I’ve always been interested in software security, and it’s always been a number one priority for me. Software security is really honoring the trust of the people that use your software. I’ve also been fortunate to be the lead developer of a security product. I myself also tend to keep an eye on the security of other products.
We use a few applications in house that we really like. I decided poke around at the security of some of these products. I won’t say any of the product names because they really are, good products sans some poor security. If I find a security bug in a piece of software, I will report it to support or the development team. I feel like I’ve done all that I can, and I’ll leave it to them to fix it.
Though the one thing that there really is no excuse for is storing a password in clear text. While doing my digging, I found that two products we use stored passwords in clear text. One of them was attempting to hash a login password using String.GetHashCode, which isn’t a good idea, but much better than a clear text. However, this product also stored some other passwords in clear text. They needed to be two way, so a hash wouldn’t work; rather a symmetric encryption would be better off. The other system just used clear text for all passwords. This is really just neglecting security, it’s not even a bug. It’s just not caring.
It’s not too hard to encrypt data in .NET, it’s pretty easy and there are a lot of tutorials on it, and there are a few usergroups around that talk about it as well, too.
Seeing this makes me think a couple of things. The first being, are my standards too high? I don’t think so honestly. I don’t see any reason for storing a password in plain text other than reducing developer effort. The second thing is, how common is this? If two applications that we use have this issue, should I lose trust in all of the applications I use? It’s not a comfortable thought; knowing that some software abuse the trust that we give them. The third thing is, I know one of these products is extremely popular. I’m surprised no one has caught this before. Am I really the only one that tinkers around with other software’s security?