
It's the job of the web developer to do everything within their control to protect a user. There is no excuse for not hashing/salting passwords.



It's a radio station. I would never expect a web developer to do 'everything within their control' to secure it. Not even banks do that.

Honestly, what are you worried about? So they have your plaintext password. You didn't reuse it for any other service, right? So what use is it to anybody other than logging into your Pandora account and fucking with your stations? (And why the hell would anyone do that?)

People need to be more realistic about security.


Which would be a reasonable argument except that hashing passwords is effortless in terms of development.

The cost/benefit of implementing this functionality makes it a rule of thumb for front-facing web pages.


Of course it's easy. You won't necessarily do it right, but you can sure get a crappy version working quickly.

Assuming every web developer implemented a crappy password hash and then checked off the 'security' box on their compliance form. Are users more secure? No, because they didn't consider exactly how secure it needed to be.

Are you using a sha1 hash? Great. Is it salted? Oh shit, forgot that, let's salt it. Ok, now I just cracked it. Oh shit, let's use pbkdf2. Uh oh, it's cpu expensive and not very strong, let's use bcrypt. Shit, it's easy to crack with a big FPGA array, let's use scrypt. Shit, now it can be used for replay attacks, let's add a MAC. Password hashing is easy, right?

Europeans have chip-and-pin credit/debit cards. Are they more secure than Americans without chips in the cards? Yes. They probably feel they're more secure. Yet it's been known for a decade that you can intercept the communication, and millions of dollars/euros have been lost because customers and companies believed in the blind faith of their perceived security.

  "oh, i have an anti-virus, i'm secure now."
  "oh, i have a vpn, i'm secure now."
  "oh, i have tls, i'm secure now."
  "oh, i have a password hash, i'm secure now."
I'm not saying you should not apply strong password hashes. I'm saying there is a time and a place to be outraged about a lack of security practices. If you knew how incredibly, horribly, terribly insecure the world around you is, the world that matters, you wouldn't care about your Pandora password either.


When password reuse is common (that is to say, in the real world) it is always the time and place for password security. Sure, you and I know that we should have different passwords for every one of the hundreds of websites we've ever visited and that they should each be as strong as the potential damages of each website warrants and that we should change them on a relatively regular basis. And we are supergood about this and never slip.

Except, oh wait, even people on HN don't always follow best practices because they can be fucking hard sometimes. And that's before we get into the support email I got from a 90-year-old user that consisted entirely of the subject line "WHAT IS PASSWORD".

I will guarantee you that somebody with access to every Pandora user's username and password will be able to access multiple bank accounts (or worse) within a short time period even though Pandora itself is a key example of a minimum-damages service.


Your argument, then, is that Pandora should apply password hashing to keep people from being compromised elsewhere? Assuming they only had two online accounts this might make sense. Assuming every single one of their accounts, all the same credentials, had perfectly implemented password hashing, this might make sense.

But that is bullshit and we both know it.

There will always be a bad implementation, or a mistake, or an insider, or a man in the middle. If all their 100 accounts are the same creds, it only takes one time and they're fucked.

It is completely impossible to have perfect security on all these accounts. It is inevitable that one will get cracked. At that point, blaming anyone but the user is lunacy.


> Assuming every single one of their accounts, all the same credentials, had perfectly implemented password hashing, this might make sense.

It is Pandora's ethical duty to do their part. And it is the ethical duty of other sites to do their part.

It is the user's duty to do their part.

Any one of these parties slacking does not excuse slacking on the part of others.

This is not a perfect world. We all know there are people who use the same password everywhere. Since we know that, it is our responsibility to do our part.


This is exactly what I meant when I said: "everything within their control to protect a user".


That's an excellent point. Pandora should just publish their user/pass database and it will be the user's own fault if they've reused their password ever.

But, seriously, whether they should be or not, the fact is Pandora is hosting sensitive information and they need to act like it. They shouldn't need to lock it down like Fort Knox, sure, but password hashing is considered a bare minimum these days.



