My app doesn’t need secure passwords

Users need to log in, but they can’t really do anything dangerous using your platform. Everything has to be vetted by account managers — and there is no personal information accessible, so I can just store plain text passwords.

It’s so much easier this way.

It is — until your platform is exposed and your users are serving legal documents claiming losses.

Why should passwords be secure?

If you have been on the Internet for more than ten minutes — you know that you should use a different password for every platform. There is an abundance of solutions to help you in this noble effort, from LastPass to Enpass.

Generating a secure password on LastPass

As the I.T. professional you are, all your passwords are unique — but many, many users are not. Some make an effort across a few sites and others at least keep banking and email passwords separate.

As a provider — you have no idea what your users do, and you can’t enforce anything. You know this, they know this — and the courts know this.

The responsibility lies with you, the platform provider, to ensure that passwords are stored securely and can’t be exposed.

What are the risks?

Hackers have a heap of options open to them once they get access to your user data. Name, email addresses, physical location — and password. Is the address Great, try the password there!

Beyond the elementary — the known password for your platform could be used as a seed for a password generator, giving insight into the format this particular user applies to their passwords. Is it a word, then two numbers and some sort of punctuation? Great, no more need to guess random strings!

Your entire platform is now exposed. Sure, your user data has already leaked — but now somebody can log in to your platform as every user in that list.

How should a password be stored?

Search Google.

Seriously, there are a heap of great sites with an abundance of information — from recommended ways to encrypt data, to the use of salts.

I will tell you what not to do with passwords though:

Never in plain text; and
Never in an email.
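To make the "what to do instead" concrete, here is an added example (not code from the original post) that puts the plain-text approach the post argues against beside a salted, deliberately slow password hash. It uses only the Python standard library: PBKDF2-HMAC-SHA256 from hashlib, a per-user random salt from os.urandom, and a constant-time comparison from hmac. The iteration count and the record format (algorithm$iterations$salt$hash) are assumptions made for this example; consult current guidance for the right cost on your hardware.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example. Iterations is the "slowness" knob:
# raise it as hardware gets faster. The salt must be random and per user.
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def store_plaintext(password: str) -> str:
    """The approach the post argues against: the stored record IS the password.
    Anyone who reads the user table can log in as every user, and can reuse
    the password on other sites."""
    return password


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$hash.

    Storing the parameters with the hash lets you raise the cost later
    without invalidating existing accounts. Salt and hash are base64."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every record
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                 salt, iterations)
    return "$".join([
        "pbkdf2_" + HASH_NAME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare
    in constant time, so timing does not leak how many bytes matched."""
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algo != "pbkdf2_" + HASH_NAME:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                    salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def same_password_different_records(password: str) -> bool:
    """Two users who pick the same password get different stored records,
    so a leaked table does not reveal who shares a password and cannot be
    attacked with one precomputed table for everyone."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # Constructed sample credential, not real user data.
    pw = "correct horse battery staple"
    print("plain text record :", store_plaintext(pw))
    record = hash_password(pw)
    print("hashed record     :", record)
    print("right password    :", verify_password(pw, record))
    print("wrong password    :", verify_password(pw + "!", record))
    print("two users, same pw, different records:",
          same_password_different_records("hunter2"))
```

The stored record never contains the password, so a dump of the user table gives an attacker nothing to reuse elsewhere; the per-user salt means even two users with the same password produce unrelated records; and the high iteration count makes each guess expensive. Verification cost is paid once per login, which users never notice, but an offline guessing run pays it for every candidate.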