Facebook Rival ConnectU.com's SQL injection vulnerability: a story of pathetic hubris - tomh
http://socialscienceplusplus.blogspot.com/2007/08/connectucom-sql-injection-vulnerability.html

======
run4yourlives
DO NOT STORE PASSWORDS IN PLAIN TEXT

DO NOT STORE PASSWORDS IN PLAIN TEXT

DO NOT STORE PASSWORDS IN PLAIN TEXT

DO NOT STORE PASSWORDS IN PLAIN TEXT

Obviously, this still needs to be said. Every modern database has an encrypt
function that you can build right into the SQL string.

~~~
aston
Reddit did it. There's a valid user happiness story to tell there, when you
can actually give a person back the password they were using.

What you really mean is, don't insert user-submitted content into SQL queries.
And in reddit's case, don't keep user data on local storage.
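The two points made in the comments above, hashing instead of storing passwords and never pasting user input into the SQL string, side by side as an added example (not code from any commenter or from the site in the linked story). It uses Python's standard library only: an in-memory SQLite table, PBKDF2-HMAC-SHA256 with a random salt for the password, and a parameterized query for the lookup. The iteration count and the column layout are assumptions, not anything the thread specifies.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional

ITERATIONS = 200_000  # PBKDF2 work factor; an assumption, tune for your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt$iterations$digest' (hex) for storage; the password itself is never kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${ITERATIONS}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, iters, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema: one row per user, hash only, no plaintext column."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    conn.execute(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        (username, hash_password(password)),
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The pattern the story is about: user input spliced straight into the SQL text.

    Any quote in `username` is parsed as SQL syntax rather than data, so the
    input changes the structure of the query instead of just its value.
    """
    row = conn.execute(
        f"SELECT password_hash FROM users WHERE username = '{username}'"
    ).fetchone()
    return row is not None and verify_password(password, row[0])


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized lookup: the driver sends `username` as a bound value."""
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row is not None and verify_password(password, row[0])


def query_breaks(conn: sqlite3.Connection, username: str) -> bool:
    """True if the concatenated query cannot even be parsed for this username."""
    try:
        login_vulnerable(conn, username, "")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    register(db, "o'brien", "hunter2")  # constructed user; the apostrophe is a legitimate name
    print("safe login:", login_safe(db, "o'brien", "hunter2"))
    print("concatenated query fails on a valid name:", query_breaks(db, "o'brien"))
```

The detection point is the `o'brien` row: a perfectly ordinary username makes the concatenated query unparseable, which is the same mechanism an attacker relies on; the parameterized version handles it without any escaping logic in the application. Note also that the stored string contains only hex, so a dump of the table never reveals a password.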

~~~
vegashacker
I hate when websites store my password. It's quite irksome when, if you forget
your password, they send it to you plain, in an email, instead of just sending
you a reset link. When I get these emails, I know they are storing my
password, and in all likelihood, they are storing it in plain text. The worst
offense was when I once ordered some business cards: Packed in with my
shipment was an invoice with my password on it. Huh?

We never know our users' passwords. There's a brief moment, during
registration, when we technically have their password, but it is immediately
thrown away after we store the hash of it in the DB.
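The reset-link flow the comment above prefers to e-mailing the password back, as an added example that is not vegashacker's code or the commenter's site. Only a SHA-256 digest of the token is kept server-side, so a copy of the table cannot be turned into working links; the token is single-use and expires. The URL host, the 15-minute lifetime and the injectable clock are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a link is good for 15 minutes


class ResetTokens:
    """Issue and redeem single-use password-reset tokens.

    Storage holds sha256(token) -> (username, expiry). The raw token exists
    only in the link sent to the user, never in the database.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so expiry can be exercised offline
        self._pending: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str) -> str:
        """Return the link that would be e-mailed; 32 random bytes of entropy."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (username, self._now() + TOKEN_TTL_SECONDS)
        return f"https://example.invalid/reset?token={token}"  # host is a placeholder

    def redeem(self, token: str) -> Optional[str]:
        """Return the username the token belongs to, or None.

        The entry is removed on first presentation whether or not it is still
        valid, so a token can never be replayed.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        username, expires_at = entry
        if self._now() > expires_at:
            return None
        return username

    def token_is_stored_in_clear(self, link: str) -> bool:
        """Check used below: the raw token must not appear among the stored keys."""
        raw = token_from_link(link)
        return any(hmac.compare_digest(raw, key) for key in self._pending)


def token_from_link(link: str) -> str:
    """Pull the token back out of the link, as the reset page would."""
    return link.split("token=", 1)[1]


if __name__ == "__main__":
    tokens = ResetTokens()
    link = tokens.issue("alice")  # constructed user
    print("first redeem:", tokens.redeem(token_from_link(link)))
    print("second redeem:", tokens.redeem(token_from_link(link)))
```

After `redeem` returns a username the application sets the new password through its normal hashing path; the old password is never recovered because it was never stored. A user who reset and then typed the old password back in gets exactly the outcome run4yourlives describes further down the thread.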

~~~
asdflkj
Obviously, you're not a typical user (unless the website in question is geared
toward security enthusiasts, maybe). We admire your conscientiousness, but
your preferences are more or less irrelevant for someone who wants to figure
out what users want.

~~~
run4yourlives
>to figure out what users want.

Most of them prefer secure systems.

~~~
asdflkj
That's a meaningless statement. Are you implying there is a definite line
between secure and insecure systems? That's false. Are you saying that given a
choice between a security feature and a convenience feature, most users will
choose the security one? That's false too. Are you saying that if you ask a
user, "do you prefer secure or insecure systems?", he'll say "secure"? That's
true, but irrelevant. There are a dozen more ways that could be interpreted.

~~~
run4yourlives
I'm saying that if you gave the option to users about whether they would like
the site to store their passwords in plain text or encrypted, most would
choose the latter.

The argument that "we can give the same password" is bunk. You don't even
know if that's the user you're giving the password to!

The password could be reset and the user could change it back to the one they
were using previously. Clearly, if they've forgotten it, I'm not sure why you
figure it's so important for the password to stay the same.

~~~
asdflkj
And if you gave the option to users of being able to retrieve their old
password or have a new one generated, most would choose the former. And if you
explained the drawbacks and advantages of each approach and made the user make
an informed decision, most users would just click the Back button.

~~~
run4yourlives
>And if you gave the option to users of being able to retrieve their old
>password or have a new one generated, most would choose the former

Do you have any evidence at all to support that?

~~~
asdflkj
No, I don't have any evidence, other than anecdotal. It's what I would prefer,
because changing the password from random to something that I might remember
is an extra step, and an unnecessary one unless security really matters (e.g.
money is involved). I took it as given that people prefer less work over more
work.

