8 Lines of Code

I’ve been driving for about 20 years and I’m ashamed to say that I still have only a rudimentary knowledge of the internal workings of a car. I’ve compiled a mental list of important considerations, though, just the simple stuff that prevents real harm. For instance, I know that when jump-starting a car you should be careful not to touch the leads together. I know that you should tighten the lugs in a particular order when changing a tire, and that you shouldn’t unscrew the radiator cap when steam is coming out.

In a similar fashion, and to my embarrassment, I still have only a rudimentary knowledge of encryption. In my 15 years of code development, here are some things that I’ve learned: if a company e-mails your password to you, they have no idea what they’re doing; an unsalted MD5 hash of a password is not "reversed" so much as looked up, since MD5 is fast enough that precomputed tables and brute force recover common passwords in seconds, so it’s not to be used for storing credentials; and salts are important. Honestly, I frequently have to look up anything more than that. But that’s okay. Just as you don’t have to be a mechanic in order to drive a car, you can have a successful career developing websites without being a cryptographer.

The recent compromise of the Gawker family of websites by a group calling themselves Gnosis highlights the frustrating reality of modern-day Web development: a small team in charge of even a modestly successful website can put millions of people’s personal information at risk through the careless coding of a few key routines, password storage chief among them. In part, lazy or unsophisticated users are also to blame: re-using the same password across multiple sites exposes not just the data on the compromised site but potentially the accounts on a multitude of other sites, because a password cracked from one leaked database is tried everywhere else.

In the age of Google and GitHub, there’s simply no excuse for rolling your own authentication schemes or being ignorant of basic truths of modern computing.

In prehistoric times (2005), I came across this bit of PHP code that I’ve made great use of. Here you go: eight lines of elegant security code. What these simple lines buy you is a random, per-user salt stored alongside the hash, so an attacker who walks off with your user table cannot crack it with one precomputed rainbow table and has to attack every hash separately. That alone goes a long way toward protecting your users from a broad-based attack.

// Returns salt . sha1(salt . password). The 9-character salt is stored as a
// prefix of the result, so verification can recover it without a separate column.
private function generateHash($plainText, $salt = ""){
    if ($salt == ""){
        // Fresh salt from a CSPRNG (PHP 7+); the original's rand()/uniqid() was predictable
        $salt = substr(bin2hex(random_bytes(5)), 0, 9);
    } else {
        // Verifying: $salt is the stored hash, whose first 9 characters are the salt
        $salt = substr($salt, 0, 9);
    }
    return $salt . sha1($salt . $plainText);
}

// Check a login attempt against a stored hash with a constant-time comparison (PHP 5.6+)
private function verifyHash($plainText, $storedHash){
    return hash_equals($storedHash, $this->generateHash($plainText, $storedHash));
}

Consider it a starting point. For instance, I usually prefer to swap out SHA-1 for something like Whirlpool, but you get the idea. One caveat, though: trading one fast hash for another fast hash does nothing to slow an attacker down, because the salt only defeats precomputed tables, not a per-hash brute-force run at millions of guesses per second. The routines that experts have built for this job (bcrypt, PBKDF2 and their successors) are deliberately slow and iterated, so that every guess costs the attacker as much as it costs your login page. Somewhere out there is a ready-to-use routine of that kind for your chosen language, created by experts and vetted by developers across the world. Consider this a challenge to go find it and use it.
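To make the difference concrete, here is an added example (not from the original post, and written in Python rather than PHP so that it is easy to run anywhere) that transcribes the article's salt-prefix scheme, puts a vetted iterated KDF next to it, and runs the same dictionary attack against both. It uses only the standard library; the `pbkdf2_sha256$iterations$salt$hash` storage format, the 100,000 iteration count and the candidate passwords are assumptions of the example.

```python
import hashlib
import hmac
import os
import time

# --- The article's scheme, transcribed: salt . sha1(salt . password) --------
SALT_LEN = 9  # the original stores a 9-character salt as a prefix of the hash


def generate_hash_sha1(plain_text, salt=None):
    """Return salt + sha1(salt + password) with the salt as a 9-char prefix."""
    if not salt:
        # Draw the salt from a CSPRNG (the original used rand()/uniqid()).
        salt = os.urandom(8).hex()[:SALT_LEN]
    else:
        # Verification passes the stored value; its first 9 chars are the salt.
        if len(salt) < SALT_LEN:
            # A shorter salt would make the prefix ambiguous and break lookups.
            raise ValueError("salt must be at least %d characters" % SALT_LEN)
        salt = salt[:SALT_LEN]
    digest = hashlib.sha1((salt + plain_text).encode("utf-8")).hexdigest()
    return salt + digest


def verify_sha1(plain_text, stored):
    """Re-derive with the stored salt and compare in constant time."""
    return hmac.compare_digest(stored, generate_hash_sha1(plain_text, stored))


# --- The vetted alternative: an iterated KDF (PBKDF2-HMAC-SHA256) -----------
ITERATIONS = 100_000  # assumption: tune so one hash takes ~100 ms on your server


def generate_hash_pbkdf2(plain_text, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt_hex$dk_hex' (assumed storage format)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", plain_text.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_pbkdf2(plain_text, stored):
    """Parse the stored record, re-derive with its own parameters, compare."""
    try:
        algo, iters, salt_hex, _ = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    expected = generate_hash_pbkdf2(plain_text, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(stored, expected)


# --- The attacker's side: the salt forces one run per hash, but each guess
#     costs only as much as the hash function does --------------------------
def dictionary_attack(stored, candidates, verify):
    """Return the first candidate that verifies against `stored`, else None."""
    for candidate in candidates:
        if verify(candidate, stored):
            return candidate
    return None


def attack_timing(candidates):
    """Time the same dictionary attack against both schemes; returns seconds."""
    target_sha1 = generate_hash_sha1(candidates[-1])
    target_pbkdf2 = generate_hash_pbkdf2(candidates[-1])
    t0 = time.perf_counter()
    dictionary_attack(target_sha1, candidates, verify_sha1)
    t1 = time.perf_counter()
    dictionary_attack(target_pbkdf2, candidates, verify_pbkdf2)
    t2 = time.perf_counter()
    return t1 - t0, t2 - t1


if __name__ == "__main__":
    # Constructed sample wordlist; the real password is last so every guess runs.
    wordlist = ["123456", "password", "letmein", "qwerty", "hunter2"]
    sha1_secs, pbkdf2_secs = attack_timing(wordlist)
    print("salted SHA-1: %d guesses in %.4f s" % (len(wordlist), sha1_secs))
    print("PBKDF2:       %d guesses in %.4f s" % (len(wordlist), pbkdf2_secs))
```

Run it and the salted-SHA-1 attack finishes before the timer registers, while the PBKDF2 attack takes a visible fraction of a second for five guesses; scale that to a leaked table of a million hashes and a wordlist of a few million entries and the iteration count is the only thing standing between the attacker and the plaintext. The salt-length check is the one edge case in the original worth knowing about: the prefix trick only works when every stored salt is exactly nine characters.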

The total investment in time and effort to integrate this into your site is probably on the order of one hour. I’ll give you 30 minutes to read the article, 20 minutes to make the code change, and 10 minutes to have a beer.