Another software fail: Trapster loses emails & passwords - SoftwareMaven
http://wl4.peer360.com/b/21149i2125JE276H0ogX/main.asp?hl=-1&utm_medium=email&utm_source=peer360&utm_campaign=Trapster+Compromised+Accounts+Messaging+-+D7&utm_content=trapster+header_600

======
desigooner
I think it should be mandatory for any software/service that stores user data
to have a security bootcamp before deploying their solutions teaching good
robust design, how to approach writing secure code and have the necessary
checks and balances to avoid vulnerabilities. It'll save them the heartburn
and embarrassment to a good extent. Web Security is really under-rated by most
developers and with the ease of deployment these days using services like AWS,
it is just exacerbated.

I really hope I didn't go off on a slant here but with cases like Diaspora's
design flaws, Gawker compromise, and now the Trapster fail, the trend's on the
rise.

On that note, any recommendations or pointers on where to start from the
security pros on here?! Thanks.

~~~
manvsmachine
courtesy of tptacek's HN profile: <http://amzn.to/cthr46>

~~~
desigooner
Thanks for the link and thanks to tptacek for creating such a list. I had a
couple of books on there. Created a wish list for the rest of them!

------
pwman
Use LastPass and generate random passwords, you'll just chuckle at the next
company that does this rather than freak out...

~~~
16s
Or try sha1_pass and _never_ bother remembering any password ever again.

~~~
pavel_lishin
Why not just throw together a quick command line one-liner?

Something like:

$ md5 -s "This is my password for myspace.com" | sed -e 's/.*= //'   # BSD/macOS md5(1); GNU md5sum has no -s
cfef4c6930843c33660b7c2e407c09c5

Except you'd probably want to toss it through something to add more special
characters, etc. Added bonus - available on any system.

------
pavel_lishin
I hope they do a post-mortem and explain where they went wrong.

------
kmfrk
Great. Now LinkedIn are going to reset my password again.

------
drivebyacct2
I'd like some sort of "guarantee". I want to sign up on websites that have
some sort of seal: "We store passwords according to the XYZ spec". Some
combination of bcrypt and comprehensive salting. If user data is ever
compromised, users have recourse to sue. Of course, no site ever does this
because users just don't care and it would be a near-valueless liability.

I just don't understand how anyone can store a password in clear text. I have
peers in college that couldn't edit the world's simplest VB6 application, but
they know not to store passwords in cleartext.

~~~
tptacek
So you know: bcrypt is inherently randomized. You don't need to
"comprehensively salt" it.

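tptacek's point, shown in an added example that is not code from the thread: a bcrypt-style stored string carries its own random salt and cost factor, so the application has nothing extra to "comprehensively salt". Python's standard library has no bcrypt, so this uses hashlib.pbkdf2_hmac as the slow hash but keeps the same self-describing layout; the format name and helper functions are assumptions for illustration.

```python
# Added illustration (not from the thread): a bcrypt-style stored-password
# format in which the random salt and the work factor travel inside the
# stored string, so no separate salt column or salting step is needed.
# bcrypt itself is not in the Python standard library; hashlib.pbkdf2_hmac
# stands in as the slow hash, with the same self-describing layout.
import base64
import hashlib
import hmac
import secrets

ALG = "pbkdf2-sha256"      # assumed format tag, like bcrypt's "$2b$"
DEFAULT_COST = 14          # iterations = 2**cost, like bcrypt's log2 cost
SALT_BYTES = 16            # 128-bit random salt, drawn fresh per password


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def _derive(password: str, salt: bytes, cost: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, 2 ** cost, dklen=32)


def hash_password(password: str, cost: int = DEFAULT_COST) -> str:
    """Return '$alg$cost$salt$digest'. A fresh salt is drawn on every call,
    so hashing the same password twice yields two different strings."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = _derive(password, salt, cost)
    return f"${ALG}${cost}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recover salt and cost from the stored string, recompute the digest
    and compare in constant time. Malformed or foreign strings fail."""
    try:
        _, alg, cost, salt_b64, digest_b64 = stored.split("$")
        if alg != ALG:
            return False
        salt, expected = _unb64(salt_b64), _unb64(digest_b64)
        cost = int(cost)
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(_derive(password, salt, cost), expected)


def parse_salt(stored: str) -> bytes:
    """The salt is recoverable from the stored string itself."""
    return _unb64(stored.split("$")[3])
```

Because the salt lives inside the string, two rows holding the same password look unrelated, and verification needs nothing but the password and the stored value.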
~~~
drivebyacct2
:) Exactly why someone else would be writing the spec! I know just enough to
be dangerous, but meta-fortunately, I'm also aware of that fact.

