SQLServerCentral is supported by Redgate

Should we outsource identity management

By Steve Jones

One of the first things many people build when they're developing a web application these days is a login/identity system for their users. This allows them to identify people, customize the features and functions, and separate the different classes of users from each other. However, many developers don't really understand good, secure design, much less encryption, and end up "storing passwords hair kari in unsecured databases", a quote from this piece on password security.

I'd hope that most developers know that passwords should be stored in digest (one-way hash) form, but that's like assuming most developers understand the issues with SQL Injection. It isn't true, and it's not likely to ever be true. Even if we had minimum standards, plenty of developers would ignore them and plow forward with the arrogance that their custom method is better implemented, and more secure, than any standard.

Passwords and password security are hard. I'd hope that most people would be looking to move to passphrases instead of passwords, but I don't see the recommendations being widely disseminated in the world. I recently rebuilt a computer, requiring my kids to implement new credentials, and my recommendation was a simple phrase they can remember with a number. I was hoping it would serve the dual purpose of instilling good security habits as well as improving their typing skills. We'll see if it helps.

With large rainbow tables, creative social engineering, and poor application security, it's even more important now that we use passphrases, and that we develop better identity frameworks for applications. Personally, I liked the Passport system Microsoft had, and I like the OAuth system even better. Perhaps we can get more of these frameworks implemented in reference applications and frameworks, as a default way of managing identity systems.
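The two points above, that passwords belong in a one-way digest and that rainbow tables defeat a bare digest, are easy to see side by side in code. The following is an added example, not code from the editorial or from SQLServerCentral: it stores a password as a salted, iterated PBKDF2-SHA256 record and verifies it with a constant-time comparison, and contrasts that with an unsalted SHA-256 digest, which is deterministic and therefore reversible by a precomputed table. The record format and the iteration count are assumptions chosen for the demo.

```python
# Added example (not from the editorial): salted, iterated password digests
# versus a bare one-way hash that rainbow tables can reverse.
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed iteration count for this demo; pick production values from
# current guidance for the KDF you use.
PBKDF2_ITERATIONS = 200_000


def unsalted_digest(password: str) -> str:
    """A bare one-way hash. It is deterministic, so every user with the same
    password gets the same digest, and a precomputed (rainbow) table of
    common passwords maps the digest straight back to the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Build a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random per-user salt means identical passwords produce different
    records, so a single precomputed table no longer applies to every user,
    and the iteration count makes each guess expensive."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_same_digest(password: str) -> Tuple[bool, bool]:
    """Return (unsalted_collides, salted_collides) for two users sharing a
    password: the bare digest collides, the salted record does not."""
    unsalted_collides = unsalted_digest(password) == unsalted_digest(password)
    salted_collides = make_record(password) == make_record(password)
    return unsalted_collides, salted_collides


if __name__ == "__main__":
    # Constructed sample passphrase, in the spirit of the editorial's advice.
    record = make_record("correct horse battery staple")
    print(record)
    print(verify("correct horse battery staple", record))  # True
    print(same_password_same_digest("hunter2"))             # (True, False)
```

The record carries its own salt and iteration count, so the parameters can be raised later without invalidating existing rows: old records still verify, and can be re-hashed at the user's next successful login.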

That's the easy part; convincing developers they can't manage identity better themselves is probably the hard part, and I would love to see some good ideas for that.

Steve Jones
