Sigh.
I get that it's a prioritization issue. I've worked at places where legacy software had poor security practices and it's often a judgment call as to the risk of just letting it be vs. taking the time to rewrite whatever insecure portion remained. Often the decision is to leave it when it's a one-off project that will be shut down within a month, there is a limited attack surface involved, and the data being stored insecurely is very low value. On the other hand, security issues affecting the very core of a website (the login system that 100% of a company's revenue depends on) should get addressed as soon as the vulnerability is discovered. Additionally, they state that a server was compromised... it's not clear whether this was a SQL injection exploit that happened to display the users table remotely with no privilege escalation, or whether the server was compromised via a poorly chosen SSH password or similar and they may be dealing with a situation where rogue code is still living on one or more servers.
Salting prevents effective use of rainbow tables. It does not protect against brute force attacks, which are now incredibly cheap.
Individually salting passwords was best practice internet eons ago, not now.
Best practice is to use a work-adjustable scheme such as provided by bcrypt.
I would also recommend that they use this opportunity to teach their web developing users about proper password storage, but after reading their php hashing tutorial[1], I think it's best if their users look elsewhere. The tutorial eventually recommends bcrypt after listing multiple unsafe solutions. I understand that the author is trying to build up to the solution, but the correct solution needs to be in the first paragraph. The incorrect solutions need to be clearly flagged so a beginner skimming through doesn't see "md5" and stop.
[1] http://net.tutsplus.com/tutorials/php/understanding-hash-fun...
Users have to have some level of trust. Like everything else in life.
There is no real disadvantage to saying which one and a lot of trust to regain.
How is it not? There is NO excuse for storing passwords in plaintext, on any production site. From what I've read, they had this system in place for a while, and planned "to get around to" switching to a more secure password storage method eventually.
Sadly, it looks like a massive security breach was the catalyst they needed to realize that you can't put issues like user password security on the backburner.
Now, we get the same reactive "we're sorry, we should have known better" from the tuts+ leadership, and a promise that things will be better in the future. Why does it always take a humiliating security breach for companies like this to realize just how important user security, and by extension, your users' trust, really is?
We already know they didn't write it, but we don't have enough other information to make any other judgements (and the blog post at least implies the above may have happened).
In the previous blog post:
> Our current Tuts+ Premium app makes use of a third party plugin that unfortunately stores passwords in cleartext (i.e. unencrypted).
The previous post sounded like they were too lazy to change the authentication system to a more secure one. But they now said they had a "heavily modified system".
> I’d like to take a moment to be clear that this wasn’t a failure of, or a reflection of, the professionalism and integrity of our development or Tuts+ teams.
I think any capable developer should find it easier to add BCrypt into the password field than the heavy modifications. Once they are familiar enough with the plugin (for heavy modifications), it shouldn't take more than a day to make it secure.
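Both the point made earlier in the thread (salting stops rainbow tables but not brute force; use a work-adjustable scheme) and this comment's point (converting an existing plugin's password column is a small job) in working code. This is an added example and not code from Tuts+, Envato, or the plugin they mention. Python's standard library has no bcrypt, so PBKDF2-HMAC-SHA256 via `hashlib.pbkdf2_hmac` stands in for it; like bcrypt it carries a per-password salt and a tunable cost. The user records, the salt used in the brute-force demo, and the tiny dictionary are constructed for the example.

```python
"""Unsalted md5 vs. salted sha256 vs. a work-adjustable KDF, plus migration
of a cleartext store.  Added example; PBKDF2 stands in for bcrypt because
bcrypt is not in the standard library.  All data below is constructed."""
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional, Tuple

# Current cost.  Raise it over time; verify_password() reports when a stored
# record was made with a lower cost so it can be rehashed at the next login.
PBKDF2_ITERATIONS = 200_000
SMALL_DICTIONARY = ["123456", "password", "letmein", "qwerty", "hunter2"]


def md5_unsalted(password: str) -> str:
    """What the unsafe tutorial-style code does: one hash per password, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def sha256_salted(password: str, salt: bytes) -> str:
    """Salted but fast: defeats precomputed tables, not brute force."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> Tuple[bool, bool]:
    """Return (matches, needs_rehash).  needs_rehash is True when the stored
    cost is below PBKDF2_ITERATIONS, so the caller can upgrade after a login."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    iters = int(iterations)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), iters)
    ok = hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    return ok, ok and iters < PBKDF2_ITERATIONS


def rainbow_lookup(md5_hex: str) -> Optional[str]:
    """A precomputed table is just hash -> password.  It works only because
    every site hashing 'hunter2' unsalted produces the same md5."""
    table = {md5_unsalted(p): p for p in SMALL_DICTIONARY}
    return table.get(md5_hex)


def brute_force_salted(target_hex: str, salt: bytes) -> Tuple[Optional[str], int]:
    """The salt is stored beside the hash, so the attacker has it.  The table
    is useless, but each guess costs one sha256.  Returns (password, guesses)."""
    for n, guess in enumerate(SMALL_DICTIONARY, 1):
        if hmac.compare_digest(sha256_salted(guess, salt), target_hex):
            return guess, n
    return None, len(SMALL_DICTIONARY)


def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Rough measure of how many guesses per second a hash function allows here."""
    count, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_fn("guess%d" % count)
        count += 1
    return count / seconds


def migrate_cleartext_store(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """The thread's case: cleartext passwords.  Unlike an md5 store, a cleartext
    store can be converted in one pass right now and the plaintext column
    dropped; there is no need to wait for each user to log in."""
    return [{"user": r["user"], "pw": hash_password(r["cleartext"])} for r in rows]


def login(store: List[Dict[str, str]], user: str, password: str) -> bool:
    """Verify against the migrated store; bump the cost if it has been raised."""
    for row in store:
        if row["user"] == user:
            ok, needs_rehash = verify_password(password, row["pw"])
            if ok and needs_rehash:
                row["pw"] = hash_password(password)
            return ok
    return False


if __name__ == "__main__":
    print("unsalted md5 table hit:", rainbow_lookup(md5_unsalted("hunter2")))
    salt = os.urandom(16)
    print("salted sha256 brute forced:", brute_force_salted(sha256_salted("letmein", salt), salt))
    print("md5 guesses/s:   %.0f" % guesses_per_second(md5_unsalted))
    print("pbkdf2 guesses/s: %.1f" % guesses_per_second(hash_password))
```

The record format stores the iteration count next to the salt, which is what makes the scheme "work-adjustable": raising `PBKDF2_ITERATIONS` changes nothing for existing rows until each user next logs in, at which point `login()` silently rehashes. The timing function is only there to make the brute-force argument concrete on whatever machine you run it on; the gap between the md5 and PBKDF2 rates is the whole point of the scheme.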
Not saying it's right for them to not take security as seriously as they should have, but unlike a lot of other companies, they disclosed it immediately, came up with a game plan, apologized multiple times and are refunding users and offering others free stuff.
I've changed my password on the other envato services I use as a just in case and I still plan on using them in the future. They've always put together great and in-depth tutorials and are a great resource for beginners, hackers and experts.