
Password storage is considered harmful

Surely many of you have noticed the password story on bestpersons.ru. I invite its authors, as well as other authors of web services, to the discussion.

The question is, did Bestpersons really need to have a password for access to the site (a password which, in general, was taken away)? After all, no matter how hard you try, you are unlikely to succeed at storing passwords anyway.

Every time you ask the user to store a password with you (whether it is a new one for access to your site, or passwords from third-party services), you take on very serious obligations to ensure the security of that password. Some people treat this carelessly, some are more serious, but problems are still possible, as happened to the resource under discussion.

All this fussing with passwords is reminiscent of some kind of vigorous desire to keep bags of (someone else's) cash at home. And they know that it does not matter whether the door is wooden or iron; even if they keep a shotgun at home, someone will still come and rob them. Is it not safer to keep the money in banks, which guarantee a refund in any case?


There are a lot of options similar to "non-cash" that allow you to avoid storing bags of someone else's money, that is, passwords. These are: OpenID, Clickpass, OAuth (although it is designed for a different purpose), and the login APIs of Yahoo!, Google, Facebook, Hotmail and other providers. Among Russian services, Livejournal and My Circle, which support OpenID, can be used for these purposes.

Most people physically cannot remember more than a dozen passwords, and many do not want to remember more than one. Yet people are registered on hundreds or thousands of sites, almost everywhere with a password. The Dirichlet (pigeonhole) principle, in general, is fully applicable here.

Unfortunately, it is not yet possible to limit yourself to using only services that do not require creating a password for registration; there are too few of them. But, generally speaking, the time has come when everything needed for the number of such services to grow is already in place. What makes people build the same well-known rake into their products once again?

Source: https://habr.com/ru/post/29764/

