mmmm Salty passwords
I was having a code review session and found out that the password is just being hashed and stored in the DB. The DB had a field for salt when I designed it, and I specifically asked to use salted hashes. So I suggested that the developer use a salted hash and he agreed. Later I asked him and he said he had implemented it. Now, 3 months later, I am working on some query optimization, and during this I ran a query on the user table and, to my surprise, the salt field contains "mmmmmm Salty passwords..." for all the records. And when I checked the code, the code contains this hard-coded string in the register action method (ASP.NET MVC). Good thing is that the developer left the organization; otherwise I would have been serving a life sentence for killing him.
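As an added example (not code from the post or from the application described), the query check that surfaces the problem above, and the per-user salting it should have been, in Python. The `users` table, e-mail addresses and passwords are constructed sample data; the audit only needs a `salt` and `hash` column to exist.

```python
import hashlib
import hmac
import os
import sqlite3
from collections import Counter

# Constructed sample table mirroring the finding: every row carries the same
# hard-coded salt, so the "salt" column adds nothing to the stored hash.
CONSTANT_SALT = "mmmmmm Salty passwords..."
SAMPLE_USERS = [("alice@example.test", "hunter2"),
                ("bob@example.test", "correct horse"),
                ("carol@example.test", "hunter2")]  # same password as alice

def build_sample_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (email TEXT, salt TEXT, hash TEXT)")
    for email, pw in SAMPLE_USERS:
        # The broken scheme from the post: sha256(constant_salt + password).
        digest = hashlib.sha256((CONSTANT_SALT + pw).encode()).hexdigest()
        con.execute("INSERT INTO users VALUES (?, ?, ?)", (email, CONSTANT_SALT, digest))
    return con

def audit_salts(con):
    """Audit check over a user table. Returns
    (row_count, distinct_salts, rows_sharing_most_common_salt, repeated_hash_values).
    A healthy table has distinct_salts == row_count and no repeated hashes;
    a constant salt also makes users with the same password share a hash."""
    rows = con.execute("SELECT salt, hash FROM users").fetchall()
    salts = Counter(s for s, _ in rows)
    hashes = Counter(h for _, h in rows)
    repeated = sum(1 for n in hashes.values() if n > 1)
    top_share = salts.most_common(1)[0][1] if rows else 0
    return len(rows), len(salts), top_share, repeated

def hash_password(password, iterations=600_000):
    """What the register action should do: fresh random salt per user plus a
    slow KDF (PBKDF2-HMAC-SHA256); store both salt and digest in the row."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_password(password, salt, stored, iterations=600_000):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored)

if __name__ == "__main__":
    # (3, 1, 3, 1): three rows, one salt, alice and carol end up with the same hash
    print(audit_salts(build_sample_db()))
```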