by Karunamon 2992 days ago
Ehh... how many instances of unsanitized input leading to RCE were due to the subtleties of the interpreter, and how many are the result of people blithely passing user input into the interpreter, not using the sanitation functions available in most mainstream languages (in many cases, in the standard library)?

If getting people to do this is impossible, so is getting people to stop storing passwords in plaintext.


> If getting people to do this is impossible, so is getting people to stop storing passwords in plaintext.

This may very well be the case, though. You may get most people to know that storing passwords in plaintext is not a great idea (tm), but there will always be people ignoring that, be it due to downright ignorance or external factors.

I can envision some non-technical person in an organisation prescribing to IT that a new user password cannot look like one of the user's old passwords, where "look like" actually means something like an edit distance of <=2. Since the secure way of implementing this is looping over all possible passwords close to the one the user entered now, hashing them all and comparing them to a list of past hashes (which is quite resource-intensive, which costs money), I bet there will be people that will give in and just store the last few passwords in plaintext. Maybe they'll encrypt them, but they'll be there.
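The hash-only approach the comment describes, as an added example (not the commenter's code): every string within Levenshtein distance k of the new password is generated and re-hashed under each stored record's salt, so the server never needs old plaintexts. It assumes a constructed reduced alphabet and salted PBKDF2 as a stand-in for the real password KDF; the function names are hypothetical.

```python
import hashlib
import os
import string

# Constructed demo alphabet: lowercase + digits keeps candidate counts small.
# A real policy needs the full printable set, which multiplies the cost.
ALPHABET = string.ascii_lowercase + string.digits
PBKDF2_ROUNDS = 1000  # deliberately low for the demo; production uses far more


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for whatever slow KDF stores the history."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_history(old_passwords, salt: bytes = None) -> list:
    """Store only (salt, hash) pairs for past passwords; the plaintexts are discarded."""
    salt = salt or os.urandom(16)
    return [(salt, hash_password(pw, salt)) for pw in old_passwords]


def edit_neighbors(word: str, alphabet: str = ALPHABET) -> set:
    """All strings at Levenshtein distance exactly 1 from word (insert/delete/substitute)."""
    out = set()
    for i in range(len(word) + 1):
        for c in alphabet:
            out.add(word[:i] + c + word[i:])                  # insertion
        if i < len(word):
            out.add(word[:i] + word[i + 1:])                  # deletion
            for c in alphabet:
                if c != word[i]:
                    out.add(word[:i] + c + word[i + 1:])      # substitution
    return out


def candidates_within(word: str, k: int) -> set:
    """Every string within Levenshtein distance <= k of word, via k rounds of expansion.
    The set grows roughly as (len(word) * len(alphabet)) ** k, which is the cost blow-up."""
    found, frontier = {word}, {word}
    for _ in range(k):
        frontier = set().union(*(edit_neighbors(w) for w in frontier)) - found
        found |= frontier
    return found


def resembles_old_password(new_pw: str, history: list, k: int = 1) -> bool:
    """True if any candidate near new_pw hashes to a stored record.
    Cost is len(candidates) * len(history) KDF calls, since each record has its own salt."""
    cands = candidates_within(new_pw, k)
    return any(hash_password(c, salt) == digest for salt, digest in history for c in cands)
```

Raising k to 2 on a 12-character password already pushes the candidate set into the hundreds of thousands, which is the expense the comment refers to.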