Tuesday, April 2, 2013

mcafee Y U NO hash passwords?

from here (source image)

thanks to dave lewis for tweeting this insanity. the password has a maximum length and can't contain special characters? yeah, that's because they're storing the passwords in plaintext - the database field has a size limit and special characters could lead to SQL injection.

if they hashed the passwords like they're supposed to, neither of those problems would be an issue. and this from a supposed security company? more like an insecurity company. holy crap.
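To show why hashing removes both restrictions, here is an added example (not from the post and not McAfee's code) of a stored password record built with PBKDF2 from the Python standard library, kept in a parameterised SQLite table. The iteration count, the record format and the sample password are all assumptions made for this example.

```python
import hashlib
import hmac
import re
import secrets
import sqlite3
from typing import Optional

# Parameters chosen for this example only; production tunes the iteration
# count upward to its own hardware budget (or uses bcrypt/scrypt/Argon2).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
HASH_ALGO = "sha256"
# Every record has this exact shape: 32 hex chars of salt, 64 of digest.
RECORD_RE = re.compile(r"pbkdf2_sha256\$\d+\$[0-9a-f]{32}\$[0-9a-f]{64}")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt>$<hash>'.

    The password itself is never stored. Whatever it contains (any length,
    quotes, semicolons, non-ASCII), the record is fixed-size hex with no
    user-controlled characters in it, so there is no column to overflow and
    nothing for a character blacklist to protect.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        HASH_ALGO, password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_{HASH_ALGO}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so response timing does not leak a partial match."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != f"pbkdf2_{HASH_ALGO}":
        return False
    candidate = hashlib.pbkdf2_hmac(
        HASH_ALGO, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def open_user_db() -> sqlite3.Connection:
    """In-memory users table; the column holds the hash record, never the password."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_record TEXT NOT NULL)"
    )
    return conn


def create_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    # Parameterised query: the values never become part of the SQL text,
    # so a quote or semicolon in the input is data, not syntax.
    conn.execute(
        "INSERT INTO users (username, password_record) VALUES (?, ?)",
        (username, hash_password(password)),
    )
    conn.commit()


def check_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT password_record FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Hash anyway so an unknown user takes as long as a wrong password.
        hash_password(password)
        return False
    return verify_password(password, row[0])


if __name__ == "__main__":
    # Constructed sample input: a long password full of "forbidden" characters.
    db = open_user_db()
    awkward = "correct horse' OR 1=1; -- battery stäple" * 4
    create_user(db, "alice", awkward)
    print(check_login(db, "alice", awkward))       # True
    print(check_login(db, "alice", awkward[:-1]))  # False
```

The stored record is the same length whether the password is one character or a paragraph, and contains nothing the user typed, which is exactly why a site that hashes has no reason to cap length or ban punctuation.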

3 comments:

dfrier said...

This is so if you forget it they can email it to you.







kurt wismer said...

and that is precisely the WRONG way to deal with forgotten passwords.

send a link (that can only be used once) to a change password feature rather than send the original password.
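The single-use reset link described in the comment above, as an added example (not part of the post or its comments): a random token is issued, only its hash is kept server-side with an expiry, and redeeming it deletes it so the link works exactly once. The token length, the 15-minute lifetime, the in-memory store and the example.invalid URL are assumptions made for this example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

TOKEN_BYTES = 32                 # 256 bits of randomness per link
TOKEN_TTL_SECONDS = 15 * 60      # assumption: links die after 15 minutes
RESET_ENDPOINT = "https://example.invalid/reset"  # hypothetical URL


def _token_digest(token: str) -> str:
    # Only the hash of the token is stored, so a copy of the table cannot
    # be turned back into usable links.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


@dataclass
class ResetStore:
    # digest -> (username, expiry timestamp); in memory for the example
    pending: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    now: Callable[[], float] = time.time  # injectable clock for testing

    def issue(self, username: str) -> str:
        """Create a fresh link for the user, superseding any earlier one."""
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self.pending = {
            d: v for d, v in self.pending.items() if v[0] != username
        }
        self.pending[_token_digest(token)] = (
            username,
            self.now() + TOKEN_TTL_SECONDS,
        )
        return f"{RESET_ENDPOINT}?token={token}"

    def redeem(self, token: str) -> Optional[str]:
        """Return the username the link belongs to, or None if it is
        unknown, already used, or expired. Valid or not, the entry is
        removed, so a link can never be presented twice."""
        entry = self.pending.pop(_token_digest(token), None)
        if entry is None:
            return None
        username, expires = entry
        if self.now() > expires:
            return None
        return username


def token_from_link(link: str) -> str:
    """Extract the token query parameter the way the reset page would."""
    return parse_qs(urlparse(link).query)["token"][0]


if __name__ == "__main__":
    store = ResetStore()
    link = store.issue("alice")       # e-mail this; the password is never sent
    tok = token_from_link(link)
    print(store.redeem(tok))          # 'alice' -> show the change-password form
    print(store.redeem(tok))          # None   -> link already consumed
```

Once redeem returns a username, the change-password handler takes the new password from the user and stores its hash; the old password is never read, e-mailed or displayed, because with hashing in place the site does not have it.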

dfrier said...

Ah, yes, well, you missed the next four lines of my comment because I used angle-brackets, which is not good here.

{facedesk}
{facedesk}
{facedesk}
{facedesk}