
I've always wondered why password hashing is not a law (at least in the US). There needs to be an agreed upon minimum level of security for storing credentials.

Or, just make it where websites HAVE to state somewhere how they are storing the credentials. It's shocking how many places still use plain text, or encryption and store the key in the database...

It's pathetic that a major company like LinkedIn is simply storing credentials with a SHA1 hash. At LEAST use a really good salt...
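The contrast the comment above draws, between an unsalted SHA-1 hash and a properly salted one, worked through in runnable form. This is an added example, not code from the thread or from LinkedIn: the "leaked" records and the wordlist are constructed inline, and the hardened version uses PBKDF2-HMAC-SHA256 from the Python standard library only because it is always available (a memory-hard KDF such as scrypt or Argon2 is the better choice where you can install it). The storage format with `$`-separated fields is an assumption of this example.

```python
import hashlib
import hmac
import secrets

# --- Weak form: unsalted SHA-1, the scheme the thread attributes to LinkedIn ---

def weak_sha1(password):
    """Unsalted SHA-1 of the password, hex-encoded."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Constructed sample records, as they would appear in a dumped users table.
LEAKED_UNSALTED = {
    "alice": weak_sha1("password1"),
    "bob":   weak_sha1("letmein"),
    "carol": weak_sha1("password1"),   # same password as alice -> identical hash
}

# Constructed attacker wordlist.
WORDLIST = ["123456", "password1", "letmein", "qwerty"]

def crack_unsalted(records, wordlist):
    """Build one hash per candidate word, then look every stored hash up in it.
    Without a salt the attacker's work is O(wordlist), not O(wordlist * users):
    one precomputed table cracks every account sharing a password at once."""
    table = {weak_sha1(w): w for w in wordlist}
    return {user: table[h] for user, h in records.items() if h in table}

# --- Hardened form: random per-user salt plus a deliberately slow KDF ---

PBKDF2_ITERATIONS = 600_000   # assumed cost; tune to ~100 ms per hash on your hardware
SALT_BYTES = 16
DKLEN = 32

def hash_password(password):
    """Return a self-describing record: algorithm, iteration count, salt, derived key.
    Storing the parameters lets you raise the cost later without breaking old rows."""
    salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=DKLEN)
    return "pbkdf2_sha256${}${}${}".format(PBKDF2_ITERATIONS, salt.hex(), dk.hex())

def verify_password(password, stored):
    """Recompute the derived key with the stored salt and parameters and compare
    in constant time so the check does not leak how many leading bytes matched."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations),
                                    dklen=len(dk_hex) // 2)
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))

def demo():
    """Crack the unsalted dump, then show the salted scheme resists the same trick."""
    cracked = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    salted = {u: hash_password(p) for u, p in [("alice", "password1"),
                                               ("carol", "password1")]}
    # Same password, different salts -> different stored values, so no shared table.
    distinct = salted["alice"] != salted["carol"]
    return cracked, distinct

if __name__ == "__main__":
    print(demo())
```

The two properties worth checking in practice are visible in `demo()`: every user in the unsalted dump falls to a single pass over a four-word list, while the salted records for the same password are distinct, forcing an attacker to run the slow KDF separately for every user and every guess.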



>Or, just make it where websites HAVE to state somewhere how they are storing the credentials. It's shocking how many places still use plain text, or encryption and store the key in the database..

I like this idea. Like a Surgeon General's Warning for the web. I wouldn't want the government making specific laws about hashing, but requiring transparency and disclosure about how data is stored would be useful in a variety of ways.


The concern I have with this is that it provides a bit too much information to potential crackers. Security through obscurity is nothing to rely on, but it doesn't hurt to have a little. It's why disabling the reporting of HTTP server version information is a common practice in hardening a server.

OTOH, it may be worth it. It's shocking that LinkedIn could be so negligent, especially after high-profile screwups like Gawker.


>The concern I have with this is that it provides a bit too much information to potential crackers.

Only the script kiddies. The ones you have to worry about have bots and automated scans that can figure that stuff out in an instant.

Yeah, unbelievably shocking that such an advanced web company as LinkedIn could be so negligent. Amateur bitcoin sites, social media sites, venerable Web 1.0 ones like Last.fm don't surprise me much, but LinkedIn? WTF.


There are problems with mandating standards. Mostly because they change a lot and will cause undue overhead to many companies. The government (NIST) already publishes standards, there is just no mandate that you use them.

example: http://csrc.nist.gov/publications/drafts/800-118/draft-sp800...


Mandatory https isn't a law, either. Good thing or HN would be in violation of it.


So?


To be clearer, my point was that HN not using HTTPS doesn't seem like a reason not to require sites to use HTTPS, let alone introducing any security regulations at all.


To be clear myself, the point is that there are bigger fish to fry. Mandating one practice when we can't even implement another smells like issue of the week.


All standards become obsolete eventually. Mandating them by law is a sure road to legacy legal cruft hurting the legitimate aims it was put in place to help.



