Holy cow, my colleague stores passwords in plaintext!!!

Time: 2020-5-16

Oh My God!

Recently, while reviewing code, I found that a system's login logic queries the database directly with the plaintext password. The stack leader then looked at the database table: the passwords were stored in plaintext. I can't believe it…

Briefly: this is an internal enterprise system with only a few function points, and the whole thing was written by a single developer who graduated about two years ago and is still a junior.

Why store passwords in plaintext? Even though it is just a small internal system, this is non-compliant and a very serious security risk. I went to the system's developer to find out what had happened.

Stack leader: Why does the system store user passwords in clear text?
Developer: This is a small internal system, only a few people use it. It shouldn't need to be encrypted.
Stack leader: It doesn't matter how big the system is. All sensitive information needs to be encrypted, let alone passwords. Please fix it as soon as possible.
Developer: OK, my bad.

Although the developer recognized his mistake, he did not know how to implement the encryption, so I told him to refer directly to the encryption logic of our other systems.

This is really a serious, low-level security problem. Of course, testing bears some responsibility too: nobody checked the stored data. More importantly, the developer simply had no security awareness. Once an incident happens, dismissal or even prosecution would not be out of the question.

Low-level as it is, several Internet companies have previously been exposed for plaintext storage that led to massive leaks of usernames and passwords. So how can we store passwords safely? Generally, there are the following schemes:

  • MD5 (not recommended, not safe)
  • AES (not recommended, the key is not easy to save and can be decrypted)
  • 3DES (not recommended, the key is not easy to save and can be decrypted)
  • SHA1 (not recommended, unsafe)
  • SHA256
  • SHA512
  • PBKDF2
  • bcrypt
  • scrypt

Which scheme to use is clear from that list. The stack leader has previously shared a very detailed article on the various encryption algorithms; you can read it, or follow the official account "Java technology stack" and reply "algorithm" in the background to get it.

Through this incident, the stack leader really realized how uneven developer skill levels in the software industry are these days. I have seen all kinds of shit code.


To survive and save costs, enterprises need to hire some junior developers. But some developers really don't think things through, have no standards for their own code, and have no drive to make their code better.

Of course, I understand that the daily flood of CRUD business requirements traps developers; how can they find time to optimize and think about their code? Honestly, few companies let you leave work on time.

Even so, that is no excuse for writing bad code, writing bugs, and not improving yourself. It all depends on the person: whether they want to do things well, whether they want to improve, and whether they hold themselves to a standard.

From the bottom of my heart, I hope you all hold yourselves to some standard so that you can become a better self. Don't be the one your colleagues criticize. As the old saying goes, those who are strict with themselves will not end up too badly. Let's go together, youngsters!

Finally, which encryption method does your company use? Feel free to share~

Follow the WeChat official account "Java technology stack", where the stack leader will keep sharing the fun of Java technology. Reply "Java" in the background to get all the past Java tutorials, all solid content.

Recommended reading on my blog:

1. Java JVM, collections, multithreading, and new-features series tutorials

2. Spring MVC, Spring Boot, Spring Cloud series tutorials

3. Maven, Git, Eclipse, IntelliJ IDEA series tool tutorials

4. Latest interview questions for Java, backend, architecture, Alibaba and other large companies

Life is beautiful. See you tomorrow