In the first part of my review on Advertlets, I used the words lazy, amateurish and shoddy work to describe the design, bugs and quality of work that I found in their system. I was challenged on it, but it was answered by these comments (here, here and here).
I received an explanation from Firdauz (from Advertlets) which was supposed to ‘cover up’ all the laziness, amateurish, shoddy work and maybe even the possible password vulnerability that I found.
What’s assumed as laziness and amateurishness was, in fact, our best decision at that particular time.
Even up to this point in time, they have never stated that the users’ passwords in their system ARE ENCRYPTED. They mentioned how their system was capable of warding off “SQL injection, brute force attacks, URL guessing, and social engineering” and that their system is “indeed secure, and we can vouch for the protection of your data and password”.
However, the question to be answered is, “Are the users’ passwords encrypted?” It doesn’t matter if their system is 100% “unhackable” from the outside; protecting the users’ passwords at rest is considered a fundamental practice in developing a system. (Strictly speaking, the standard is to store only a salted one-way hash of each password rather than a reversibly encrypted copy, so that even someone who obtains the database cannot read the passwords back. Either way the principle is the same.) The users’ passwords should NEVER be stored in plain text, no matter how secure a system may seem to be from the outside. That is the standard principle.
But you don’t let loose an application which fails one of the most basic principles, i.e. password security.
Your best decision at the time should not have been this. To me, it sounded like you guys rushed it out the door so that you had something to show.
No – your best decision at the time should have been to put yourselves in the shoes of a user and whack the system as hard as you can.
One point I missed in my review is that they neglected one of the basic password-security features: setting a minimum password length. According to this and this, a password must be at least 6 or 7 characters long to be considered standard. Shorter passwords are considered WEAK and are far easier to guess or brute-force.
However, I have tested this, and their system allows passwords as short as ONE character. I have one account whose password is “a” and another whose password is “abc”. Let’s hope they did not neglect the most important security feature: encrypting the passwords.
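As an added example (not code from the original post, and not Advertlets’ own code), here is what the two basic checks discussed above look like in Python: rejecting passwords shorter than a minimum length at registration, and storing only a salted, iterated one-way hash (PBKDF2-HMAC-SHA256 from the standard library) so the database never holds the password itself. The minimum of 8 characters, the iteration count, the `register`/`login` helpers and the in-memory `users` dictionary standing in for their database are all assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Policy values assumed for this example. The sources cited above put the
# floor at 6 or 7 characters; 8 is used here. The iteration count is a cost
# knob for PBKDF2 and is likewise an illustrative choice.
MIN_PASSWORD_LENGTH = 8
PBKDF2_ITERATIONS = 200_000
HASH_ALGO = "pbkdf2_sha256"


def validate_password_length(password: str) -> bool:
    """Reject anything shorter than the policy minimum ("a" and "abc" both fail)."""
    return len(password) >= MIN_PASSWORD_LENGTH


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: algo$iterations$salt_hex$hash_hex.

    A fresh random salt per user means two users with the same password get
    different stored values, and a precomputed table is useless against the DB.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{HASH_ALGO}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != HASH_ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def register(users: Dict[str, str], username: str, password: str) -> bool:
    """Enforce the length policy, then store only the salted hash, never the plaintext."""
    if not validate_password_length(password):
        return False
    users[username] = hash_password(password)
    return True


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate against the stored hash; unknown users simply fail."""
    stored = users.get(username)
    if stored is None:
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    # Constructed sample data standing in for a users table.
    db: Dict[str, str] = {}
    print("register 'a'   ->", register(db, "short", "a"))          # False: too short
    print("register 'abc' ->", register(db, "short2", "abc"))       # False: too short
    print("register ok    ->", register(db, "alice", "correct horse battery"))
    print("stored value   ->", db["alice"])                         # hash, not the password
    print("login good     ->", login(db, "alice", "correct horse battery"))
    print("login bad      ->", login(db, "alice", "wrong password!"))
```

Note that the stored value carries its own salt and iteration count, so the cost can be raised later for new users without breaking existing logins, and `hmac.compare_digest` avoids leaking information through comparison timing.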
If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization.
(Weinberg’s Second Law)
What do you think?