Friday, June 08, 2012

LinkedIn, eHarmony, and Last.FM hacked - How to not be the next victim

If you have been following the news lately, you know that business social media giant LinkedIn, the popular dating site eHarmony, and the used-to-be-popular-before-the-merger music site Last.FM were hacked and part or all of their databases were stolen and passwords cracked. This is what happens if you are a beginning programmer who writes a login system. These sites were mentioned in the news because they are larger data breaches, but there are thousands of compromised sites every day that you don't hear about.

Don't be next. Instead of authoring a login system, you should be using a product written by someone who has spent the time researching industry best-practices and carefully and painstakingly crafted each aspect of a modern login system.

http://barebonescms.com/documentation/sso/

That is an enterprise-grade, Single Sign-On system (written in PHP, but the client is portable to other languages). I'd mention other products but, as of the time of this writing, they simply don't exist. That's right, other than the above piece of software, no one to date has developed a solid self-hosted login system that other people can use in their software applications. I scoured Google, SourceForge, Google Code, and GitHub before and after developing this product and came up empty-handed. There are some libraries (OpenID, OAuth, and HybridAuth) but they effectively require writing a login system - again, nothing prepackaged. There are also cheesy little scripts here and there and everywhere but they are all badly broken security-wise - written by newbie programmers, not industry veterans - and are therefore code you shouldn't even touch.

We've been doing dynamic website development for what? Fifteen years? So, roughly 15 years of web development have passed and there is absolutely NOTHING, NADA, ZIP, ZILCH filling this remarkably vacant space. Surprised? I'm not - because writing a login system is a "rite of passage" (or something like that) for each web programmer out there. This practice needs to stop right now because it is the source of the problem. The security breaches of the last couple years should be a massive wake-up call for the entire industry to put together legitimate solutions to this serious security problem. I've got the first and currently only product and that's just...so incredibly pathetic.

Writing a login system is a fine exercise for a programmer, but don't use it in a production environment - there is a VERY good chance you will miss something critical. A login system is generally a website's primary security mechanism. If it is flawed, then there are serious problems with the entire website. Leave writing login systems to those who know what they are doing and use prepackaged solutions wherever possible. And by "wherever possible", I mean "everywhere".
