Today I came across this article by Coda Hale:
...which referenced this paper:
Proceedings of the FREENIX Track:
1999 USENIX Annual Technical Conference
Monterey, California, USA, June 6–11, 1999
A fellow consulting colleague was chatting with me over a cup of coffee a few weeks ago, and the topic of application security came up.
Some of the obvious things to avoid:
- storing passwords in plain-text in databases
- storing passwords in plain-text in property/configuration files
The approach to aim for is a unique, randomly generated salt for each user's password, combined with a deliberately slow hash whose cost can be raised over time, which is exactly what the paper above proposes. The salt defeats precomputed lookup tables and keeps two users with the same password from producing the same stored value; the slow hash limits how many guesses an attacker can try per second if the database does leak.
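To make that concrete, here is an added example (not code from the original post, from Coda Hale's article, or from the paper) that contrasts an unsalted fast hash with a per-user salted, iterated one. It uses PBKDF2-HMAC-SHA256 from Python's standard library in place of bcrypt so it runs with no third-party dependency; the storage format, the iteration count, and the sample user names and password are assumptions made for the illustration.

```python
# Added example, not from the original post or the referenced paper.
# Demonstrates per-user random salts plus a slow, iterated hash
# (PBKDF2-HMAC-SHA256 stands in for bcrypt; stdlib only).
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 600_000   # work factor; raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt per user


def unsalted_sha256(password: str) -> str:
    """The weak approach: one fast, unsalted hash per password.

    Identical passwords yield identical hashes, so a single precomputed
    table cracks every user who chose that password.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salt the password with fresh random bytes and hash it slowly.

    The algorithm name, work factor and salt are stored alongside the
    digest so the cost can be raised later without breaking verification
    of records written with the old parameters. (Format is an assumption
    for this example, not a standard.)
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/cost and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False            # malformed record: never treat as a match
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     salt, iterations)
    # hmac.compare_digest avoids leaking where the first differing byte is.
    return hmac.compare_digest(recomputed, expected)


def demo() -> dict:
    """Constructed sample: two users who happened to pick the same password."""
    pw = "correct horse battery staple"
    users = {"alice": pw, "bob": pw}
    unsalted = {u: unsalted_sha256(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}
    return {
        # same password -> same unsalted hash: one lookup cracks both
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],
        # same password -> different salted records
        "salted_collide": salted["alice"] == salted["bob"],
        "alice_ok": verify_password(pw, salted["alice"]),
        "alice_wrong": verify_password(pw.capitalize(), salted["alice"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Keeping the parameters inside the stored string is what lets you bump the iteration count later: old rows still verify with their recorded cost, and you can re-hash each user at their next successful login.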
Here are some interesting postings that review various strategies:
Some resources that might be of interest to developers:
You might think that at this point in the evolution and maturation of Computer Science and Software Analysis and Design, no commercial software vendor would store passwords in plain-text. Apparently you would be wrong...
Even those that don't store passwords in plain-text still have trouble getting security right...
More stories of this kind at http://blog.sucuri.net/
Credit Union National Association, Inc. has a nice write-up on Password Safety Tips:
Microsoft Online Safety
Check Your Password - is it strong?