My app doesn’t need secure passwords
Users need to log in, but they can’t really do anything dangerous using your platform. Everything has to be vetted by account managers — and there is no personal information accessible, so I can just store plain text passwords.
It’s so much easier this way.
It is — until your platform is exposed and your users are serving legal documents claiming losses.
Why should passwords be secure?
If you have been on the Internet for more than ten minutes — you know that you should use a different password for every platform. There is an abundance of solutions to help you in this noble effort, from LastPass to Enpass.
As the I.T. professional you are, all your passwords are unique — but many, many users' are not. Some make an effort across a few sites and others at least keep banking and email passwords separate.
As a provider — you have no idea what your users do, and you can’t enforce anything. You know this, they know this — and the courts know this.
The responsibility lies with you, the platform provider, to ensure that passwords are secure and can’t be exposed.
What are the risks?
Hackers have a heap of options open to them once they get access to your user data. Name, email addresses, physical location — and password. Is the address @gmail.com? Great, try the password there!
Beyond the elementary — the known password for your platform could be used as a seed for a password generator, giving insight into the formatting this particular user applies to their passwords. Is it a word, then two numbers and some sort of punctuation? Great, no more need to guess random strings!
Your entire platform is now exposed. Sure, your user data has already leaked — but now somebody can log in to your platform as every user in that list.
How should a password be stored?
Seriously, there are a heap of great sites with an abundance of information — from recommended ways to encrypt data, to the use of salts.
I will tell you what not to do with passwords though:
Never in plain text; and
Never in an email.