Saturday, April 24, 2010

2010-04-24 Saturday - Storing Passwords

2011-06-25 Update:
Today I came across this article by Coda Hale:
http://codahale.com/how-to-safely-store-a-password/

...which referenced this paper:

Proceedings of the FREENIX Track:
1999 USENIX Annual Technical Conference
Monterey, California, USA, June 6–11, 1999
http://www.usenix.org/events/usenix99/provos.html
http://www.usenix.org/events/usenix99/provos/provos.pdf

A fellow consulting colleague was chatting with me over a cup of coffee a few weeks ago, and the topic of application security came up.

Some of the obvious things to avoid:
- storing passwords in plain-text in databases
- storing passwords in plain-text in property/configuration file

Hashing each user's password with its own unique salt is one of the best mechanisms.

Here are some interesting postings that review various strategies:

http://wblinks.com/notes/storing-passwords-the-wrong-better-and-even-better-way

http://dustwell.com/how-to-handle-passwords.html
http://www.codinghorror.com/blog/2007/09/rainbow-hash-cracking.html
http://apiwiki.twitter.com/Security-Best-Practices

Some resources that might be of interest to developers:
http://oauth.net/
http://www.cert.org/cert/information/developers.html
http://www.cerias.purdue.edu/
http://isis.poly.edu/
http://www.dwheeler.com/secure-programs/
http://msdn.microsoft.com/en-us/security/default.aspx
http://stackoverflow.com/questions/420843/need-some-help-understanding-password-salt
http://stackoverflow.com/questions/536584/non-random-salt-for-password-hashes/536756#536756

You might think that at this point in the evolution and maturation of Computer Science and Software Analysis and Design, no commercial software vendor would store passwords in plain-text.  Apparently you would be wrong...

http://rondam.blogspot.com/2010/03/danger-will-robinson-rackspace-cloud.html
http://ronrothman.com/public/leftbraned/password-security-its-not-that-hard-but-you-still-cant-get-it-right/
http://web.archive.org/web/20070109023445/http%3A//reddit.com/blog/theft

Even those that don't store passwords in plain-text still have trouble getting security right...
http://blog.sucuri.net/2010/02/godaddy-store-your-passwords-in-clear.html
More great stories at: http://blog.sucuri.net/

Credit Union National Association, Inc. has a nice write-up on Password Safety Tips:
http://www.nihfcu.org/filestore/section/227/Password_Safety_Tips.pdf

Microsoft Online Safety
Check Your Password - is it strong?
https://www.microsoft.com/protect/fraud/passwords/checker.aspx
