Timeline for Storing plaintext passwords for detecting fraud
Current License: CC BY-SA 3.0
9 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Aug 7, 2012 at 6:36 | history edited | inquam | CC BY-SA 3.0 | added 1723 characters in body |
| Aug 3, 2012 at 18:01 | comment added | nohat | | @Ramhound, calling everyone idiots sure is a really compelling argument. "Ramhound from programmers.stackexchange.com says we're all idiots for considering this, so I guess we should go back to the drawing board." That'll really convince management. |
| Aug 3, 2012 at 12:45 | comment added | Ramhound | | @inquam - Anyone that implements this idea is an idiot. There is NO WAY around that fact. If you do not hash your users' passwords in the most secure way possible you are an idiot. Besides, this idea is NOT going to stop fraud. Anyone who would listen to this fraud detection consultancy company seems like they are filled with either idiots or is simply a scam. |
| Aug 1, 2012 at 20:21 | comment added | DaveE | | @inquam "rigorous internal security plan"? Try "No ... plan survives first contact with the enemy". |
| Jul 31, 2012 at 18:10 | comment added | inquam | | I'm not saying plain text is great. But IF this is what the person asking the question wishes to do, then it has to be done as securely as possible. Then I don't know, he might be the only person working with the application in question and trusting other people isn't an issue. I myself have NEVER stored passwords as plain text but have instead used advanced algorithms to try to link accounts together with combinations of behaviour and account information. But that's a WAY harder approach :). Worked fine for large banks and online gaming anti-fraud use though. |
| Jul 31, 2012 at 16:17 | comment added | Ramhound | | @inquam - No matter how much security there is, if the passwords are not hashed, they will be leaked. I have to downvote this answer for even trying to suggest storing passwords as plaintext. If a single person can access the users' passwords then it's a security risk not worth having. |
| Jul 31, 2012 at 8:12 | comment added | inquam | | There should of course be a rigorous internal security plan in place for this. But the hardest thing to protect against is your own employees, this is true. But if they work there they could probably gain access to user accounts, create back doors etc. just as easily. An isolated server, with access only for a single user in a locked room etc. could add enough security. If only one person has access and security is upheld, only one person has to be trusted. But someone must indeed be trusted. When we have had other sensitive material we have had security checkpoints and surveillance all over :) |
| Jul 31, 2012 at 8:08 | comment added | Martijn Pieters | | And then the old, old backup of that internal server is leaked, and a load of plain-text passwords that haven't been changed by their users in eons is out in the open. Still not a good idea. |
| Jul 31, 2012 at 8:06 | history answered | inquam | CC BY-SA 3.0 | |