Genghis_9000 | 3 years ago
> first example
everyone will freak out here because the password is therefore stored in plaintext (well not necessarily but maybe depending on the hashing scheme). the cringe here is that the most immediate reaction of the security junkie will be OMFG PLAINTEXT, rather than the more obvious "problem" that it just told you the password of another account
of course none of this matters since you could just brute force every account anyway since the password is short
> second example
this is not a bad guess at how to implement this feature. not everyone knows about gotchas like secure cookies, despite it being a 20-year-old problem
passwords also shouldn't need to be "securely stored somewhere". and you shouldn't expect any web dev to get that right
in reality, the web should be encrypted/authenticated by default, and not using CA bloat. a public key should uniquely identify a website. dns shouldn't exist. if the web was for static documents like it was meant to be and without millions of unneeded complications like CSS, you could replace a http://longkeyblahblah with <Google>. yes, really, not even css should exist. something you use for banking should not be the same thing you use for looking at magazines and ads.
> But it's still a password in a cookie and it's still not HTTP only and they had reflected XSS risks on the site.
more web infosec pro dogma. just don't have XSS. of course that's too much to ask for web standards since they will just extend the grammar in some way that adds XSS to your existing XSS-free code, but whatever let's pretend mitigation is the most important thing in the world while anyone can just use your account without needing your password in 99% of attacks concerning things that are mitigated with hashing, keeping passwords in "secure places", and
now everyone's gonna reply to me saying "well the layperson...". it doesn't matter. all the things i talked about are things the user has to solve himself otherwise he will be hacked, no matter how many bandages and "best practices (TM)" you use.
tl;dr you're all stupid, your beliefs about security are WRONG, and your software has the same needlessly stupid shit, like apache commons absolutely critical vuln that exists for absolutely no reason, last week.
see, the problem here, is that for 15 years i've been saying "just do it right", and people have been "arguing" that it will take a year to fix all the current broken standards (like the web not having a proper way to do authentication, being vuln to CSRF by default, not providing safe ways to compose DOM, etc). instead, year after year you give yourself applause for implementing the latest password hashing algo and cargo cult like JSONP to work around fundamental problems that will never be fixed in the web that should have died in 2003. you think my post is toxic but really the fact that the 99%er webdev mocks people for not knowing about secure cookies or some other web workaround, makes the 99%er webdev toxic (and they spread their bad products around toxically, to boot).