Encrypted Password Database
Why does LibraryThing store passwords in plain text? This is _very_ scary knowing that Bill O'Reilly's database of users was recently stolen along with passwords of all his members.
I'm not a webappsec expert, but wouldn't storing the passwords hashed with a salt be more secure than storing the passwords in plain text? You wouldn't really have to give up any of the conveniences of your current system... people would still be able to "reset their password." It would be a huge gain for users though because passwords wouldn't be stored on your site with the potential to be stolen by a hax0r.
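The scheme the post above describes (salted hashes, with "reset" still possible), as an added example that is not part of the original thread or LibraryThing's code. It uses scrypt from Python's standard library; the cost parameters, function names and sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

# scrypt cost parameters (assumed for this example; tune per deployment)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def hash_password(password: str) -> dict:
    """Return the record a site stores instead of the password itself."""
    salt = secrets.token_bytes(16)  # unique per account, so equal passwords differ
    return {"salt": salt.hex(), "hash": _derive(password, salt).hex()}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = _derive(attempt, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def reset_password(users: dict, username: str) -> str:
    """Reset without knowing the old password: issue a new one, store its hash.
    The caller delivers the return value out of band (e.g. a confirmed email)."""
    temporary = secrets.token_urlsafe(12)
    users[username] = hash_password(temporary)
    return temporary


def demo() -> dict:
    # Constructed sample accounts; both users deliberately share one password.
    users = {name: hash_password("MickeyMouse") for name in ("alice", "bob")}
    results = {
        "login_ok": verify_password(users["alice"], "MickeyMouse"),
        "typo_rejected": not verify_password(users["alice"], "MineyMouse"),
        # Per-account salts hide the fact that two users chose the same password.
        "hashes_differ": users["alice"]["hash"] != users["bob"]["hash"],
        # A stolen copy of the table does not contain the password.
        "no_plaintext": "MickeyMouse" not in repr(users),
    }
    temporary = reset_password(users, "alice")
    results["reset_ok"] = verify_password(users["alice"], temporary)
    results["old_rejected"] = not verify_password(users["alice"], "MickeyMouse")
    return results


if __name__ == "__main__":
    print(demo())
```

The site can still reset a password but can no longer read one back, so a support conversation that compares a remembered password with the stored one is not possible under this scheme.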
Do we know that passwords on LT are kept in plain text? LT wouldn't be the only site to keep passwords in plain text, but just about every PHP book I've ever encountered has talked about how bad an idea that is. OTOH, unless you've hacked into the tables, I'm not sure how you would know.
I'm guessing that he knows because we helped him recover one.
Here's the deal. The standard way sites deal with security is to store passwords as hashes, but to require an email--used to send a new password if you forget your old one.
LibraryThing grows out of a different idea of security—one that takes as its principal value not requiring any personal details. This includes email addresses. LibraryThing does not require members to enter anything other than a user name and a password. A majority do not give us their passwords, making a "reset" impossible. Rather, when a user is really in trouble, we tend to have a conversation about it. (Nine times out of ten they say their password is "MickeyMouse" and we notice it's "MineyMouse.")
The point of this sort of security is less to protect your account than you. Without personal information, authorities interested in your books would have a harder time tracking you down. (They'd have to subpoena access logs, assuming we had them for the period in question, and actually those wouldn't necessarily help, as standard web logs don't say who you're signed in as, just where you went.) In this spirit, we also separate our PayPal system from our account system, although someone who subpoenaed both companies and compared the logs second-by-second could probably figure it out.
This idea of security is a very library-ish one. Libraries generally try to protect patron data by not connecting the data to the patron, or by throwing it out immediately, not by encrypting it.
I think a fair compromise would be to hash passwords if the user has an email account—and clicks on a confirm link.
I understand the reasoning. As the net has developed, I think that for some people usernames have become nearly as good an identifier as email addresses. There are people on LT who I recognize from other systems. This may tend to undermine some of what you are trying to achieve.
I need someone to agree or disagree with my plan. I think it's a good combo, but I need an amen...
Tim, your post taught me something about LT as well as internet security in general. I like both your original reasoning and the compromise. So ... amen.
>4 dcmdale: True, but of course it's the user's choice to recycle another user name. That said, it might be good practice for LT to alert users of the implications of what they're doing, and how using their standard approach to login & password might undermine their own security on LT in a way that wouldn't arise on other sites.
Sounds good to me.
I agree with >7 elenchus that LT ought to give people some sort of alert that they are making an important choice about their Internet security when they sign up. Yes, I know that we are supposed to use different passwords for various websites... but seriously, given the number of sites many of us have been on at some time or another, only a computer could keep track of it all, not my brain. And I certainly didn't guess when I signed up that this would become so important to me.
Anyone internet savvy enough to sign up with a site should know that there are (usually minor) risks involved, for the very reason that you mention... many sites. And with LT, the risk is indeed small, imo.
>3 I thought that the idea was good enough that it didn't need a second, but since you asked, yes, it's a good idea.