Why are plain text passwords bad, and how do I convince my boss that his treasured websites are in jeopardy? [closed]

by

In the military it’s called “Defense in Depth”. The theory is that you harden every layer you can rather than hardening just one layer and hoping it’s enough.

I’ve heard databases like yours called “hard on the outside, soft and chewy on the inside”. There are a million ways a dedicated hacker can get access to your database. Social engineering, a disgruntled employee, an ex-employee who decides to see if his login still works, or that backdoor he wrote is still there, one missed OS patch… the list goes on.

If a bad actor gets access through any of these methods, instead of just getting the data, he gets access to every username/password combination of every user of your system, and as someone pointed out, people often use the same combo for every website. So your hacker goes out and owns hundreds of people’s Paypal, email, and bank accounts.

Have I painted a gruesome enough picture yet?

More Related Contents:

  1. Is it worth hashing passwords on the client side
  2. Automate Extended Validation (EV) code signing
  3. getpasswd functionality in Go?
  4. Implement password recovery best practice
  5. How can I make an expect script prompt for a password?
  6. android lock password combinations
  7. Automate Extended Validation (EV) code signing with SafeNet eToken
  8. Why is sudo not accepting my sudo password? [closed]
  9. C Password Log giving me errors
  10. Secure hash and salt for PHP passwords
  11. How to provide user name and password when connecting to a network share
  12. How to generate a random string in Ruby
  13. SHA512 vs. Blowfish and Bcrypt [closed]
  14. Generating Random Passwords
  15. Cannot import the keyfile ‘blah.pfx’ – error ‘The keyfile may be password protected’
  16. What algorithm should I use to hash passwords into my database? [duplicate]
  17. Why does JPasswordField.getPassword() create a String with the password in it?
  18. password_hash returns different value every time
  19. How to have password echoed as asterisks [duplicate]
  20. a better approach than storing mysql password in plain text in config file?
  21. PHP regular expression for strong password validation [duplicate]
  22. Way to securely give a password to R application from the terminal?
  23. How to make Chrome remember password for an AJAX form?
  24. How to login and authenticate to Postgresql after a fresh install?
  25. Should I impose a maximum length on passwords?
  26. Make Android WebView not store cookies or passwords
  27. C command-line password input
  28. What would be the Windows batch equivalent for HTML’s input type=”password”?
  29. Disable drop paste in HTML input fields? [duplicate]
  30. How do I safely store database login and password in a C# application?

Leave a Comment