When I saw this piece in my google reader, I thought: that’s interesting, so I headed over and checked it out thinking that I get some information about are the practices at big companies. Somewhat disappointingly it was just a link to a tutorial which looks like it was written by someone who is just getting into security but has no solid grips on it. Postings of this quality on the tucows blog makes me wonder about the quality of their code. The problems with the mentioned article are:
- It attempts explain about MD5 and hash algorithms in general, however it does a poor job. For example it doesn’t explain why it lends itself to brute force attacks (which btw can be explained very simply by saying: because the same string always generates the same hash, you can simply try to generate all the strings, hash each one of them and see which one gives the same hash) and while it does mention salted hashes it fails to mention what they are or the fact that they can provide protection against bruteforce attacks (if they are not known – for example supposing that only the database part of your site was compromised) and / or against pregenerated tables.
- The code provided as example is riddled with SQL injections, and while it’s true that recent versions of PHP come with magic quotes turned on by default, the article writer should at least mention this assumption, so that people who copy the code know about it and can counteract if this asumption is not true. Pear Db or precompiled queries are also not mentioned, even though they can provide a defense against SQL injection attacks.
- In the original tucows posting mentions e-mail-ing a link to users where they can change their password, however it fails to mention the security aspects of this, like it should use HTTPS, it should not be possible to easily guess it and it should expire after a certain time. I know that for many security is an afterthought, however at least think about it when you are talking about it!