{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 我想做一个坏孩纸 的问题《Why are plain text passwords bad, and how do I con》','https://www.manongdao.com/q-1168938.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I've always been of the impression that storing passwords in a database as plain text is (as someone else here put it) a Very Bad Thing™.
Historically, most of our server-side coding needs have been contracted out to a group of programmers. They store passwords in MySQL databases in plain text.
As the resident code monkey (incidentally, the first server-side-savvy monkey to work here, so I'm inheriting the earth, so to speak) I have this pit of the stomach feeling that it's my bum that will be on the line when this plain text nonsense is exploited.
I tried to explain to my boss how very very bad plain text passwords are, but it dawned on me: I don't think I've ever really know why they're so bad. Is there more to it than handing your hackers a list of passwords on a silver platter? That sounds bad enough for me, but in la-la land, where our websites are "secure" and impervious to any hacker, this argument doesn't seem to cut it. How can I convince (or scare) my boss into demanding hashing on his treasured websites?
Related: Encrypting/Hashing plain text passwords in database
The two good answers I have seen promulgated for this question are:
You protect the passwords from snooping employees, i.e. people that have legitimate access to the database cannot easily steal a password should they feel so inclined,
A application logic flaw, such as an SQL injection one on a web site front end, will have a reduced chance of resulting in a compromise.
In my opinion it's a good idea to encrypt database password (although I'm yet to get around to doing it for most of my apps) but of far more importance is to make sure your database server is as bullet proof as possible with respect to network and authorised access. If an attacker can get to your database then it won't matter what how you've stored your passwords they will be able to break them.
Here are a few reasons:
You may wish to point out that failure to properly secure the accounts could be exposing the company to legal liability if the information were ever compromised. Ignoring a known vulnerability could wind up costing you in legal fees if a user's data was exposed as a result of your company's actions (or inaction, as the case may be).
In the United States, there are certain types of data, such as financial and medical information, that companies are legally bound to keep secure and private. Failure to do so can have serious consequences. I'm not familiar with other countries' laws in this regard, but it's something worth looking into if your company is dealing with such data.