Grinding My Gears – Stored Passwords


Personally, I don’t think that software needs to be so god damned difficult to make. I mean, if you follow the “standards and practices” that you see standardized and practiced by the broad majority of today’s websites you could come to no other conclusion.

Three days ago I signed up on a website, one that I am quite sure has been around for a good portion of the web epoch as they tout themselves as being 2.0 compliant – whatever the fuck that means – and lo and behold I was sent something that I never in my life fucking wanted. Never in my life would I need to be sent something that I had given to them. I don’t need it, I don’t want it, it is a sure sign of an amateur dev team, and the fact that it exists is almost enough to make me want to scream.

My god damned password.

Now look, folks. I am no idiot. You fuck heads at Mega-Corp Web development firm need to realize something here, and it’s something that took me all of 2 months to realize back when I was first beginning in web development, so I will simply share it and hope you stop being idiotic about it. You don’t need to know my password. In fact, you don’t need it in the grand scheme of things; there is no reason for you to have it in your database, and it’s not something that is negotiable. It is an expectation; it’s a fucking requirement.

No, I am not being difficult, and I’m not even expecting too much. I am simply choosing to point out something simple, something that should never have come up in the first place: you don’t store my god damned password in your database(s), you store the hash of it.

We are here in damn near 2010. We were promised a bunch of shit, from fucking flying cars to god damned hover boards and a space war between us and some bug-looking alien race. The last thing I wanted to still be arguing over was the security provisions that YOU are supposed to be implementing to keep my information a secret. I am an avid Facebook security lockdown proponent and I have chosen to omit myself from dozens of websites that are just plain not going to take care of me in the long haul because… for fuck’s sake… I don’t want person X having my personal information. If I wanted to give Harry Hacker my credit card information I would just walk up and give it to him. The reason I use your website is because of the information and services you provide.

So that said, let’s go exploring and see what we can find. http://lmgtfy.com/?q=How+to+store+passwords

On the front page of the Google listing are two interesting choices:

  1. A blog entry similar to mine – http://…/never-store-passwords-in-a-database
  2. Wikipedia #Password – http://en.wikipedia.org/wiki/Password

With a little poking around you can easily find, without effort, a large number of posts that convey the importance of storing the password hash and not the plaintext version of the password, and delving a little deeper you can find out how companies that are conscious of the implications of password security handle retrieval. Because as egregious and exceptionally disappointing as it is to receive my password when I log in… when I try to retrieve it and get it emailed to me, all you have done is confirm my darkest fears. I hope your website is DDoS’d into oblivion.
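As an added example (not code from this post), here is the pattern the post objects to beside the one it demands, in Python: plaintext storage versus a salted PBKDF2 hash with constant-time verification, plus the reset-token flow that is the only sane answer to "forgot my password" once no password is stored. The `USERS` dict is a constructed stand-in for a database.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed in-memory "database" for the example; a real app would persist this.
USERS: dict = {}

def insecure_register(username: str, password: str) -> None:
    """The pattern the post complains about: the password itself is stored,
    so it can be read out of the database and mailed back. Contrast only."""
    USERS[username] = {"password": password}

def register(username: str, password: str) -> None:
    """Store only a per-user salt and a slow, salted hash (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)            # unique salt defeats precomputed tables
    iterations = 600_000             # deliberately slow to hinder offline guessing
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    USERS[username] = {"salt": salt, "iterations": iterations, "hash": digest}

def verify(username: str, password: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    rec = USERS.get(username)
    if rec is None or "hash" not in rec:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], rec["iterations"])
    return hmac.compare_digest(candidate, rec["hash"])

def recover_password(username: str) -> Optional[str]:
    """What a 'send me my password' feature can actually mail back.
    With only a hash stored there is nothing to send, which is the point."""
    rec = USERS.get(username)
    return None if rec is None else rec.get("password")

def issue_reset_token(username: str) -> Optional[str]:
    """Reset flow: mail the user a one-time random token and store only its hash,
    so a database leak does not hand out usable reset links either."""
    rec = USERS.get(username)
    if rec is None:
        return None
    token = secrets.token_urlsafe(32)
    rec["reset"] = hashlib.sha256(token.encode()).digest()
    return token

def reset_password(username: str, token: str, new_password: str) -> bool:
    """Consume the token (single use) and store a fresh hash of the new password."""
    rec = USERS.get(username)
    if rec is None or "reset" not in rec:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), rec["reset"]):
        return False
    register(username, new_password)   # replaces the record, dropping the used token
    return True
```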

Further Reading:

  1. Developing User Systems – http://blog.gneu.org/writings-ramblings/developing-user-systems/
  2. Developer Responsibility – http://blog.gneu.org/2007/11/developer-responsibility/