Is it just me, or is it very distressing, when you set a password on a site, to be told that your password has a maximum length? And even more distressing when you can retrieve that password, in plaintext, from the same site?

Unfortunately UCAS, which handles all applications to universities in the UK, operates exactly this kind of password policy. I am shocked and appalled that they are storing my password in plaintext in their database rather than using a hashing algorithm of some description (for instance MD5). It is not even difficult: in PHP, all you need do is call the md5() function. It may even make your database faster, because an MD5 hash is always 32 characters, so the column it is stored in can be a fixed-length field, which makes for faster lookups.
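As an added illustration (not code from this post or from UCAS), here is the contrast the post draws, written in Python with hashlib rather than PHP: the unsalted MD5 digest it suggests, beside a salted, iterated PBKDF2 hash that a site can check at login without ever holding the plaintext. It goes one step beyond the post by showing why the salt matters: two accounts with the same password get identical MD5 values but different PBKDF2 values. The storage format, iteration count and sample passwords are assumptions constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Assumption: iteration count chosen for the demo, not a recommendation.
PBKDF2_ITERATIONS = 200_000


def md5_store(password: str) -> str:
    """The post's suggestion: an unsalted MD5 digest, always 32 hex chars."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_store(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash; a fresh random salt per account.
    Storage format (assumption): 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Login check: recompute from the stored salt and compare in constant time.
    The site only ever needs a yes/no answer, so the plaintext is not retrievable."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_collides(store: Callable[[str], str], password: str) -> bool:
    """True when two accounts sharing a password get the same stored value.
    Unsalted MD5 always collides this way; a salted hash does not."""
    return store(password) == store(password)


if __name__ == "__main__":
    # Constructed sample password, not real data.
    record = pbkdf2_store("correct horse battery staple")
    print("md5 length:", len(md5_store("correct horse battery staple")))
    print("login ok:", pbkdf2_verify("correct horse battery staple", record))
    print("md5 collides:", same_password_collides(md5_store, "hunter2"))
    print("pbkdf2 collides:", same_password_collides(pbkdf2_store, "hunter2"))
```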

So please, UCAS, wake up and smell the security leak before it's too late. You're gambling with young people's futures here.



Posted on Fri 09 Jan 2009 12:00:52 am
