Storing Passwords Securely
I intended to blog about Scala, but then there was yet another loss of passwords and I ran across this post by Patrick Mylund Nielsen on Storing Passwords Securely. This is the most complete and concise discussion of password security I’ve seen to date. To summarize Mr. Nielsen:
Cryptographic hash functions are not sufficient for password hash functions. If an attacker gets hold of your hashed passwords (as happened in the Linked in case), it’s easy to recognize the hash for a given password because the hash for it is constant. For example, the attacker can take a list of common passwords and generate the hash for each one and then compare his hashes to yours. Every time the the hashes are equal another one of your passwords is compromised.
One solution for this problem is salting. Salting is adding a random string to the password before it is hashed. You store the salt with the hash so you can test submitted passwords. Of course, if the attacker gets your passwords he also gets the salts, but he has to hash each of his password guesses with all of the salts.
Of course, if it just takes microseconds to generate a hash then you may still have a problem. This leads to Mr. Nielsen’s second point: password hash functions should be slow. Taking a second to calculate the hash won’t be noticeable to your users, but it will make the attacker’s job billions of times worse. The method used to slow down the hash function is called “stretching.” Stretching involves hashing the password and then hashing the hash. That hash hashing can take place hundreds of thousands of times.
There are three common password hashing functions that both salt and stretch the hashes. They are PBKDF2, bcrypt, and scrypt.
Finally, there are libraries available for all three. Use a well-supported, widely used library. The risk of fatal bugs is much lower that way.
SOUND OFF: What methods do you use to thwart attackers?
