
26/43 freelancers chose “plaintext” to store passwords - technion
https://twitter.com/PwdRsch/status/1103021803503607808
======
nwrk
I've seen many specifications where security is NOT required and/or the client
doesn't want to pay for it / doesn't care.

Security comes with cost and effort.

*Researchers asked 43 freelance developers to code the user registration for a web app

He got exactly what he asked for.

~~~
nobrains
The right approach from the developers who decided to store passwords as plain
text would have been to highlight this to the requestor and indicate that it
would cost extra. More business for them, and a better end result for the
requestor.

------
offbytwo
What's the industry 'standard' nowadays? I assume SHA-256 would be decent but
I don't really keep up with that stuff.

~~~
magnetic
I don't know what the industry actually does, but what it should probably do
is use bcrypt.

[https://en.wikipedia.org/wiki/Bcrypt](https://en.wikipedia.org/wiki/Bcrypt)
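Added example (not from the thread): the difference between the "just SHA-256 it" scheme asked about above and a salted, deliberately slow password hash. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it; the scheme is the same (per-user random salt, tunable work factor, constant-time compare). The record format, the 600,000 iteration default (the OWASP Password Storage Cheat Sheet figure at the time of writing) and the sample passwords are this example's own choices.

```python
"""Unsalted fast hash versus salted, iterated hash (added example)."""
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. 600,000 is the OWASP cheat-sheet
# figure at the time of writing (assumed here); tune it to your hardware.
DEFAULT_ITERATIONS = 600_000


def sha256_only(password: str) -> str:
    """The 'just SHA-256 it' scheme: fast and unsalted.  Two users with the
    same password get the same hash, and an attacker with the dump can test
    billions of guesses per second against every record at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm, work factor, salt, key.
    A fresh 16-byte random salt per record means identical passwords for
    two users produce unrelated hashes, so no precomputed table applies."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), _b64(salt), _b64(key)])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant
    time.  Any malformed record simply fails verification."""
    try:
        algo, iterations, salt_b64, key_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print(sha256_only(pw) == sha256_only(pw))   # True: same input, same hash
    r1, r2 = hash_password(pw), hash_password(pw)
    print(r1 == r2)                              # False: different salts
    print(verify_password(pw, r1), verify_password("wrong", r1))  # True False
```

The work factor is stored with the record so it can be raised later: on a successful login, rehash with the new iteration count and overwrite the old record.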

~~~
marpstar
On a project I started last year, I used SHA512 (probably overkill but who
cares) and then bcrypt. Allows users to have passwords of arbitrary size with
the goodness of bcrypt.

Then AES256 the result and use that. I read somewhere that's what Facebook
does.
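Added example (not marpstar's code): the pre-hash-then-slow-hash-then-keyed-step pipeline described above, with the two details a practitioner needs to get right. First, bcrypt only reads the first 72 bytes of its input, which is the reason for pre-hashing; second, the raw SHA-512 digest can contain a 0x00 byte, and bcrypt bindings that treat input as a C string stop at the first NUL, so the pre-hash must be hex- or base64-encoded before it is passed on. bcrypt itself is not in the standard library, so PBKDF2-HMAC-SHA256 with an explicit 72-byte truncation stands in for it, and an HMAC with a server-side secret stands in for the AES-256 step (same goal: a database dump alone is not enough to start cracking). The record format, pepper key, iteration counts and sample passwords are constructed for this example.

```python
"""Pre-hash, slow hash, then a keyed step (added example)."""
import base64
import hashlib
import hmac
import os

# bcrypt uses only the first 72 bytes of its input.  Emulated here so the
# example shows what the pre-hash step actually protects against.
BCRYPT_INPUT_LIMIT = 72


def prehash(password: str) -> bytes:
    """SHA-512 the password, then hex-encode.  The encoding matters: a raw
    digest can contain 0x00, and C-string based bcrypt bindings stop at the
    first NUL, silently hashing only a prefix.  Hex never contains NUL."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest().encode("ascii")


def raw_digest_has_nul(password: str) -> bool:
    """True if the unencoded SHA-512 digest contains a NUL byte."""
    return b"\x00" in hashlib.sha512(password.encode("utf-8")).digest()


def find_nul_example(candidates):
    """Return the first candidate whose raw digest contains NUL (about one
    in five does), or None."""
    for pw in candidates:
        if raw_digest_has_nul(pw):
            return pw
    return None


def slow_hash(material: bytes, salt: bytes, iterations: int) -> bytes:
    """Stand-in for bcrypt: PBKDF2-HMAC-SHA256 over the first 72 bytes."""
    return hashlib.pbkdf2_hmac("sha256", material[:BCRYPT_INPUT_LIMIT], salt, iterations)


def truncation_collision(pw_a: str, pw_b: str, salt: bytes,
                         use_prehash: bool, iterations: int = 1000) -> bool:
    """True if two passwords end up with the same slow hash because the
    72-byte limit swallowed the part that differed."""
    def material(pw: str) -> bytes:
        return prehash(pw) if use_prehash else pw.encode("utf-8")
    return slow_hash(material(pw_a), salt, iterations) == \
        slow_hash(material(pw_b), salt, iterations)


def pepper(hash_bytes: bytes, pepper_key: bytes) -> bytes:
    """Keyed step applied after the slow hash.  marpstar's post uses AES-256;
    an HMAC with a secret key is used here instead.  The key lives outside
    the database (KMS, HSM, or at least a separate secret store), not in the
    record, so a leaked table cannot be attacked without it."""
    return hmac.new(pepper_key, hash_bytes, hashlib.sha256).digest()


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def store(password: str, pepper_key: bytes, iterations: int = 600_000) -> str:
    """Produce a record: version, work factor, salt, peppered hash."""
    salt = os.urandom(16)
    h = pepper(slow_hash(prehash(password), salt, iterations), pepper_key)
    return "$".join(["v1", str(iterations), _b64(salt), _b64(h)])


def verify(password: str, record: str, pepper_key: bytes) -> bool:
    """Recompute the full pipeline with the stored parameters and compare in
    constant time."""
    try:
        version, iterations, salt_b64, h_b64 = record.split("$")
        if version != "v1":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(h_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    actual = pepper(slow_hash(prehash(password), salt, iterations), pepper_key)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed inputs: two long passwords sharing their first 100 bytes.
    long_a, long_b = "A" * 100 + "1", "A" * 100 + "2"
    salt = bytes(16)
    print(truncation_collision(long_a, long_b, salt, use_prehash=False))  # True
    print(truncation_collision(long_a, long_b, salt, use_prehash=True))   # False
    print(find_nul_example("pw%d" % i for i in range(200)))  # some 'pwN' with a NUL in its raw digest
```

A hex SHA-512 is 128 characters, so bcrypt still truncates it to 72; that keeps 288 bits of the digest, which is more than enough. Note that the pepper key cannot be rotated without re-hashing every record on the user's next login, so version the record format from the start, as the `v1` prefix here does.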

