Cake
  • Log In
  • Sign Up
    • Thanks for bringing this up, @yaypie. Password hashing and salting a hash must be arcane concepts to non-programmers ("First you're not even storing my password, and then you're adding random garbage to what you store - how can this even work?"), but this is very important to every single one of us who has at least some important data secured by one of these things. :)

      A quick back-of-the-envelope calculation shows that only a quarter of passwords in this hack were stored in a secure way, with the security of the remaining remaining quarters being either dubious (MD5+salt?; same salt for the whole table?) or outright crazy. This just isn't enough!

      My last encounter with someone not quite understanding the value of hashing and salting correctly is much less spectacular than this, but still shows the general problem:

      Last year, I participated in a prize competition where I had to enter my mail address. After doing that, I received a mail stating that I needed to confirm my address for GDPR reasons. This mail contained a link for me to click on, which was built like this:

      <domain>/confirm/?mail=factotum@example.com

      The URL contained my mail address as plain text! I would have been able to "confirm" any random address I added to their database, even without having access to that mail address. Using the right addresses (some privacy lawyers come to mind), this could have caused them a good amount of trouble.

      I contacted them and explained the issue - and they replied, thanking me for bringing this up and mentioning that someone "is working on solving the problem (MD5 hash)". This mention of a hashing algorithm was oddly specific, so I tried participating again from a different address. In fact, the link I received this time was

      <domain>/confirm/?hash=cd13b6a6af66fb774faa589a9d18f906

      Using an MD5 hash generator, I quickly confirmed that the hash used was created from the mail address string without any salting. They changed the process slightly, but didn't make it any more secure than it was before. Obviously, they didn't have any real understanding for what hashing (and salting) really is.

      (Try it out yourself: how long do you need to find out what this hash stands for?)