
Whenever someone posts an article here about some exploit relating to a startup, or that it turns out they were never doing anything but storing passwords in plaintext, you'll get a small army of posters pointing out that it would be insane for them to focus on anything besides getting the product out the door working just well enough to start taking people's money as fast as possible.

So yeah, "fuck it, ship it" seems to be more or less the standard.




No one expects from a non-funded startup with 1 engineer on board to have all the security figured out.

However, if you are VC funded with 10 engineers on the team, this is inexcusable.


hey man - I'm putting together an unfunded product on the side by myself, and my passwords are using scrypt, and they have a salt, and the salt is per-user, and the system rejects weak passwords based on popular entries, bad entropy, and easy guessability. It honestly wasn't more than 8 hours of foolery to get all that working. Is it ready for the credit card industry? no. But it's going to stop derps who get their hands on the DB.


Yeah but you didn't learn everything you know from poorly written PHP tutorial websites and W3Schools. The words "Key-Derivation Function" are nowhere to be found in the lexicon of these people.


I did, originally. And it's certainly in my vocab, and in my applications where applicable.


> and the salt is per-user

The only kind of salt...


You're forgetting table salt.


Consider that you are just practicing cargo-cult security though. You just piled a bunch of password security recommendations parroted all over the Internet to the detriment of your users.

If you are using scrypt with a reasonable difficulty and a per-user salt, there is no reason to put the entropy restrictions, weak password restrictions, etc on your end-users. It is painful to interact with sites that enforce ridiculous password requirements.

You can get away with a 4 character password on Netflix. There is a reason for that. Security is much more subtle than password complexity.


> Consider that you are just practicing cargo-cult security though.

No, I really am not. But as I didn't describe my reasons, you don't have the context to understand them.

Frankly, if Netflix has 4-character passwords, I would expect it to be relatively easy to compromise their accounts live with a carefully put together campaign. If Netflix gets their username/pw database dumped, I expect we'll see their policy change as the passwords are trivially cracked.

Not only that, putting together a safe & sane password retry system isn't the easiest thing ever, and doing careful fraud detection based on geolocation/ip etc isn't the easiest thing ever either. Particularly when I don't have someone working full-time on security.

Further, what you also didn't know is that the password strength functions as written have knobs I can adjust if things are too onerous.

So having harder passwords goes a long way towards 'better security' on the account side for little effort.

I would advise you to be more cautious about making unsubstantiated statements based on ignorance in the future.
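The setup the commenter describes (scrypt with a per-user random salt, plus a weak-password filter whose thresholds are adjustable "knobs") as an added example; this is not the commenter's code. The common-password list, the length and entropy thresholds and the scrypt cost parameters are all assumed values.

```python
import hashlib
import hmac
import math
import os
from collections import Counter
from typing import Optional, Tuple

# Constructed stand-in for a real "most common passwords" list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}

# The "knobs": assumed defaults, loosened or tightened per deployment.
MIN_LENGTH = 10
MIN_ENTROPY_BITS = 30.0

# scrypt cost parameters (assumed; 128*N*r bytes of memory, here 16 MiB).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def shannon_entropy_bits(password: str) -> float:
    """Rough entropy estimate: Shannon entropy of the character mix times length."""
    if not password:
        return 0.0
    n = len(password)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(password).values())
    return per_char * n


def weak_password_reason(password: str, min_length: int = MIN_LENGTH,
                         min_entropy: float = MIN_ENTROPY_BITS) -> Optional[str]:
    """Return None if the password is acceptable, otherwise the reason it was rejected."""
    lowered = password.lower()
    if len(password) < min_length:
        return "too short"
    if lowered in COMMON_PASSWORDS:
        return "in common-password list"
    if any(common in lowered for common in COMMON_PASSWORDS if len(common) >= 6):
        return "contains a common password"
    if shannon_entropy_bits(password) < min_entropy:
        return "low entropy"
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """scrypt the password under a fresh 16-byte random salt (one salt per user)."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute under the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)
```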


Just curious if you know what class of people you're making fun of when you use the term "derp".


You piqued my curiosity, so I went looking. According to Know Your Meme, that most prestigious and reliable of sources, "derp" originated from Trey Parker and Matt Stone. First it was in a movie (where they were sniffing underwear), and then in South Park. Now, having not seen the episode, I can't really comment on its contents, but I assume that the character that first used the term in South Park was either simply stupid, or suffered from some form of disability. Either way, the term has since devolved into making fun of stupid people - which I believe the grandparent was also doing.


I would argue that first startup needs to spend the extra time or hire another developer if the end result otherwise is something as egregious as what QuizUp appears to be doing.

But I agree, there's a huge difference between just not being able to implement security and not considering it relevant. To me, this is clearly a sign of the latter.


People don't realize how easy it is to see the secret APIs behind their mobile apps. There's no obvious view-source on my phone and a lot of devs lack a full picture of how all the pieces fit together.



