You are browsing around the internet, and you discover a cool website. It’s brand new, and it’s awesome. It has all the cooking tips you could ever imagine, and it even allows you to upload your recipes and create a cookbook online custom to you. You can send it to your friends, or even order a custom bound printed version with your picture on the cover for just $12.99. You’re psyched. All you have to do now is create an account.
You are a member of like fifty little websites like this. There is no way you will ever remember a different password for each one, or a different username for that matter. You just type in your standard normal username and your standard normal password. This is the same password you use for your Chase bank account, your e-mail account, your retirement 401k account, you know, everything.
Nedry Burns, the proprietor of our cooking site, just learned Ruby on Rails about a month ago. He’s 16 years old, and his Aunt Tiff hired him to make the site for her. He’s a mad genius when it comes to design and usability. He’s going to go to SCAD and make it big. What he doesn’t know about is security. If he ever locked the door to his suburban home, he’d for sure be dropping a key under the mat out front. He’s not even sure they have a key to their back door or garage. He just expects everyone to be honest because, well, he is.
Gregor Mischovichishtikniovach is surfing along, and he notices Nedry’s cooking site. His wife Milkviastlatsa would love to try your recipe for Tofu Lasagna. He signs up for an account, but as he does so he notices that Nedry has a “send me my password” link. Hrm…
Gregor clicks it. Nedry’s site is fast. Gregor’s password arrives in his inbox within 3 seconds flat. This makes Gregor happy. Can you guess why?
Because Gregor is now rich. Gregor goes back to Nedry’s site, runs a single line of SQL code in one of Nedry’s forms, and he now has the usernames and passwords of every user. Now it’s just a matter of going to each banking website, logging in, and transferring your cash to his bank account. Of course Gregor would probably end up in jail for this, except that Gregor isn’t his real name. He doesn’t live in Ukraine. He doesn’t even have a Swiss bank account. Gregor is really Ronald P. Wartman who lives next door to Nedry Burns in the burbs of Montana. He’s also a 16 year old genius. He’s going to go to MIT with your money and someday reinvent your banking website. Of course he can never protect you from your own stupidity of using the same password for every single website. But he can try. After all, that’s what you paid him for… Even though you didn’t want to.
Lessons?
1. Don’t use the same password for every site. If you really really just can’t remember more than a few passwords, then have “tiers”. Use one password for these little cooking sites. One password for your e-mail. One password for your banking/financial sites.
You could use some sort of master password tool… But then how do you access your sites from your cell phone, or a public computer?
2. If you are Nedry, don’t ever Ever EVER store passwords as plain text (BAD NEDRY! BAD!). Hash them. It’s so unbelievably simple to do. Here is the code in PHP:
//get the password from the user (the form field is named "password")
$password = $_REQUEST['password'];
//hash the password; only the hash is ever written to the database
$hashedPassword = md5($password);
//now run your login script, comparing $hashedPassword with the stored hash.
With this, your passwords would be stored in the db looking something like this: 1f3870be274f6c49b3e31a0c6728957f. Then even if someone gets all the passwords, they can’t do anything with them because they have no idea that 1f3870be274f6c49b3e31a0c6728957f = ‘apple’.
Of course, there are rainbow table attacks and the like, but you can fight those by simply changing your hash function to:
//hash the password with a fixed secret string wrapped around it.
//PHP joins strings with "." (not "+"), and the literals are single-quoted
//so that the "$JKB" inside the second one is not interpolated as a variable.
$hashedPassword = md5('asdf78223h9)_**&^' . $password . '*^$JKB^*78');
But that’s a different post entirely…
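Here is an added example, not code from the original post, that puts the three storage choices the post walks through next to each other (plaintext as Nedry had it, plain md5, and md5 wrapped in the post’s fixed secret string) together with PHP’s built-in password_hash(), and then plays the role of the attacker who copies the table and tries a precomputed list against it. The user table, the "common passwords" list and the secret strings are all constructed here for the demonstration.

```php
<?php
// Added example: the storage schemes from the post side by side, with a
// precomputed-lookup attack run against each stored value.
// Everything below (table, word list, secret strings) is constructed.

// What Nedry did: the database holds the password itself.
function storePlain(string $password): string {
    return $password;
}

// The post's first fix: an unsalted MD5 hash.
function storeUnsaltedMd5(string $password): string {
    return md5($password);
}

// The post's second fix: a fixed secret string wrapped around the password.
// Single quotes keep the "$" in the suffix from being read as a variable.
const SITE_SECRET_PREFIX = 'asdf78223h9)_**&^';   // constructed, as in the post
const SITE_SECRET_SUFFIX = '*^$JKB^*78';          // constructed, as in the post
function storeSecretMd5(string $password): string {
    return md5(SITE_SECRET_PREFIX . $password . SITE_SECRET_SUFFIX);
}

// Current practice: a deliberately slow hash with a random per-user salt.
// password_hash() embeds the algorithm, cost and salt in the returned
// string, so the column holds everything password_verify() needs.
function storeModern(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

// Login check for the modern scheme: let PHP do the comparison.
function loginOk(string $storedHash, string $attempt): bool {
    return password_verify($attempt, $storedHash);
}

// One user, one password, stored four different ways.
$table = [
    'plain'  => storePlain('apple'),
    'md5'    => storeUnsaltedMd5('apple'),
    'secret' => storeSecretMd5('apple'),
    'modern' => storeModern('apple'),
];

// The attacker's precomputed list (a tiny stand-in for a rainbow table):
// hash -> password, built once, reused against every stolen row.
$commonPasswords = ['123456', 'password', 'apple', 'letmein'];  // constructed
$lookup = [];
foreach ($commonPasswords as $p) {
    $lookup[md5($p)] = $p;
}

// Try the lookup against each stored value and report what comes back.
foreach ($table as $scheme => $stored) {
    if ($scheme === 'plain') {
        $recovered = $stored;                 // nothing to break
    } else {
        $recovered = $lookup[$stored] ?? null; // a single table lookup
    }
    printf("%-7s stored=%s\n        recovered=%s\n",
           $scheme, $stored, $recovered ?? '(not in the precomputed list)');
}

// The site can still log the user in without ever seeing the stored value
// as anything but an opaque hash.
var_dump(loginOk($table['modern'], 'apple'));
var_dump(loginOk($table['modern'], 'Apple'));
```

Run it with the PHP command-line interpreter (PHP 7 or later, which is required for the `??` operator and the scalar type hints). The plain and unsalted-md5 rows give 'apple' straight back from the lookup, which is exactly the rainbow-table problem the post describes; the secret-string row and the password_hash() row do not, because the precomputed list was built without the secret or the salt. The difference between the last two matters in practice: a fixed site-wide secret only helps until someone also obtains the source code, and md5 is fast enough to brute-force at scale, whereas password_hash() uses a per-user random salt and a slow algorithm, so a leaked table has to be attacked one user at a time and one guess at a time. A side effect worth noticing in the story: once only hashes are stored, the "send me my password" link cannot work at all; the site can only offer a password reset, which is the behaviour you want.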