Why Are Websites So Careless With User Passwords?

It seems like every week I am hearing news of another website’s database of their user’s plain text or poorly hashed passwords being compromised and it makes my stomach turn every time. I don’t understand how modern websites can still be so careless with user passwords.

It is 2012 web development is an old enough profession now that there is a list of accepted best practises and “lessons learned”, especially around user data and security. Developers should be well aware of the dangers of the web and the fact that Apache, MySQL, PHP and most other technologies we use to power our web servers and websites can be exploited in ways we don’t anticipate.

I am shocked that so many sites aren’t doing something – anything – to protect user passwords and sensitive data. Applying some degree of security to user passwords is so easy to do in PHP (and I would imagine in any other language as well) that it should be mandatory for every web developer. Sure there is a small computational overhead to properly hashing and salting passwords before storing them but this should be seen as a cost of doing business online, just as paying to keep your servers up is. For most websites the computational cost won’t be noticeable.

I’ve heard a few developers who say that the concern around password breaches is as much the fault of a user for not using a secure password as it is for the developer who didn’t secure them properly. I partly agree with this statement. Yes, users should use a secure password, but the fact of the matter is that they don’t. No matter what we do or how nicely we ask them, the vast majority of our users will use crappy passwords which means we need to work twice as hard to secure the passwords for them.

In the end, it comes down to one simple fact. If your website’s data gets stolen, it is you who will have to admit to your users that you didn’t value their info enough to keep it secure, and it is you who will have to deal with the loss of trust from your users. Nobody needs that headache. Luckily the so solution is simple – implement some kind of data security measures now! Why are you still here reading this? If your user data is insecure bust out your favourite IDE and get to work!

Within the next few weeks, I’ll be publishing my simple solution to password security that I call “Three Layer Password Pie”. It is a system that is so simple to use that there is no reason for any web developer not to implement it into their website!