Should we outsource identity management

By Steve Jones,

One of the first things many people build when developing a web application today is a login/identity system for their users. It lets them identify people, customize features and functions, and separate the different classes of users from each other. However, many developers don't really understand good, secure design, much less encryption, and end up "storing passwords hair kari in unsecured databases", a quote from this piece on password security.

I'd hope that most developers know passwords should never be stored in the clear but only as a one-way digest (and, done properly, salted per user and computed with a deliberately slow function such as bcrypt, scrypt or PBKDF2, so a leaked table can't be reversed from a precomputed list). But that's like assuming most developers understand SQL injection. It isn't true, and it probably never will be. Even if we had minimum standards, plenty of developers would ignore them and plow forward with the arrogance that their custom method is better implemented, and more secure, than any standard.

Passwords and password security are hard. I'd hope that most people would be looking to move to passphrases instead of passwords, but I don't see that recommendation being widely disseminated in the world. I recently rebuilt a computer, requiring my kids to set up new credentials, and my recommendation was a simple phrase they can remember with a number. I was hoping it would serve the dual purpose of instilling good security habits as well as improving their typing skills. We'll see if it helps.

With large rainbow tables (which an unsalted hash does nothing to resist), creative social engineering, and poor application security, it's even more important now that we use passphrases, and beyond that adopt better identity frameworks for applications rather than hand-rolled login tables. Personally I liked the Passport system Microsoft had, and I like OAuth even better (strictly a delegated-authorization protocol, but the basis on which identity providers now offer login). Perhaps we can get more of these systems built into reference applications and frameworks, as the default way of managing identity.
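The two schemes side by side, as an added example covering both the storage point made earlier (plain digest versus salted slow hash) and the rainbow-table point in this paragraph. This is illustration code written for this edit, not anything from the editorial or from SQLServerCentral. The password list and the dictionary standing in for a precomputed table are constructed here, and the PBKDF2 iteration count is an assumption to be tuned per deployment.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed sample: a tiny dictionary standing in for the large precomputed
# (rainbow) tables the editorial mentions. Real tables hold billions of
# entries; the principle is the same.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "Summer2012"]
PRECOMPUTED_SHA256 = {
    hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS
}

# Assumption: pick an iteration count that costs roughly 100 ms on the
# server hardware actually used; this is a placeholder, not a recommendation.
PBKDF2_ITERATIONS = 600_000


def store_naive(password: str) -> str:
    """The weak scheme: an unsalted, fast digest.

    Two users with the same password get the same hash, and a leaked hash is
    inverted by a single dictionary lookup with no hashing work at all.
    """
    return hashlib.sha256(password.encode()).hexdigest()


def crack_naive(stored_hash: str) -> Optional[str]:
    """Attack on the weak scheme: look the hash up in the precomputed table."""
    return PRECOMPUTED_SHA256.get(stored_hash)


def store_hardened(password: str, salt: Optional[bytes] = None) -> str:
    """The corrected scheme: a random per-user salt plus a deliberately slow
    iterated KDF (PBKDF2-HMAC-SHA256 from the standard library; bcrypt, scrypt
    or Argon2 are the usual alternatives). Stored as algo$iters$salt$digest so
    the parameters can be raised later without breaking existing records.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def _parse(stored: str) -> Tuple[bytes, int, bytes]:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    return bytes.fromhex(salt_hex), int(iters), bytes.fromhex(dk_hex)


def verify_hardened(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant
    time so the check itself does not leak how many bytes matched."""
    salt, iters, expected = _parse(stored)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(dk, expected)


def crack_hardened(stored: str) -> Optional[str]:
    """The precomputed table is useless against the hardened record: the salt
    was unknown when the table was built, so no entry can match."""
    _, _, dk = _parse(stored)
    return PRECOMPUTED_SHA256.get(dk.hex())


def guess_hardened(stored: str, candidates: List[str]) -> Tuple[Optional[str], int]:
    """What the attacker is left with: online guessing, one full KDF run per
    candidate per user. Returns the recovered password (if any) and the number
    of KDF evaluations it cost, to make the time-cost argument concrete."""
    salt, iters, expected = _parse(stored)
    for n, guess in enumerate(candidates, start=1):
        if hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iters), expected):
            return guess, n
    return None, len(candidates)


if __name__ == "__main__":
    weak = store_naive("letmein")
    print("naive record:", weak, "-> cracked by lookup:", crack_naive(weak))
    strong = store_hardened("letmein")
    print("hardened record:", strong)
    print("lookup against hardened record:", crack_hardened(strong))
    print("online guessing against hardened record:", guess_hardened(strong, COMMON_PASSWORDS))
    print("verify correct / wrong password:", verify_hardened("letmein", strong), verify_hardened("letmeout", strong))
```

The lookup against the naive record costs the attacker nothing; against the hardened record the same list must be pushed through the slow KDF separately for every user, which is the whole point of the salt and the iteration count. The record format carries its own parameters so the iteration count can be raised as hardware improves.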

That's the easy part. Convincing developers that they can't manage identity better themselves is probably the hard part, and I would love to see some good ideas for that.

Steve Jones
