Password Storage

Jeff Atwood recently wrote a post to warn his coding brethren that they’re probably doing really bad things with users’ passwords. Reading the comment thread for that blog post convinced me that he’s 100% correct: they are. One commenter, Mats Helander, wrote a very good post about why storing passwords in plaintext ought to be illegal, from which I’m stealing this quote:

In my opinion, this is one of the very rare cases where I think the law should get involved, protecting the developer from having to compromise my security in order to keep his job. The developer should be able to say “No boss, that would be against the law”.

Why should it be illegal?

Because of the simple fact that users reuse their passwords between systems. And that, in combination with an increasingly online life, means that online impersonation is going to become a very serious concern.

… which is one of the points I was arguing in this thread.

If you are assigning an authentication pair (i.e., username/password) to a user, you have an obligation to protect that digital identity, both in your own database *and* in transit. In the database that means storing only a one-way digest of the password, never the password itself; in transit it means never accepting the password over an unencrypted channel.
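As an added example (not code from this post, from Jeff Atwood’s post, or from any project mentioned here), the following shows the two storage choices side by side: a store that keeps the password itself, and one that keeps only a salted, iterated digest and verifies with a constant-time comparison. The in-memory dictionaries standing in for the database, the `$`-separated record format, and the iteration count are assumptions chosen for illustration.

```python
"""Plaintext password storage beside salted, stretched hashing.

Added example. The dict-backed stores, the record format and the iteration
count are assumptions for illustration, not anyone's production code.
"""
import hashlib
import hmac
import os

# --- The bad way: the stored record IS the password. -----------------------
# Anyone who can read the table (SQL injection, a leaked backup, a careless
# admin) has every user's password and, because people reuse passwords,
# a good shot at their accounts elsewhere.
plaintext_store = {}


def plaintext_register(username, password):
    plaintext_store[username] = password


def plaintext_verify(username, password):
    return plaintext_store.get(username) == password


# --- The better way: store only a salted, iterated digest. -----------------
ITERATIONS = 200_000      # assumption for the example; tune to your hardware
SALT_BYTES = 16
DIGEST = "sha256"

hashed_store = {}


def _derive(password, salt, iterations):
    """PBKDF2-HMAC over the password; cost scales with `iterations`."""
    return hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, iterations)


def _encode(salt, iterations, digest):
    # Assumed record format: algorithm$iterations$salt_hex$digest_hex, so the
    # parameters travel with the record and can be raised later per user.
    return "pbkdf2_%s$%d$%s$%s" % (DIGEST, iterations, salt.hex(), digest.hex())


def _decode(record):
    _alg, iterations, salt_hex, digest_hex = record.split("$")
    return bytes.fromhex(salt_hex), int(iterations), bytes.fromhex(digest_hex)


def hashed_register(username, password):
    salt = os.urandom(SALT_BYTES)   # fresh random salt per user
    hashed_store[username] = _encode(salt, ITERATIONS, _derive(password, salt, ITERATIONS))


def hashed_verify(username, password):
    record = hashed_store.get(username)
    if record is None:
        # Burn the same work for unknown users so response time does not
        # reveal which usernames exist.
        _derive(password, b"\x00" * SALT_BYTES, ITERATIONS)
        return False
    salt, iterations, stored = _decode(record)
    candidate = _derive(password, salt, iterations)
    # Constant-time comparison: a plain == returns early on the first
    # mismatching byte and leaks how much of the digest was right.
    return hmac.compare_digest(candidate, stored)


def password_recoverable_from_store(username, password):
    """True if reading the stored record hands an attacker the password."""
    return plaintext_store.get(username) == password or password in hashed_store.get(username, "")


if __name__ == "__main__":
    plaintext_register("carol", "hunter2")
    hashed_register("alice", "correct horse")
    hashed_register("bob", "correct horse")
    print("plaintext record:", plaintext_store["carol"])
    print("hashed record:   ", hashed_store["alice"])
    print("same password, different record:", hashed_store["alice"] != hashed_store["bob"])
    print("alice ok:", hashed_verify("alice", "correct horse"))
    print("alice wrong:", hashed_verify("alice", "wrong"))
```

Note that this only addresses the database half of the obligation. The server still sees the password in the clear at login time, so the hashed store does nothing for the transit half, and the verifier must still refuse to accept credentials over an unencrypted connection.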


Posted September 19, 2007 by padraic2112 in security, software, web sites

4 responses to “Password Storage”


  1. While I agree in principle that only digests should be stored in authentication databases, that has little bearing on password reuse. If I run an authenticated service, and I store a digest, then when the user authenticates, he presents his password in the clear. At that point, if the user uses the same password for something else, *I* can get into that something else, because I have the password. Oh, and the keylogger on the user’s system picked it up too.

    The only effective protection against reuse is training users not to do it. Some assistance can be provided in the form of *secure*, free, convenient password safe programs for cell phones, since the biggest complaint from users told not to reuse is that they can’t remember all those passwords.

  2. I agree that password reuse is on the whole a really bad thing. However, I’m also pretty much convinced that user education isn’t going to solve this problem for any reasonably large number of users.

    Given 5 users, I can probably solve lots of security problems with education. Given 10 users, I probably can’t -> at least one of them, probably more, simply won’t listen unless I have either an effective carrot or an effective stick. Given 50 users, even carrots and sticks probably aren’t enough; in a group of 50 human beings you’re going to get someone lazy enough or just naturally contrary enough to buck education. Unless you have the authority to eliminate them from the group, security processes which rely on education are going to fall apart at that point.

    Giving people a decent password safe *and* forcing them to use it (by randomly generating passwords complex enough that they’ll more or less have to store them in the database) is a somewhat workable solution, as far as protecting your own resources.

    When it comes to low value resources (like, for example, someone’s free registration for a web site), they’re probably not going to follow such a procedure on their own (unless they’re already forced to do it for some organizational purpose)… so they’re going to reuse passwords. You’re right, the administrator of the site is a potential hazard here, but from a security trade-off position, most users (not really unreasonably) won’t be that stringent about maintaining unique passwords on their own recognizance.

  3. padraic2112> from a security trade-off position, most users (not really unreasonably) won’t be that stringent about maintaining unique passwords on their own recognizance.

    In my opinion, after enough transitive compromises have befallen them, they will. I.e., I include Darwin as one of the educators.

    Possibly some cheap secure token device will become commonly available to ameliorate this problem eventually.

  4. AB> after enough transitive compromises have befallen them,
    AB> they will. I.e., I include Darwin as one of the educators.

    Even Darwin doesn’t cover large enough groups of users. I know lots of people who have had catastrophic data loss events in their life; some of them are great about backups, most of them are reasonably good about backups, but there’s still some who just sail along merrily.

    AB> some cheap secure token device will become commonly
    AB> available

    Probably, and this will shift the problem domain from bad password management to device security problems (which is probably, overall, a good shift).

    Some hardware token that stores a password database, with a client agent similar to ssh-agent, where the user types in one password at session login and the agent does the rest of the work.

    Of course, the fundamental untrustworthy OS problem doesn’t go away. 🙂
