By now you’re probably aware that I think PHP koderz (who often way too generously refer to themselves as “developers”) are among my least favorite of the lower primates. Here’s an example of why that is:
One of my clients uses a shopping cart that’s pretty darn popular, but that shall remain unnamed here. They hate the thing, and since another of my clients is designing a new web site for them I’m writing them a new, custom shopping cart that will suck less. Along the way, they want to import all of their existing customer profiles into the new cart from the old one, which means I have to know the encryption algorithm used to store passwords in the old cart. It’s the first time I’ve had reason to concern myself with the passwords in the old, pretty darn popular shopping cart. When I looked into the database table that contains the user names and passwords, my first reaction was
OH FUCK NO THEY DIDN’T!
But yes, they did. They used a cryptographic hashing algorithm that has been considered totally inadequate since the mid-1990’s. I was a member of the winning team in the competition to crack the thing way back when, in 1996 or so. I snagged three password hashes out of the shopping cart’s database, and plugged them into crackstation.net which gave me the plain text of two of them.
Grrr. Nothing makes me angry in quite the same way as a dolt who plays fast and loose with other people’s sensitive information only because said dolt doesn’t know any better. My client has already had trouble with that shopping cart — there’s a contract spammer in The Philippines who targets that cart specifically because it will gladly gateway his spam via the “email this page to a friend” feature which no site anywhere on the web should still have in the 21st century. Spammers abuse the hell out of them. The shopping cart vendor’s fix is so half-assed that as soon as that contract spammer reads their support forum he’ll know precisely how to work around it. At least anyone whose cart is abused in that way can find my bulletproof fix there and not be at the mercy of an incompetent vendor and a contract spammer who takes advantage of the vendor’s incompetence.
Now I get to crack all of the passwords I can in the existing database so I can convert them to new hashes using a hell-for-strong algorithm that’s more adequate for 2014. I probably won’t get all of them so will have to finish the job by writing code that will authenticate against the old weak shit and then update the stored passwords to the new, and later go through to just blow away the weak shit if those users don’t come back around. My client will probably hate that I’m going to blow away customer accounts. They’re already downgrading my password security requirements, which torques my nads, but I’m implementing brute force attack evasion so it’d be one wicked lucky cracker who could break in that way. And the algorithm I’m using is tough enough that even if someone like the NSA got hold of the database it’d take them a long, long time to get anything out of it.
Paranoia is the most important part of my job description. 😀