Thursday, October 27, 2005

Who needs security...

This is another in the "Worst. <insert here>. Ever." series. When designing the login system for our new web application at work, I had the following conversation regarding hashing of passwords over the past few days.

Warning: This has technical jargon in it. I would suggest something like Wikipedia to help decipher it.


Boss: I need to change the MD5 password hashes that you wrote the other day back to the shorter version that I had.

Me: Umm. Why?

Boss: The MD5 hashes are too long to display in the password field.

Me: <blink><blink>Why are you sending the hashes back to the UI?

Boss: I need to know if there is a password set.

Me: <blink><blink>Why are you sending the hashes back to the UI? Can you not set a hidden input that is a boolean?

Boss: Well, really I'm not sending the hash. I'm just sending asterisks the length of the hash.

Me: <blink>So you want to change the hashing algorithm to something less secure so that you can have fewer asterisks? Can you not just send a specific number of asterisks?

Boss: *sigh* I guess. But I've already written the UI.

It's easy to not think about security, I suppose.
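The point of the exchange above in code, as an added example that is not part of the original post: the UI needs only a yes/no answer about whether a password is set, so the server should send a boolean and a fixed-width mask, never anything derived from the stored hash. The user records, names and functions below are constructed for this illustration. MD5 is used only because that is what the post discusses; password storage today should use a slow, salted KDF (bcrypt, scrypt, Argon2 or PBKDF2), and nothing in the "don't expose the hash" logic depends on the algorithm.

```python
import hashlib
import hmac


def md5_hex(password: str) -> str:
    # MD5 as in the post. A modern system would use bcrypt/scrypt/Argon2/PBKDF2 here.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed sample accounts (hypothetical, not from the original post).
USERS = {
    "alice": {"password_hash": md5_hex("correct horse")},
    "bob": {"password_hash": None},  # account exists, no password set yet
}


def profile_form_leaky(username: str) -> dict:
    """What the boss's UI did: one '*' per character of the stored hash.

    The hash bytes themselves never leave the server, but their length does.
    A 32-character mask tells any client the backend stores MD5 hex digests,
    and it ties the UI to the hash format, which is exactly why the boss wanted
    a shorter (weaker) hash.
    """
    h = USERS[username]["password_hash"]
    return {"username": username, "password_field": "*" * len(h) if h else ""}


def profile_form(username: str) -> dict:
    """Send the UI only what it asked for: a boolean plus a fixed-width mask.

    Nothing about the stored hash (length, algorithm, value) reaches the
    client, and the hashing scheme can change later without touching the UI.
    """
    has_password = USERS[username]["password_hash"] is not None
    return {
        "username": username,
        "has_password": has_password,
        "password_field": "********" if has_password else "",
    }


def verify_password(username: str, candidate: str) -> bool:
    """Server-side check. The stored hash is compared here and nowhere else."""
    stored = USERS[username]["password_hash"]
    if stored is None:
        return False
    # Constant-time compare to avoid leaking how many leading characters matched.
    return hmac.compare_digest(stored, md5_hex(candidate))


def response_leaks_hash_length(payload: dict) -> bool:
    """Quick check a reviewer can run on any UI payload: does the mask length
    equal the length of an MD5 hex digest (32)?"""
    return len(payload.get("password_field", "")) == 32


if __name__ == "__main__":
    print("leaky :", profile_form_leaky("alice"))
    print("fixed :", profile_form("alice"))
    print("no pw :", profile_form("bob"))
```

The fixed `password_field` string is purely cosmetic; the only value the UI should branch on is `has_password`. If the form needs to know whether to show "set a password" versus "change password", that boolean is all it needs.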
