undefined | Better HN

0 pointscosmodisk5y ago0 comments

I thin theyve been big enough long enough to have a guy or two who could look at the functionality or even the codebase and say: ' hold on a minute,how on earth we are doing this'.

0 comments

3 comments · 1 top-level

nitrogen5y ago· 2 in thread

It's pretty freaking hard to convince a PM to care about security. For that matter it's pretty hard to convince most engineers, let alone companies, even after a hack. Imagine yourself talking to the general counsel after an elasticsearch db gets hacked about ethical obligations to make customers whole. Then imagine that GC saying literally "ethics? It's not like we're building bridges here".

ziddoap5y ago

If a website stores passwords in cleartext instead of hashes, would you have the same response?

This isn't fancy stuff. This doesn't require tens of thousands of dollars in code-audits or pentests to come to light. It's literally the absolute basics of password management. There should be no need to "convince a PM".

Rate limiting, not silently truncating passwords, not setting an extremely low and arbitrary maximum on password length... All of this stuff is as basic as hashing a password.

nitrogen5y ago

I'm saying I've been in exactly that position in many companies. Spent all of my social capital to get password hashes fixed, or a hacked DB audited, or circuit breakers, or rate limits, alerts, admin and monitoring tools, etc. It's really easy to preach here on HN. Saying it's an uphill battle "out there" is a drastic understatement.

1 more reply

j / k navigate · click thread line to collapse