
Do All You Can, and Nothing More

scholarly edited this page Jul 12, 2013 · 1 revision

I couldn't resist including this bit from Troy Hunt

Serenity to accept, courage to change, wisdom to know the difference

This little phrase often pops up in situations where things may be a bit beyond your control (and is frequently accompanied by the mention of a deity). In the world of software, we as end users unfortunately don’t have much say as to what goes on under the covers. In fact, about the only thing we can control is our password and how we use it (and even then, often within tight constraints).

Software developers use dodgy practices. Frequently. You’ll find that in the previously mentioned examples of Gawker and rootkit.com (the latter didn’t even salt their password hashes) and you’ll observe it firsthand every time you log on with no HTTPS or are sent your password in clear text. So what do you do about it? Well, as an end user you have absolutely zero control over it. Incidentally, this is the same level of control you have over allowable password retry attempts, delays between retries and account lockouts. Nada. Zip.

Look, if you’re a software developer and you want to put some effort into security, go read the OWASP series. If you’re someone who creates passwords in other people’s systems then go read the passwords series.

What you can’t do is get up and bleat about “well it’s not my problem, the developers should have implemented it securely” because it is your problem and the only thing you can do about it is to construct and protect your own passwords. There’s one thing for sure; when that dodgy MD5 hashed database with no salt gets disclosed and yours is the lowercase password, you’re going to be first in line for exploitation. And remember, you often have absolutely no visibility as to how a website stores your password.

http://www.troyhunt.com/2011/04/bad-passwords-are-not-fun-and-good.html
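The "didn’t even salt their password hashes" point above is worth seeing in code. The following is an added example (it is not from the wiki page and not Troy Hunt's code): it contrasts the unsalted MD5 scheme the quote criticises with a salted, iterated PBKDF2-HMAC-SHA256 scheme from Python's standard library, and shows one concrete consequence of the unsalted design: every user who chose the same password gets the same stored hash, so a leaked table immediately reveals who shares a password and matches site-independent precomputed tables. The usernames and passwords are constructed sample data; `pbkdf2_hash`, `pbkdf2_verify` and the storage format `algorithm$iterations$salt$hash` are this example's own choices, not any particular site's.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts for the demonstration (not real credentials).
USERS = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}


def md5_unsalted(password: str) -> str:
    """The 'dodgy' scheme: plain MD5, no salt, no work factor.

    It is fast and deterministic, and identical passwords give identical
    digests, so the same precomputed table works against every site using it.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> str:
    """Salted, iterated hash using PBKDF2-HMAC-SHA256.

    Returns a self-describing record: pbkdf2_sha256$iterations$salt_hex$hash_hex
    (an assumed format chosen for this example). A fresh random salt per user
    means equal passwords no longer produce equal records.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt/iterations and compare in
    constant time, so the comparison itself leaks nothing about the digest."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def duplicate_password_groups(stored: dict) -> list:
    """Group users whose stored hashes are byte-identical.

    Against an unsalted store this reveals who shares a password without
    cracking anything; against a salted store it finds nothing.
    """
    by_hash: dict = {}
    for user, record in stored.items():
        by_hash.setdefault(record, set()).add(user)
    return [users for users in by_hash.values() if len(users) > 1]


def demo():
    """Hash the sample accounts both ways and report duplicate groups."""
    unsalted = {u: md5_unsalted(p) for u, p in USERS.items()}
    salted = {u: pbkdf2_hash(p) for u, p in USERS.items()}
    return duplicate_password_groups(unsalted), duplicate_password_groups(salted)


if __name__ == "__main__":
    dup_unsalted, dup_salted = demo()
    print("duplicate groups, unsalted MD5:", dup_unsalted)   # alice and bob
    print("duplicate groups, salted PBKDF2:", dup_salted)    # none
```

Running it shows that alice and bob are exposed as sharing a password from the unsalted table alone, while the salted records look unrelated. Note that the salt fixes the "same hash everywhere" problem, and the iteration count slows guessing; neither rescues a user whose password is a lowercase dictionary word, which is exactly the point the quote makes about what remains in the user's hands.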