A recent article on CSO Online ponders whether passwords are dead, since (or so the article intimates) they are not much of a security countermeasure anyhow. The article quotes a person who seems to believe that SQL injection attacks have something to do with password security.
Christopher Frenz, CTO at See-Thru and a faculty member at Mercy College, both in New York, says the problem is “not because of passwords being obsolete, but because of the prevalence of bad passwords and bad password practices.”
He points to the 2009 SQL injection attack on the social media site RockYou that compromised 32 million user account passwords. “The only password security requirement was a password of at least five characters,” he says, “(which) resulted in people choosing passwords such as 12345, Password, rockyou, and abc123,” plus common dictionary words.
Besides that, the passwords were stored in plain text format, along with users’ email addresses.
Frenz says some websites (Hotmail recently among them) now require more complex passwords with multiple character types.
SQL injection attacks on Web sites are made possible by poor coding practices: input strings from forms or query strings are concatenated directly into SQL statements, so an input such as the following becomes part of the query itself:
2';Update tbl_accountParent set Email=Email+';firstname.lastname@example.org';select * from tbl_accountParent where '1'='1
From now on, whenever any user asks for a password reminder, Mr. Obama will get a nice email with that user's name and password.
And frankly, I don’t understand programmers or Web site operators who tolerate storing passwords in plain text, or encrypting them instead of using one-way hashes.
Maybe a bunch of people should read the online introduction to cryptography by Dan Bernstein.
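The two points above (concatenated SQL versus a parameterised query, and one-way salted hashes instead of plain-text storage) side by side, as an added example that is not from the original post. It assumes an in-memory SQLite table named after the page's tbl_accountParent with a constructed schema and constructed sample rows; the tautology input is the page's own '1'='1.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password: str, salt: bytes) -> bytes:
    # One-way, salted, iterated hash (PBKDF2-HMAC-SHA256); the stored value
    # cannot be turned back into the password, unlike plain text or encryption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def setup_db() -> sqlite3.Connection:
    # Constructed stand-in for tbl_accountParent; schema and rows are assumed.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tbl_accountParent "
               "(username TEXT, Email TEXT, pwhash BLOB, salt BLOB)")
    for user, email, pw in [("alice", "alice@example.org", "hunter2"),
                            ("bob", "bob@example.org", "12345")]:
        salt = os.urandom(16)
        db.execute("INSERT INTO tbl_accountParent VALUES (?, ?, ?, ?)",
                   (user, email, hash_password(pw, salt), salt))
    return db


def reminder_emails_vulnerable(db: sqlite3.Connection, username: str) -> list:
    # The bad practice from the post: user input is pasted into the SQL text,
    # so a tautology in the input changes the WHERE clause.
    sql = "SELECT Email FROM tbl_accountParent WHERE username='" + username + "'"
    return [row[0] for row in db.execute(sql)]


def reminder_emails_safe(db: sqlite3.Connection, username: str) -> list:
    # Parameterised query: the input is bound as a value, never parsed as SQL.
    return [row[0] for row in db.execute(
        "SELECT Email FROM tbl_accountParent WHERE username=?", (username,))]


def verify_password(db: sqlite3.Connection, username: str, password: str) -> bool:
    # Re-hash the candidate with the stored salt and compare in constant time;
    # the password itself is never stored, so a dump of the table does not leak it.
    row = db.execute("SELECT pwhash, salt FROM tbl_accountParent WHERE username=?",
                     (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], hash_password(password, row[1]))
```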