Educause Security Discussion mailing list archives

Re: Password security


From: David Pirolo <webmaster () WARNERPACIFIC EDU>
Date: Thu, 2 Feb 2012 10:37:23 -0800

I'd have to agree with Joe here.  Since it really isn't a requirement or
a law to not store in plain text, rather it is just a best practice, the
only ammo we have is putting pressure on the vendors by using the
products that do adhere to best practice.

The increasing pressure and monetary fines we face from our regulatory
bodies are really making this more vital to increase the pressure on our
vendors.  Best way to put pressure on a vendor is to threaten to and
start evaluating a competitor who is keeping up with the times.

-David


On Wed, 2012-02-01 at 16:21 -0800, Joe St Sauver wrote:
Hi,

While I share everyone's concern about plain text passwords, there 
*are* many, many, mainstream applications that *do* store passwords 
unencrypted, and often in ways that are publicly accessible. 
(Anyone skeptical of this can quickly lose that skepticism via a 
little Google dorking, e.g., see for example
http://www[dot]exploit-db[dot]com/google-dorks/9/ )

From my POV, the *real* issue is this: given that plain text passwords
ARE out there all over the place, how do we get that problem sorted? 

I suspect that a straightforward find-and-notify strategy might be an 
excellent way to trigger a "shoot the messenger bearing bad news" sort 
of reaction, unfortunately.

Regards,

Joe
