
Comment Re:Negative (Score 1) 549

The first thing I learned about storing passwords is that you use a salted hash, which is impossible to decrypt back into plaintext. Am I missing something, or is this practice not standard practically everywhere now?

Apparently you are missing something because while common practice, it's not ubiquitous. And like all common practices, it gets spoken of less and less until new developers reinvent the wheel and decide they want passwords in plain text to make password recovery 'easier' ("click on the http link in your email and you'll see your password!")

It's been many years since I've seen that done anywhere.

Comment Re:Negative (Score 1) 549

DECRYPTING PASSWORDS

To decrypt the password of a user, the attacker has first to have access to the password storage. At which point the first and most critical security failure has already occurred. And the user had nothing to do with it.

When it comes to decrypting a password, the algorithm used is more important than the complexity of the password. If the service provider has not done his homework, complex passwords offer only little protection. [...] I want to point out that the safety of the encrypted password is not the responsibility of the user.

The first thing I learned about storing passwords is that you use a salted hash, which is impossible to decrypt back into plaintext. Am I missing something, or is this practice not standard practically everywhere now?
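A worked example of the point both "Re:Negative" comments above are making (this is an added illustration, not code from either commenter or from any project): a leaked database of fast, unsalted hashes falls to a precomputed lookup table, while a per-user salt plus a slow KDF forces the attacker to redo the expensive derivation for every guess against every user. The record format, the iteration count (the 2023 OWASP figure for PBKDF2-HMAC-SHA256) and the wordlist are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample data for this example: a small wordlist the attacker
# already holds, containing the victim's password.
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon"]

# Assumption: OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256; tune to
# whatever per-login cost the deployment can afford.
DEFAULT_ITERATIONS = 600_000


def unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast, unsalted hash per password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """The hardened scheme: random per-user salt plus PBKDF2-HMAC-SHA256.

    The stored record is self-describing (hypothetical format, not a real
    library's) so the iteration count can be raised later without
    invalidating existing users.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iterations; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def build_lookup_table(wordlist) -> Dict[str, str]:
    """Precompute unsalted hashes once; reusable against every leaked database."""
    return {unsalted_sha256(w): w for w in wordlist}


def crack_unsalted(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Against an unsalted fast hash, recovery is a single dictionary lookup."""
    return table.get(stored_hash)


def crack_salted(record: str, wordlist) -> Tuple[Optional[str], int]:
    """Against a salted slow KDF nothing can be precomputed: each guess must be
    re-derived with this user's own salt and iteration count.  Returns the
    recovered password (or None) and the number of KDF evaluations spent.
    """
    kdf_calls = 0
    for guess in wordlist:
        kdf_calls += 1
        if verify_password(guess, record):
            return guess, kdf_calls
    return None, kdf_calls


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted sha256('letmein') cracks to:",
          crack_unsalted(unsalted_sha256("letmein"), table))
    record = hash_password("letmein")
    print("salted record:", record)
    print("same password, fresh salt, different record:",
          hash_password("letmein") != record)
    print("dictionary attack on the salted record:", crack_salted(record, WORDLIST))
```

The salt does not make a weak password strong: "letmein" is still found after three guesses. What it removes is the shared table, so the attacker pays the full KDF cost per guess per user, which is exactly why the algorithm choice matters more than the user's password complexity once the database has leaked.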

Comment CSS should have been a product, not a standard (Score 1) 180

The web should have been given a low-level, machine readable standard which human-friendly formats and tools could have formed and evolved around. Sure we'd still have markup and CSS and script, but you can bet your ass applications wouldn't have been built on that crap. We are easily 10 years behind where we could have been because of a poor choice of level of abstraction.

Comment Re:All well and good (Score 1) 61

I don't think that's a good argument that nobody can be required to take responsibility.

By law, C-level execs are required to 'sign off' on a lot of important things, which puts them on the hook for X (regardless of claims of ignorance) because it is a statement that they have checked, with due diligence, the legality of X.

It would be relatively straightforward to add to that list a little.

For best effect, there should be a rider that wrongdoing past a certain scale automatically gets all compensation paid to the exec, to date, doubly seized - seized from the exec (spent or not), and seized from the business.

Comment Re:Beta? (Score 1) 204

Dealing With an Unresponsive Manufacturer Who Doesn't Fix Bugs?

Dunno, it's a good question. But I'm sure that someone at slashdot can answer it with the same reasoning that they use to still be apparently trying to roll out the beta design, despite the fact that some of its own users (customers???) have in their sig, "FUCK BETA".

The users are the product, not the customer.

Comment Re:Valve Time (Score 1) 93

As a matter of fact, does anyone know why Steam does not prominently feature Metacritic ratings anymore? Those really helped me choose games that I wanted...

Maybe because games are given very high ratings that completely ignore the PC, even when these ratings are supposed to be for the PC versions?

I don't know about you, but when I see a AAA PC game also has a console version, I just stop right there and don't buy it, no matter what the ratings are.

Comment Re:Compiled Strongly-typed Languages -vs- Scripts (Score 1) 165

I think the test-driven advocates would say that relying on the compiler is OK for that one particular kind of error, but you really should be writing tests to catch that kind of error along with many others.

The reality is probably, as you kind of imply, sometimes you have a task that is more suited to one approach or another.

The nature of testing is that complete coverage grows combinatorially with state. What you're saying is you don't want to eliminate the possibility of an entire class of errors, but rather rest this (rather significant) burden on testing. From my point of view that's like abandoning DRI in a database and saying tests can detect foreign key constraint violations and all the other things DRI can check. While technically true, it just doesn't make any practical sense.

Comment not really (Score 1) 196

Niven's view of such devices seemed pretty realistic, that the problem would take care of itself after a few generations.

Even if you were immortal, a droud would still be the equivalent of death; remove the constraint of time, and limitation is measured by the boundaries of your mind's total potential state-space.

Any sufficiently intelligent being - no matter how powerful or long-lived - would avoid pleasure-death.
