Storage of clear-text passwords: NOT!
Paw Prints: Writings of the maddog
I am the first person to admit that I am not an expert on security (o.k., there are probably several dozens of my friends who will gleefully “admit” that I am not an expert on security before I will), but I do know that storing passwords in clear-text is just not the way to go. Yet recent interactions with several web site management teams has shown me that apparently some people have not yet learned this simple principle.
With all the reported incidents of identity theft due to records and data stolen you would hope that companies would treat passwords with more respect, yet I have one “social network” site email me information on my account each month where they include my password in the email in clear-text. The very first time they did this I went onto the site, removed all my information, replaced the information with fictitious data and changed the password to “stupididiots”. Now every month I get the email from them that reminds me of how stupid they are. When I start receiving things based on the fictitious information in the mail, I will know from where and why it is arriving.
Nor is this limited to small sites created by amateurs. Recently I had reason to talk with a major site holding records for millions of people and realized that they and their staff had access to their customers clear-text passwords. “That is not a smart thing to do” I told them. They did not seem to grasp the implications, so in the next few days I will be writing a letter to their president.
You would think that with examples like Unix and Kerberos that have been around for such a long time people and sites would be a bit more careful with how they handle passwords. Simple protection techniques are not rocket science, and can make the stored passwords a lot safer.
For example, sites should convert the clear-text password received by the customer into an encrypted form immediately after receiving it, then throw away a small part (one bit would do) of that encrypted form and store the rest. This would prevent anyone receiving a database of stored passwords and (without any other knowlege) using a brute force technique to decrypt the passwords. When the customer accesses the site again, follow the same procedure, and compare the two encrypted strings. If they match, allow access.
If you are using a deterministic encryption algorithm, one that always creates the same encrypted string from the same set of clear-text, you don't have to know what the clear-text password is, only that the encrypted forms matched.
Granted, this technique also relies on the fact that people choose “good passwords”, but no choice of a “good password” will protect you from idiots who insist on storing your clear-text password in their database in clear-text.
If a customer contacts the site and tells the staff that the customer has forgotten their password, the site will need to authenticate them in some way and then generate a new password for them and allow them to change it to whatever they need. Many web sites have automated this process in a fairly robust way using one-time ULRs and one-time passwords but the methods could be improved. There should never be a clear-text password generated, shipped or stored anywhere.
I recognize that this blog is not a treatice on Internet security, and I apologize to the regular readers of this column who will say “o.k., what else is new”, but as long as we keep hearing of “stolen records” that could easily have been avoided, we need to keep beating the drum.
Call staff accessI know that every ISP here stores the passwords (access authorisation, email and website) in plain text, because I have had reason to call and ask for access to customer websites where the original maintainer had moved on. In every case, after some preliminary footsie over who I was, they could read back and spell the password over the phone.
A far better approach would always be to provide an audited, supervised mechanism for password renewal combined with advice to change the newly generated password immediately.
Richard Stallman calls for the W3C to remain independent of vendor interests.
The new release supports nine architectures, 73 human languages, and zero non-Free components.
Fedora developers release the first alpha version of Fedora 19, known as Schrödinger’s Cat, for general testing. The final release is expected in July 2013.
ack is a grep-like, command-line tool that has been optimized for programmers to search large trees of source code.
New features in SUSE Studio 1.3 include enhanced cloud integration, VM platform support, and lifecycle management.
The Linux Foundation recently announced that the Xen Project is becoming a Linux Foundation Collaborative Project.
Open source version of LiveCode is now available for developing apps, games, and utilities for all major platforms.
OpenDaylight is an open source software-defined networking project committed to furthering adoption of SDN and accelerating innovation in a vendor-neutral and open environment.
The new Gnome release includes privacy and sharing settings, allowing more user control over access to personal information.
Mozilla is collaborating with Samsung on a new web browser engine called Servo.