
Plenty of Fish Hacked: Sloppy security

January 31, 2011

Just heard that the biggest free dating site in North America, Plenty of Fish (PoF), has been hacked. There seems to be some drama behind it, as there are stories about an extortion attempt, but what interested me was the claim that PoF stores user passwords as plaintext! This is never a good idea. While you’re at it, sending user input to the server as plaintext is also a bad idea: use SSL.

To safely store passwords: you don’t store passwords. Instead, a hash of the password is stored. This way, the server doesn’t actually know what the passwords are. When you want to verify a password, run it through the same hash function and compare the result with what you have in your database. Caveat: don’t use an optimized general-purpose hash function, because then it can be brute-forced; use one that can be configured to run slowly.

Solution: use bcrypt.

P.S. Encryption isn’t the best solution here, because all it takes is for your encryption key to be compromised to open the floodgates.
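Here is what the hash-and-compare scheme above looks like in code. This is an added example, not code from the original post or from Plenty of Fish. It uses the Python standard library's PBKDF2-HMAC-SHA256 instead of bcrypt (bcrypt needs a third-party package), which is also a salted hash with a configurable cost, so the design is the same: a per-user random salt, an iteration count stored alongside the hash so it can be raised later, a constant-time comparison on login, and no key anywhere that could be compromised. The record format `algorithm$iterations$salt$hash` and the function names are constructed for this example and are not bcrypt's own `$2b$` format.

```python
"""Salted, deliberately slow password storage and verification.

Added example, not code from the original post. PBKDF2-HMAC-SHA256 from the
standard library stands in for bcrypt; the record format below is constructed
for this example and is not bcrypt's "$2b$..." format.
"""
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"   # label stored with each record
DEFAULT_ITERATIONS = 200_000  # the "configured to run slowly" knob
SALT_BYTES = 16               # per-user random salt


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$hash_hex.

    The password itself is never stored; only the salt, the cost and the
    derived hash go into the database.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${derived.hex()}"


def _parse(record: str):
    """Split a stored record into (iterations, salt, hash); None if malformed."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        return int(parts[1]), bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    except ValueError:
        return None


def verify_password(password: str, record: str) -> bool:
    """Re-run the same hash with the stored salt and cost, then compare.

    hmac.compare_digest is a constant-time comparison, so the check does not
    leak how many leading bytes of the hash matched.
    """
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the record was made with a lower cost than current policy.

    Call this after a successful login so old records get upgraded as
    hardware gets faster; a fast general-purpose hash has no such knob.
    """
    parsed = _parse(record)
    return parsed is None or parsed[0] < iterations


if __name__ == "__main__":
    # Constructed sample account, not real data.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("hunter2", record))
    old = hash_password("correct horse battery staple", iterations=1_000)
    print("legacy low-cost record flagged for upgrade:", needs_rehash(old))
```

Two records for the same password differ because each gets its own salt, so a leaked table cannot be attacked with one precomputed list for all users, and the stored iteration count is what lets you tune the "run slowly" part without invalidating existing accounts.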


From → Web Development
