I recently wrote a post about how to correctly hash passwords using PHP. As this story was shared on reddit it was met with the normal trolling almost every post gets on the platform. One of the issues raised was why I mentioned things such as MD5 and SHA when the post was about the correct way to hash passwords. My response was that most tutorials (usually aimed at beginners) recommend hashing passwords with functions such as MD5 and SHA1, so I dedicated a paragraph of the article to explaining why these are bad choices and why not to use them.
The said troll also added “truly terrified by the thought of someone paying a ‘developer’ who doesn’t know basics like that”. Whilst I fully agree with him on this point, sadly it’s the way the industry is at present. This is not only a problem with beginner developers and tutorials though; it’s an inherent problem in the industry and on the largest sites in the world. Here I list some of the data breaches and what was found.
http://tutsplus.com/ (Envato) – Do as I say and not as I do couldn’t ring more true here. Envato runs probably the biggest chain of tutorial sites on the internet and has numerous articles about security and password security, yet after a database breach back in 2012 it was found they were storing passwords for the premium service in plain text! They went on to blame a ‘3rd party plugin’ called aMember for the issue, which is even more worrying: they are running code with no idea what it’s doing.
http://LinkedIn.com – LinkedIn is the go-to social network platform for businesses and professional individuals. In 2016 a leak of the social network’s database was offered for sale which included over 164 million accounts, believed to have been taken back in 2014. The passwords were stored as SHA1 hashes without any salt, meaning the majority of passwords were cracked within days of the leak.
http://myspace.com – One of the pioneers in social websites, Myspace was believed to have been compromised back in 2008, but the database was only made available in 2016. Within the data of almost 360 million accounts, the passwords were stored as SHA1 hashes.
http://vk.com – VK is the largest social network in Europe, based out of Russia. In 2012 the platform was hacked, and over 100 million accounts and passwords were exposed in 2016. As with tutsplus, the creators of VK decided not to bother with any password hashing or encryption and just went with plain text storage for passwords.
http://fling.com – Self-billed as the world’s best adult social network, whose primary aim is to facilitate affairs and cheating, it was breached and data on more than 40 million members leaked back in 2011. Not only were sensitive messages and details exposed in the leak but also all the users’ passwords which, again, were stored in plain text.
These are just a few of the big names who continue to get this wrong; Sony and Tesco are also guilty of plain text password storage, whilst many others use poor hashing methods and poor implementations of salting which offer very little extra protection.
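To make the three storage schemes above concrete, here is an added Python example (not code from the original post, which covered PHP): it stores the same constructed sample passwords in plain text, as unsalted SHA1 (the LinkedIn scheme), and with a per-user random salt plus a deliberately slow KDF, then counts how many stored records give away that two users share a password. PBKDF2-HMAC-SHA256 with 200,000 rounds is an assumption chosen for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample records: two users happen to share a password,
# which is common in any real breach dump.
USERS = [("alice", "Summer2012"), ("bob", "Summer2012"), ("carol", "correct horse")]


def store_plaintext(password: str) -> str:
    """Scheme found at tutsplus, VK and fling: nothing for an attacker to crack."""
    return password


def store_sha1_unsalted(password: str) -> str:
    """Scheme found at LinkedIn: one fast, deterministic digest per password,
    so equal passwords produce equal records and precomputed tables apply."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted_slow(password: str, salt: bytes = b"", rounds: int = 200_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256, assumed here).
    The record carries algorithm, rounds and salt so it can be verified later."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_salted_slow(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _algo, rounds, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def count_duplicate_records(records: list) -> int:
    """Number of stored records indistinguishable from another user's record."""
    return len(records) - len(set(records))


def compare_schemes() -> dict:
    """Duplicate-record count per scheme for the sample users:
    plaintext and unsalted SHA1 expose the shared password, salted PBKDF2 does not."""
    return {
        "plaintext": count_duplicate_records([store_plaintext(p) for _, p in USERS]),
        "sha1_unsalted": count_duplicate_records([store_sha1_unsalted(p) for _, p in USERS]),
        "salted_pbkdf2": count_duplicate_records([store_salted_slow(p) for _, p in USERS]),
    }


if __name__ == "__main__":
    print(compare_schemes())
```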
As originally stated, I agree with the troll’s view that it’s a scary thought, but with the major players in the industry getting this wrong and the huge number of poorly constructed tutorials, beginners don’t stand much chance of getting this right the first time. It’s up to us as a community to highlight such issues and explain why such practice is bad, even if we all agree it shouldn’t be happening.
Let’s teach rather than just hate, we might just prevent the next data breach from being useful.