Wednesday 28 May 2014

Data security is a deadly serious issue

My recent blog post said that programmers who stored passwords in plain text should be beaten to death with a house brick. That caused someone to email me saying that they thought it was a bit extreme and that perhaps I should consider changing it.

So the first thing I'd like to say is that my comment was not meant to be taken literally but I seriously believe that was obvious. I did have a think about it and I believe the sentiment was justified as a way to highlight the seriousness of the situation and I'd like to explain why starting with some examples.

The first example is the British Pregnancy Advice Service. They have a website which, amongst other functions, allows people wanting advice on pregnancy, abortion and contraception to request contact from the charity.

Unfortunately, the charity didn't manage their website development well and didn't know that their website was storing highly sensitive personal information about people who contacted them. Their website was also vulnerable to hacking and someone broke into the site and stole a lot of sensitive personal information.

The charity was fined £200,000 by the Information Commissioner's Office in the UK – something that will certainly hurt badly for them but it was less than the maximum possible fine of £500,000. The charity said they were "horrified at the scale of the fine" but the ICO's Deputy Commissioner said "ignorance is no excuse".

At this point I need to say that I have no idea whether there were unprotected passwords in the BPAS website but at the same time, most attacks by hacking exploit lazy or bad programming that doesn’t adequately protect the data in question.

Then there's the case of Cupid Media who operate a variety of dating sites. In 2013 they were hacked and 42 million user account details were stolen from their server. Sadly these details did include plain text passwords, and because many people regularly use the same password for every website, lots of other sites that they are registered with could also be compromised.

Rather disturbingly I also saw a website recently which had almost no security – the admin elements of the site could be reached if you knew the right URL with no login at all and this website stored both passwords AND credit card details in plain text. Honestly, this is probably the most scary example of bad programming I have EVER seen in my life.

Even the general standard of programming was truly shockingly bad. Unfortunately, the person who wrote that website allegedly does this stuff for a living but honestly shouldn’t.

My point is that if a programmer doesn't understand that storing passwords in plain text is one of the worst possible things they can do then there is realistically no chance that they will understand all of the other security threats or how to keep your data safe.
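To make the "plain text versus properly stored" distinction concrete, here is an added example (not code from the original post, and not describing any of the sites mentioned above). It assumes Python's standard library and uses PBKDF2-HMAC-SHA256 with a random per-user salt; the in-memory dictionary standing in for a user table, the iteration count and the usernames are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# PBKDF2 iteration count. Constructed for this example; real deployments
# tune it to their hardware and revisit it over time.
ITERATIONS = 100_000
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$iters$salthex$hashhex'.

    A fresh random salt per user means two people who chose the same
    password still end up with different stored records.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        if algo != ALGO:
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        # Malformed record: treat as a failed login rather than crashing.
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


# A constructed "user table": username -> stored record. Nothing in it is
# the password itself.
def create_user(store: Dict[str, str], username: str, password: str) -> None:
    store[username] = hash_password(password)


def login(store: Dict[str, str], username: str, password: str) -> bool:
    record = store.get(username)
    if record is None:
        # Run the KDF anyway so an unknown username takes as long as a
        # known one; otherwise timing reveals which accounts exist.
        hash_password(password)
        return False
    return verify_password(password, record)


def store_leaks_plaintext(store: Dict[str, str], password: str) -> bool:
    """Defender's check: if a copy of this table were stolen, would the
    password be readable verbatim? Should always be False for hashed storage."""
    return any(password in record for record in store.values())


if __name__ == "__main__":
    users: Dict[str, str] = {}
    create_user(users, "alice", "correct horse battery staple")
    create_user(users, "bob", "correct horse battery staple")
    print("alice record:", users["alice"])
    print("bob record:  ", users["bob"])
    print("alice login ok:", login(users, "alice", "correct horse battery staple"))
    print("wrong password:", login(users, "alice", "wrong"))
    print("plaintext visible in store:", store_leaks_plaintext(users, "correct horse battery staple"))
```

The stored record carries the algorithm name, iteration count and salt alongside the hash, so the iteration count can be raised later and old records upgraded on next login without a flag day. A purpose-built password hash such as bcrypt, scrypt or Argon2 is the usual choice in production; PBKDF2 is used here only because it ships with the standard library.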

As the UK Government "Cyber Essentials" scheme puts it, "Compromise of information assets can damage companies", and I completely agree.

So when I said you should "beat them to death with a house brick" I was doing so purely for effect. Don’t do that – just fire them and get someone else!
