After reading the news report about the Gawker password leak, I thought to myself, WTF?!! Reading the BBC article, I just couldn’t believe the kind of passwords people chose to use for their accounts. Unfortunately, I see this everywhere, particularly in corporate environments. People tend to come up with passwords that follow the sequence of keys on a keyboard.
Okay, having previously worked in information systems security, I have learned some things about password security. And the biggest thing that I learned from this leak is that these people did not take suitable password protection measures.
- A password must never be stored in the clear, because it can be read directly if the database is dumped.
- A password must never be stored encrypted, because it can be read if the secret key used to encrypt it is compromised along with the application.
- A password must never be stored as a plain hash, because a common password (as in this case) can be recovered from a table of hashes precomputed before the attack.
- A password must always be randomly seeded (salted) and then hashed, so that the same password can have different hash values under different conditions.
In fact, the last method – a randomly seeded hash – is only good for now, until it is broken. This scheme should be used to protect any sort of data used for one-way authentication. There are many different ways to do a seeded hash, but the concept is the same in all cases – to prevent a value from having the same hash every time.
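As an added illustration (not code from the original post), the Python below contrasts a plain hash, which a table of precomputed common-password hashes reverses instantly, with a per-user randomly seeded (salted) and iterated hash of the same password; the sample password list and the choice of SHA-256/PBKDF2 are my assumptions, not the post's.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for an attacker's precomputed table of common passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same password always yields the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def lookup_unsalted(stored_digest: str) -> Optional[str]:
    """Reverse a plain hash by looking it up in a precomputed table.

    This is exactly why storing an unseeded hash is not enough: the work is
    done once, before the database is ever dumped.
    """
    table = {unsalted_hash(p): p for p in COMMON_PASSWORDS}
    return table.get(stored_digest)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> str:
    """Seeded (salted), iterated hash using PBKDF2-HMAC-SHA256.

    A fresh 16-byte random salt is generated per call, so two users with the
    password "123456" get different records. Stored as salt$iterations$digest
    so the verifier can recompute it later.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the seeded hash with the stored salt and compare in constant time."""
    salt_hex, iterations, _digest_hex = stored.split("$")
    recomputed = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    print("plain hash of 123456 reversed to:", lookup_unsalted(unsalted_hash("123456")))
    record_a, record_b = hash_password("123456"), hash_password("123456")
    print("same password, different records:", record_a != record_b)
    print("verify:", verify_password("123456", record_a), verify_password("abc", record_a))
```

Running it shows the plain hash of "123456" resolving straight back to the password, while the two seeded records for the same password differ yet both verify.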
Can you imagine it, the most common password is “123456”??!!!
This is probably a good time to plug a simple tool that will come in very handy with online passwords – pwdhash. It comes with both a Firefox and a Chrome plugin, so it can be easily used in modern browsers. What it does is seed your password with the site's domain name and hash it. So, even if your password is “123456”, what gets sent to the website is a string of characters derived from that hash, different for every domain.