Security: never store passwords in clear text
I was reading the first issue of Reflex magazine this morning, a Science + IT + Innovation magazine affiliated with EPFL. The main subject of this month's issue is IT security, a subject I am highly interested in these days.
The security of the software we use and build is vital, especially in the trading and banking area. The need for security grows every day because of the increasing complexity of web applications. Moreover, Wi-Fi is used more and more often and on a wide scale.
In this magazine we can read that a Swiss company from Geneva is growing by providing security consulting. It's fun because the team is formed of hackers who are paid to prove that the client's system is not secure by breaking into it. They claim that the attacks they carry out are successful in 98% of cases.
Even if I am not a security specialist, I see architectural security flaws just by looking at a trading website. The security vision of certain famous tools is sometimes frightening. For example, I use the widely used Basecamp tool. Looking at my account options, I can see that the password field is not empty. What is the meaning of that? What information is in this field? Believe it or not, your password is displayed in clear text in the HTML source code. Not to mention that the site is vulnerable to XSS attacks. But the worst part is that these passwords have to be stored in clear text in a database. The guys from reddit.com made the same mistake and are beginning to pay for it because some hackers have stolen their database.
The problem is even bigger because users usually don't want to remember a different password for every little web application they use, so they often use the same password. Because of that, other services become potentially insecure too.
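To make the point of the last two paragraphs concrete, here is an added example (not code from the post, from Basecamp or from reddit) of what a web application should store instead of the clear-text password: a salted, slow hash. It assumes PBKDF2-HMAC-SHA256 with a per-user random salt and a storage format of `pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>`; both choices are this example's, not something the post describes. It also shows why the salt matters for the password-reuse problem: two users with the same password get different rows, so a stolen table reveals neither the password nor the fact that it is shared.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed scheme (this example's choice, not from the original post):
# PBKDF2-HMAC-SHA256, 16-byte random salt per user, stored as
# "pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>".
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable salted hash; the clear-text password itself is never kept."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations_str, salt_hex, hash_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iterations_str)
    except ValueError:
        return False  # malformed row: refuse rather than guess
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def build_user_table(credentials: Dict[str, str]) -> Dict[str, str]:
    """Simulate the password column: each user gets an independently salted hash."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


def exposed_cleartext(table: Dict[str, str], credentials: Dict[str, str]) -> int:
    """Count rows of a (possibly leaked) table that contain the user's clear-text password."""
    return sum(1 for user, pw in credentials.items() if pw in table[user])


if __name__ == "__main__":
    # Constructed sample data: two users who reuse the same password.
    creds = {"alice": "hunter2", "bob": "hunter2"}
    cleartext_table = dict(creds)          # what the post warns against
    hashed_table = build_user_table(creds)  # what should be stored instead
    for user, row in hashed_table.items():
        print(user, row)
    print("correct password accepted:", verify_password("hunter2", hashed_table["alice"]))
    print("wrong password rejected:", not verify_password("hunter3", hashed_table["alice"]))
    print("clear-text rows exposed by a leak:", exposed_cleartext(cleartext_table, creds))
    print("hashed rows exposed by a leak:", exposed_cleartext(hashed_table, creds))
```

Run it as a script to see that `alice` and `bob` get different rows despite sharing a password, that login still works through `verify_password`, and that a leaked copy of the hashed table hands out zero clear-text passwords where the clear-text table hands out all of them. The constant-time comparison and the refusal to accept a malformed row are the two details most often dropped when this is written in a hurry.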