Discussion in 'Article Discussion' started by CardJoe, 16 Dec 2009.
These people sound like idiots, but I wonder how many other companies have databases that are similarly insecure...
I'll bet it's more than we'd even like to think about!
Most of their "gadgets" are rubbish anyway, I'm glad I don't use their "services".
Why on earth would they store passwords in their database? That's as irresponsible as it gets.
This quote on their homepage made me laugh too -
No, obviously we don't 'know'...
No need to keep passwords, n00bs. If your data is that insecure I believe you should be able to sue...
This is why you keep your personal information off the Internet as much as you can. Nothing is safe or secure anymore.
What kind of n00b stores passwords in plaintext >_<
And that concludes lesson 101 in why you shouldn't rely on SSL alone to secure user data - just because the user session is secure from snooping doesn't mean someone can't extract the data from your database. At an absolute minimum, passwords should be irreversibly hashed before being entered into a database. Preferably use a salt with HMAC (http://uk3.php.net/manual/en/function.hash-hmac.php) to prevent simple collision searches on hashed data. Hashing does increase database size (a typical password might be 8 chars, a typical hash is 128 or 160 bit, i.e. 32/40 hex chars or 22/27 base64 chars) but that is a small price to pay, and the difference is unlikely to have substantial disk space / performance implications unless we're talking about a database the size of Facebook's.
Also, encrypting everything isn't a bad idea (though usability / performance implications may make it impractical). Lastly, what clown left the backdoor open? It isn't hard to escape every user-passed parameter to guard against MySQL injection. http://uk3.php.net/manual/en/function.mysql-real-escape-string.php
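The two points in the post above (never store passwords reversibly; never splice user input into SQL) are worth seeing together in working code. The following is an added example written for this thread, not code from the post or from any site discussed in it. It uses Python's standard library rather than the PHP functions linked above: a per-user random salt with PBKDF2-HMAC-SHA256 (an HMAC-based, deliberately slow derivation) stands in for the post's "salt with hmac", and a parameterised SQLite query stands in for mysql_real_escape_string. The in-memory table, user names and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

# Iteration count for PBKDF2; chosen for the demo, tune upward for production hardware.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given,
    so two users with the same password get different stored hashes."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def create_store() -> sqlite3.Connection:
    """Constructed in-memory schema: only salt and hash are stored, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " username TEXT PRIMARY KEY,"
        " salt BLOB NOT NULL,"
        " pw_hash BLOB NOT NULL)"
    )
    return conn


def add_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt, digest = hash_password(password)
    # Placeholders: the driver binds values as data, so quotes in the
    # username cannot change the structure of the statement.
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, digest),
    )
    conn.commit()


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Look the user up with a bound parameter and verify against the stored hash.
    The unsafe alternative would be building the SQL text with string
    concatenation of `username`; that is exactly what escaping or binding prevents."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Burn the same derivation cost so a missing user is not obvious from timing.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    salt, pw_hash = row
    return verify_password(password, salt, pw_hash)


def stored_hashes_differ(conn: sqlite3.Connection, user_a: str, user_b: str) -> bool:
    """True when the two rows hold different hashes, even for identical passwords."""
    rows = {
        name: pw_hash
        for name, pw_hash in conn.execute(
            "SELECT username, pw_hash FROM users WHERE username IN (?, ?)",
            (user_a, user_b),
        )
    }
    return rows[user_a] != rows[user_b]


def plaintext_absent(conn: sqlite3.Connection, password: str) -> bool:
    """Simulate the breach scenario: dump every row and confirm the raw
    password string appears nowhere in what an attacker would get."""
    needle = password.encode("utf-8")
    for username, salt, pw_hash in conn.execute("SELECT * FROM users"):
        if needle in username.encode("utf-8") or needle in salt or needle in pw_hash:
            return False
    return True


if __name__ == "__main__":
    db = create_store()
    add_user(db, "alice", "correct horse")
    add_user(db, "bob", "correct horse")
    print("alice login ok:", login(db, "alice", "correct horse"))
    print("wrong password rejected:", not login(db, "alice", "battery staple"))
    print("same password, different hashes:", stored_hashes_differ(db, "alice", "bob"))
    print("no plaintext in dump:", plaintext_absent(db, "correct horse"))
```

The `plaintext_absent` check is the point of the whole thread: if the table is ever dumped, the attacker gets salts and PBKDF2 outputs, not the passwords themselves, and the per-user salt means a single precomputed table cannot crack every account at once.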
I think I've got a Bebo with RockYou Horoscope on it from about 4 years ago with the name Bigsharn Macwartbutt and the address of the whitehouse... so I'm not worried
Awesome... wow... that's retarded.
That is some special skills right there...
Pfft, no encryption,
10 days to inform everyone.
What a bunch of c*Nts