>Or, just make it where websites HAVE to state somewhere how they are storing the credentials. It's shocking how many places still use plain text, or encryption and store the key in the database..
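As an added illustration of the three storage styles this comment contrasts (not code from the thread or from any site it mentions): what an attacker who walks off with a dump of the users table can recover from each. The "encrypted, key in the database" scheme is a constructed toy stream cipher (HMAC-SHA256 keystream) standing in for any reversible encryption whose key sits in the same store; the iteration count and wordlist are assumptions for the demo.

```python
# Added example: plaintext vs. reversible encryption (key in the DB) vs. salted slow hash,
# and what a thief holding only the stolen row gets from each. Toy cipher, demo parameters.
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumption for the demo; production should use a higher work factor


def store_plaintext(password: str) -> dict:
    """The worst case: the secret is the record."""
    return {"scheme": "plain", "secret": password}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed toy keystream (HMAC-SHA256 in counter mode). Illustrative only.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def store_encrypted_key_in_db(password: str, key: bytes) -> dict:
    """Reversible encryption, with the mistake the comment describes: the key is stored
    alongside the ciphertext, so the dump contains everything needed to decrypt."""
    nonce = os.urandom(16)
    pw = password.encode()
    ct = _xor(pw, _keystream(key, nonce, len(pw)))
    return {"scheme": "enc", "nonce": nonce, "ct": ct, "key": key}


def store_salted_hash(password: str) -> dict:
    """Per-user random salt plus a deliberately slow one-way KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2", "salt": salt, "iters": PBKDF2_ITERATIONS, "digest": digest}


def verify(record: dict, candidate: str) -> bool:
    """Login check for each scheme, using constant-time comparison where a secret is compared."""
    if record["scheme"] == "plain":
        return hmac.compare_digest(record["secret"].encode(), candidate.encode())
    if record["scheme"] == "enc":
        ks = _keystream(record["key"], record["nonce"], len(record["ct"]))
        return hmac.compare_digest(_xor(record["ct"], ks), candidate.encode())
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iters"])
    return hmac.compare_digest(digest, record["digest"])


def attacker_recovers(record: dict, wordlist: list) -> Optional[str]:
    """What someone holding only the stolen row can recover offline."""
    if record["scheme"] == "plain":
        return record["secret"]                      # nothing to do
    if record["scheme"] == "enc":
        ks = _keystream(record["key"], record["nonce"], len(record["ct"]))
        return _xor(record["ct"], ks).decode()       # key is in the row: decrypt, no guessing
    for guess in wordlist:                           # salted slow hash: one KDF run per guess
        if verify(record, guess):
            return guess
    return None                                      # not in the wordlist: nothing recovered


def demo(password: str = "correct-horse-battery", wordlist=("password", "123456", "linkedin")) -> dict:
    """Constructed scenario: one user, one stolen row per scheme, attacker with a small wordlist."""
    rows = {
        "plain": store_plaintext(password),
        "enc": store_encrypted_key_in_db(password, key=os.urandom(32)),
        "pbkdf2": store_salted_hash(password),
    }
    return {name: attacker_recovers(row, list(wordlist)) for name, row in rows.items()}


if __name__ == "__main__":
    for scheme, recovered in demo().items():
        print(f"{scheme:7s} -> attacker recovers: {recovered!r}")
```

The point the thread is making in code form: with the first two schemes the breach is the password, with the third the breach is a cracking job whose cost scales with the work factor and the guessability of each password, which is exactly the distinction a disclosure notice would make visible.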
I like this idea. Like a Surgeon General's Warning for the web. I wouldn't want the government making specific laws about hashing, but requiring transparency and disclosure about how data is stored would be useful in a variety of ways.
The concern I have with this is that it provides a bit too much information to potential crackers. Security through obscurity is nothing to rely on, but it doesn't hurt to have a little. It's why disabling the reporting of http server version information is a common practice in hardening a server.
OTOH, it may be worth it. It's shocking that LinkedIn could be so negligent, especially after high-profile screwups like gawker.
>The concern I have with this is that it provides a bit too much information to potential crackers.
Only the script kiddies. The ones you have to worry about have bots and automated scans that can figure that stuff out in an instant.
Yeah, unbelievably shocking that such an advanced web company as LinkedIn could be so negligent. Amateur bitcoin sites, social media sites, venerable Web 1.0 ones like Last.fm don't surprise me much, but LinkedIn? WTF.