Comment by tmoertel on 15/12/2006 at 03:08 UTC

30 upvotes, 0 direct replies (showing 0)

View submission: Reddit's Streak of Bad Luck Continues...

> [Password hashing] is [easy to implement], and I'll go ahead and do it now...

Please don't just hash the passwords, *salt[1] and hash* the passwords. (It's easy.[2]) If you don't, script kiddies can trivially recover a large portion of unsalted-yet-hashed passwords from a compromised user database with readily available tools (e.g., RainbowCrack).

1: http://en.wikipedia.org/wiki/Password_cracking#Salting

2: http://fora.pragprog.com/rails-recipes/discuss-the-book/post/5

> The irresponsibility (and there is some) was allowing our data to get nabbed.

No, the irresponsibility was in assuming that "we won't allow our data to get nabbed" is a reasonable security strategy. Given how frequently databases fall into the wrong hands these days, what made you think your strategy was a sensible way to protect your users' secrets?

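The point of the comment above, shown in code. This is an added example, not code from the comment, the linked Rails recipe, or Reddit: it builds the attacker's precomputed lookup table once and applies it to a leaked "hash only" user table, then stores the same passwords with a per-user random salt and shows that the attacker is thrown back to re-hashing the wordlist separately for every user. The wordlist, the user list and the `iterations$salt$digest` record format are constructed for the example; PBKDF2-HMAC-SHA256 is used as the salted hash so that each per-user guess is also expensive, which goes one step beyond the comment's "salt and hash".

```python
import hashlib
import hmac
import os

# Constructed sample wordlist: stands in for the precomputed tables
# (rainbow tables, hashed wordlists) that tools like RainbowCrack ship with.
WORDLIST = ["password", "letmein", "123456", "qwerty", "dragon"]

# Constructed sample user database: (username, plaintext) pairs, used only
# to build the two kinds of stored records below.
USERS = [("alice", "letmein"), ("bob", "letmein"), ("carol", "c0rrect-h0rse-b4ttery")]


# --- Scheme 1: hash only (what the parent comment proposed) ------------------

def unsalted_hash(password):
    """Plain SHA-1 of the password: same input gives the same output on every site."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Attacker's precomputation: hash -> plaintext, built once, reused against every leak."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(stored, table):
    """Cracking a leaked unsalted table is one dictionary lookup per row, no hashing at all."""
    return {user: table[h] for user, h in stored if h in table}


# --- Scheme 2: per-user random salt + slow hash ------------------------------
# Record format (an assumption of this example): "iterations$salt_hex$digest_hex".
# The salt is random per user and stored in the clear; it does not need to be
# secret, it only needs to differ between users and between sites.
ITERATIONS = 50_000


def make_record(password, salt=None, iterations=ITERATIONS):
    """Hash with a fresh 16-byte random salt using PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_record(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_salted(stored, words):
    """With salts there is nothing to precompute: every record forces a fresh
    pass over the wordlist, and each guess pays the full PBKDF2 cost.
    Returns (cracked, number_of_kdf_evaluations)."""
    cracked, evaluations = {}, 0
    for user, record in stored:
        for w in words:
            evaluations += 1
            if verify_record(w, record):
                cracked[user] = w
                break
    return cracked, evaluations


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    unsalted_db = [(u, unsalted_hash(p)) for u, p in USERS]
    print("unsalted, cracked by table lookup:", crack_unsalted(unsalted_db, table))

    salted_db = [(u, make_record(p)) for u, p in USERS]
    cracked, cost = crack_salted(salted_db, WORDLIST)
    print("salted, cracked only by re-hashing per user:", cracked,
          "| KDF evaluations spent:", cost)
```

Two things to notice when running it: `alice` and `bob` share a password, but their salted records differ, so even the fact that two users chose the same password is no longer visible in the leaked table; and the weak passwords still fall to a per-user dictionary pass, which is why the salt is paired with an iterated hash rather than a single fast SHA-1. The salt alone removes the attacker's precomputation; the iteration count is what makes each remaining guess cost something.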