Privacy and password security
So, as I'm sure you're all aware, the Privacy and Electronic Communications Regulations (PECR) deadline passed a few weeks ago (on the 26th May), meaning that sites across the UK (and Europe) should now be obtaining some form of consent before setting cookies. We can argue until we're blue in the face about this legislation being entirely pointless and detrimental to the end user experience while protecting no privacy at all, and that becomes even more apparent in light of the recent password leaks from sites such as LinkedIn, eHarmony and Last.fm.
The point is that cookies are harmless. Yes, the likes of Google, Facebook and the ad networks have been tracking usage across sites for years, and yes, that means they can target things at you based on whatever you've been looking at, but anyone who cares about that has had the facility to block and delete cookies for as long as browsers have existed. The PECR guidelines do nothing to help users find those controls, and the last-minute amendment allowing implied consent removes any last ounce of credibility the law may have had, since it allows cookies to be set before the user is asked at all, even if it does make the technical implementation easier.
Compare the above to password leaks. This is where people are really at risk because, let's face it, passwords are flawed. How many people actually use a password manager? Whether that means an electronic password manager or simply writing passwords down next to the PC, not many people do either (and the latter still isn't a great idea). So as much as we bang on about people choosing strong passwords and never using the same one twice, almost everyone reuses them. Can you really say you don't?
On that basis, we have to be able to trust the way that data is stored. You'll hopefully be glad to know that the passwords of users on all Yetti sites are salted and hashed with Whirlpool. We're also pretty confident in our mitigation of SQL injection vulnerabilities (prepared queries, anyone?), so what I'd really like to know is why sites such as LinkedIn fail to implement such measures.
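As an added illustration of the two measures just mentioned (this is example code written for this page, not Yetti's own code), the block below stores a per-user random salt alongside the salted hash, verifies a login attempt with a constant-time comparison, and then shows the same username lookup written once with string concatenation and once as a parameterised query against an in-memory SQLite table. Whirlpool is used where the local OpenSSL build exposes it through hashlib; the fallback to SHA-512 (also a 512-bit digest) is an assumption made so the example runs everywhere. One caveat worth stating: both Whirlpool and SHA-2 are fast hashes, so a per-user salt stops precomputed tables but does not slow down an attacker's offline guessing the way a purpose-built password hash (bcrypt, scrypt or PBKDF2 with a high iteration count) does. The usernames, passwords and the injection payload are constructed sample inputs.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple, List


def _digest(data: bytes) -> bytes:
    """512-bit digest: Whirlpool if OpenSSL provides it, otherwise SHA-512.

    The SHA-512 fallback is an assumption for portability; both produce 64 bytes.
    """
    try:
        h = hashlib.new("whirlpool")
    except ValueError:
        h = hashlib.sha512()
    h.update(data)
    return h.digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, hash). A fresh 16-byte random salt is drawn per user unless
    one is supplied, so two users with the same password get different hashes."""
    if salt is None:
        salt = os.urandom(16)
    return salt, _digest(salt + password.encode("utf-8"))


def verify_password(password: str, salt: bytes, stored_hash: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time, so the
    comparison itself leaks nothing about how many leading bytes matched."""
    candidate = _digest(salt + password.encode("utf-8"))
    return hmac.compare_digest(candidate, stored_hash)


def build_db() -> sqlite3.Connection:
    """In-memory users table seeded with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    for username, password in (("alice", "correct horse"), ("bob", "hunter2")):
        salt, pw_hash = hash_password(password)
        # parameterised insert: the values never touch the SQL text
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, pw_hash))
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[tuple]:
    """Deliberately injectable: the username is spliced into the SQL string.
    A payload such as  ' OR '1'='1  turns this into a dump of every salt and hash."""
    sql = "SELECT username, salt, pw_hash FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[tuple]:
    """Prepared/parameterised form: the driver binds the value, so the same
    payload is just an unknown username and matches nothing."""
    sql = "SELECT username, salt, pw_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Full check using the safe lookup: one row, then a constant-time verify."""
    rows = lookup_safe(conn, username)
    if len(rows) != 1:
        return False
    _, salt, pw_hash = rows[0]
    return verify_password(password, salt, pw_hash)


if __name__ == "__main__":
    db = build_db()
    payload = "' OR '1'='1"
    print("vulnerable lookup rows for payload:", len(lookup_vulnerable(db, payload)))
    print("safe lookup rows for payload:      ", len(lookup_safe(db, payload)))
    print("login alice / correct horse:", login(db, "alice", "correct horse"))
    print("login alice / hunter2:      ", login(db, "alice", "hunter2"))
```

Run as a script it shows the injected lookup returning every row (the shape of a LinkedIn-style hash dump) while the parameterised version returns none, and the login helper accepting only the right password for the right account.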
These things should be bread and butter. Admittedly there's no practical way to legislate for them, and clearly even PCI-DSS doesn't necessarily help. But the European Parliament and the UK's ICO should still stop wasting time on the likes of PECR when there are far more pressing problems.