01 Feb 2011

Hackers, passwords and us

A lot of hacking activity has been going on online of late. If you missed Gawker's breach, there is now Plenty of Fish. While building a 100% foolproof system is hard and sometimes beyond our capabilities, the least we can do is protect our passwords. There are many ways passwords get compromised; this piece, however, focuses on access via a compromised database. How does this affect you as a normal site user and as a site developer?

As a site user
How secure do you think that site you registered at is? Ok, strike that. Is your password safe if the site's database is compromised? One way to know is whether the site stores your password in plaintext or with a two-way (reversible) encryption algorithm. Of the two, encryption is better. But the thing is, two-way encryption can still be decrypted by anyone who also gets hold of the key, and the key usually lives on the same servers as the database.

So how do you know whether your password is safe even if the database is compromised? It's simple: do a 'recover my password'. If the site sends you your password in plaintext, your password is not safe; the site can read it, so an attacker with the database can too. (The reverse does not hold: a site that sends a reset link instead may still store passwords in a recoverable form. This test only catches the worst case.) Next move? If it is an account you no longer use, delete it if possible. If you still use it or can't delete the account, change your password to a unique one used only on that site, so that should anything happen, your accounts on other sites are not compromised along with it.

As a developer
Storing passwords in plaintext is out of the question. Using two-way encryption algorithms is not much better. The only plausible reason developers do this is to be able to recover user passwords, and that can be achieved in other ways. One simple way is to reset the password to a new random value, store a hash of that value in the password field of the database table, and send the (unhashed) value to the user once, over the registered email address. The plaintext is never written to the database, so there is nothing in it to recover.

So how should passwords be stored? As the output of a one-way hash function, not encrypted. The most common hash in use is MD5, but an unsalted MD5 of the password alone is weak: every user with the same password gets the same hash, and precomputed tables for plain MD5 are widely available. To make hashes harder to crack, developers should at least salt them, that is, mix a random value into the input and store that value alongside the hash. Better still, use a password hashing scheme that generates a unique random salt for every password, so the same password yields a different stored value each time, and that is deliberately slow to compute. An example of this is the PHP library Phpass, which WordPress uses at last check.
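As an added example (not code from the original post, and not Phpass's own scheme), here is the reset flow from the previous paragraph and the salted one-way storage just described, in Python. Everything specific here is an assumption for illustration: PBKDF2-HMAC-SHA256 as the slow hash, a 16-byte random salt, 200,000 iterations, and the `scheme$iterations$salt$digest` record format. The unsalted MD5 function is included only to show the weakness being replaced.

```python
"""Password storage: unsalted MD5 (weak) versus a salted, iterated one-way hash,
plus a password reset that never needs to decrypt anything.

Example code written for this post; the scheme and parameters are assumptions,
not Phpass's or WordPress's implementation.
"""
import hashlib
import hmac
import os
import secrets
import string
from typing import Dict, Optional

# Assumed parameters for the example (not from the original post).
SCHEME = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def md5_unsalted(password: str) -> str:
    """The weak scheme the post warns about: same password, same hash, for every user,
    and a precomputed (rainbow) table for plain MD5 breaks all of them at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated one-way hash. A fresh random salt per call means the same
    password produces a different stored record every time, so identical passwords
    are not visible in a dumped table and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the salt and iteration count stored in the record
    and compare in constant time. Malformed records never verify."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        expected = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                       bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(expected, bytes.fromhex(digest_hex))
    except ValueError:
        return False


def reset_password(users: Dict[str, str], username: str, length: int = 12) -> str:
    """'Recover my password' without reversibility: mint a random temporary password,
    store only its hash, and return the plaintext once so it can be emailed to the
    user. The plaintext is never written to the table."""
    if username not in users:
        raise KeyError(username)
    alphabet = string.ascii_letters + string.digits
    new_password = "".join(secrets.choice(alphabet) for _ in range(length))
    users[username] = hash_password(new_password)
    return new_password


def demo() -> Dict[str, str]:
    """Two users pick the same password; the weak table leaks that fact, the salted
    table does not. Returns the salted table for inspection."""
    weak_table = {"alice": md5_unsalted("correct horse"),
                  "bob": md5_unsalted("correct horse")}      # constructed sample users
    salted_table = {"alice": hash_password("correct horse"),
                    "bob": hash_password("correct horse")}
    print("unsalted md5 identical:", weak_table["alice"] == weak_table["bob"])
    print("salted hashes identical:", salted_table["alice"] == salted_table["bob"])
    temp = reset_password(salted_table, "bob")
    print("bob's old password still works:", verify_password("correct horse", salted_table["bob"]))
    print("bob's emailed temporary password works:", verify_password(temp, salted_table["bob"]))
    return salted_table


if __name__ == "__main__":
    demo()
```

The salt does all the work of making identical passwords look different; holding the salt fixed makes the function deterministic again, which is exactly what `verify_password` relies on. The iteration count is stored in the record so it can be raised for new passwords later without breaking existing logins.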

More importantly, and in conclusion, as with everything, there are workarounds. Hashes can be cracked with rainbow tables and brute force. A per-user salt defeats rainbow tables, and a slow hash raises the cost of brute force, but neither saves a password that is in every attacker's wordlist. Your best bet is therefore to encourage users to choose strong passwords combining letters (mixed case), numbers and symbols, and possibly to enforce it; these are far more expensive to brute force. And as a user, use passwords that combine letters (with mixed case), numbers and symbols.

My name is Opeyemi Obembe. I build things for web and mobile. You should follow me on Twitter (@kehers).