Developers – secure your passwords, please

It seems like every week there’s a report of another security intrusion, in higher ed or not, with user details being stolen. In many of these cases, users’ passwords were not stored correctly, and in some cases they were stored in plaintext, meaning no encryption or hashing was used at all.

Before we go any further, if you are storing passwords for your web app in plaintext, shut it off immediately and fix it. Seriously.

Even LinkedIn, a network built by very smart people, was only using unsalted SHA1 for its passwords. All it takes is a rainbow table and a powerful computer, and the passwords are easily cracked.

From Poul-Henning Kamp, writing at the Association for Computing Machinery:

This is the first place LinkedIn failed utterly: Calculating the SHA1 function is very, very fast. A regular computer can crunch from 10 million to 100 million of them per second using the GPU, making it a trivial task to check even very large lists of potential passwords.

I’ve written in the past about some ways to use salts to protect passwords, but even some of those recommendations are now out of date.

Recently, for anything I’ve written that needs a login, I’ve used Bcrypt. There are ports for just about any programming language out there. If you’re writing in PHP, I’d recommend PHPass, a portable public domain password hashing framework. It takes a bunch of work off your hands and is deliberately computationally slow, which is exactly what you want when hashing a password.
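As an added illustration (not the author’s code, and not PHPass or Bcrypt itself), here is the contrast described above in Python: the unsalted SHA1 scheme beside a salted, deliberately slow hash whose stored form records its work factor so it can be raised later. It uses PBKDF2-HMAC from the standard library in place of bcrypt; that substitution is an assumption made only so the example runs without third-party packages.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # work factor; raise it as hardware gets faster
SALT_BYTES = 16       # per-user random salt defeats shared rainbow tables


def sha1_unsalted(password: str) -> str:
    """The weak scheme: fast, and identical output for identical passwords,
    so one precomputed table cracks every user who chose the same password."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. Returns a self-describing record of the form
    pbkdf2_sha256$<iterations>$<salt b64>$<digest b64> so the work factor
    used for each user is known at verification time."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time.
    Malformed records verify as False rather than raising."""
    try:
        scheme, iters, salt_b64, digest_b64 = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a lower work factor than current policy;
    call this on successful login and re-hash with the plaintext you just verified."""
    return int(stored.split("$")[1]) < iterations
```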

If you’re looking for a refresher on password security, or you’re new to building apps and want a quick primer on how to do it right, you’ll enjoy this video from Les Hazlewood, CTO of Stormpath. In it, he walks you through various levels of password security and how to store passwords, from just plain wrong to crazy and complicated. If you’ve got a few minutes, it’s really worth checking out.

1 comment

  1. Even before you ask yourself how to securely store the passwords, I’d ask whether you need to store passwords at all. Is there an institutional authentication system (e.g. CAS) you can use instead? Could you let people authenticate using OpenId or a Facebook or Google account? The safest password is one you don’t even have.
