I wish to call "storing your password in plain text inside a database" a poor practice... but our customer did this in the application. They need me to resume that application.

My point: I wish to change this... but as it is not an excuse for our customer, it's still unclear.

How can you handle such issues regarding security? From my perspective it is not easy to describe such issues to clients.

I believe "bad practice" is definitely an understatement. "Irresponsible" is much more accurate.

If it's worth safeguarding with a password, it's worth doing the work correctly. Storing passwords in plain text is definitely an embarrassing security breach waiting to happen.

If "security" is anywhere in your client's wishes (which we assume it is, since there are passwords), they have implicitly requested a good security system, including proper handling of passwords. They might not ask for "passwords being stored safely" (hashed and salted) because they are not professionals; that is what they hired you for.

Write a brief, clear and jargon-free formal letter stating your concerns and concluding that, in your professional opinion, it ought to be fixed. Address it to someone reasonably high up within the customer's organisation.

If they then decide to ignore your advice, that's their prerogative.

(Keep a copy of the letter yourself, too.)

If you can, a live demonstration is effective. Ask the customer to create an account with a password (not the password they normally use). Go into the database and retrieve it, and explain that anybody who can access the database (either by permission, or through a security breach) can simply go and do that.

The best reason never to keep passwords in plain text is a legal one.

There are laws, such as the Data Protection Act in the United Kingdom, which state that reasonable efforts must be made to keep sensitive data secure. Storing passwords in plain text will clearly violate this, and as a result potentially void any indemnity insurance you have in the event of a security breach. This could leave you open to a sizeable liability suit if you don't take this simple measure.

When it comes to businessmen, you always have to talk in terms of their pockets, and point out that an hour's work to hash the passwords and change the login will cost them a small amount compared to the potential cost if something went badly wrong.

It might also be worth noting that when someone has developed a system as fundamentally flawed as this, the probability of there being another error that could expose sensitive data like this is greatly higher.

On top of that, as others mentioned, a live demonstration is good. Take a random staff member's password from the database and try it against the others; you won't need to try many before you're in.
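As an added example (not code from any answer in this thread), here is what the "hashed and salted" storage recommended in the first answer looks like next to the plaintext table the question describes, and why the password-reuse demonstration in the last answer stops working once each password gets its own salt. The usernames, passwords, storage format and PBKDF2 iteration count are all constructed for the example; a real migration would also force users to change any password that had been sitting in plain text.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# PBKDF2-HMAC-SHA256 with a per-user random salt. The iteration count is an
# assumption for this example; pick the highest value your login latency allows.
ITERATIONS = 600_000
SALT_BYTES = 16

# The "before": a plaintext store like the one in the question.
# Constructed sample data, not taken from any real system.
PLAINTEXT_USERS: Dict[str, str] = {
    "alice": "Winter2024!",
    "bob": "Winter2024!",   # reuses alice's password: obvious to anyone reading the table
    "carol": "correct horse battery staple",
}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$hash_hex.

    Storing the parameters alongside the hash lets the iteration count be
    raised later without invalidating existing records.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt/iterations and compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unknown password scheme: {scheme}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def migrate(plaintext_users: Dict[str, str]) -> Dict[str, str]:
    """One-off migration of a plaintext table to salted hashes."""
    return {user: hash_password(pw) for user, pw in plaintext_users.items()}


def reuse_visible(store: Dict[str, str]) -> bool:
    """True if two rows hold identical stored values.

    For a plaintext table this exposes every shared password at a glance; with
    per-user salts the same password produces different records, so the
    'try one staff password against the others' trick needs the real password.
    """
    values = list(store.values())
    return len(values) != len(set(values))


if __name__ == "__main__":
    print("reuse visible in plaintext table:", reuse_visible(PLAINTEXT_USERS))
    hashed = migrate(PLAINTEXT_USERS)
    print("reuse visible after hashing:", reuse_visible(hashed))
    print("alice logs in:", verify_password("Winter2024!", hashed["alice"]))
    print("wrong password:", verify_password("winter2024!", hashed["alice"]))
```

The salt does not stop an attacker who has the table from guessing weak passwords offline; that is what the iteration count is for. What it does stop is the cheap correlation shown above, where one leaked row gives away every other account using the same password.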