Saturday, April 24, 2010

2010-04-24 Saturday - Storing Passwords

2011-06-25 Update:
Today I came across this article by Coda Hale:

...which referenced this paper:

Proceedings of the FREENIX Track:
1999 USENIX Annual Technical Conference
Monterey, California, USA, June 6–11, 1999

A fellow consulting colleague was chatting with me over a cup of coffee a few weeks ago, and the topic of application security came up.

Some of the obvious things to avoid:
- storing passwords in plain-text in databases
- storing passwords in plain-text in property/configuration file

Using a unique salt for each user's password is one of the optimal mechanisms.

Here are some interesting postings that review various strategies:

Some resources that might be of interest to developers:

You might think that at this point in the evolution and maturation of Computer Science and Software Analysis and Design - that no commercial software vendor would store passwords in plan-text.  Apparently you would be wrong...

Event those that don't store passwords in plain-text, still have trouble getting security right...
 more great stories at...

Credit Union National Association, Inc. has a nice write-up on Password Safety Tips:

Microsoft Online Safety
Check Your Password - is it strong?

No comments: