What Happens When You Login?

Feb 23, 2013

Security

By: Brandon Quakkelaar

Your favorite website is asking you for your username and password.

Username? Password? Sure, you’ve got those. [You enter your username] then [you enter your password] then [you press enter] then boom, you’re logged into the website.

What actually just happened? Well, assuming that you entered correct login credentials, you can now access whatever members only area that site offers to those credentials. But before that, in the split seconds after you clicked login and before you saw your profile, the website had to verify that the credentials you entered were correct. It had to make sure that it knew the username you entered and it had to make sure that your password belonged with that username. That process is called authentication.

What Does Authentication Mean?

It is common for online applications (like websites) to want to identify their users. Take Facebook as an example. Facebook cannot operate unless it is able to reliably identify its users. So, Facebook provides a registration process for new users to create accounts. That registration asks the user to give login credentials. In Facebook’s case the credentials consist of an email address and a password. When a registered user visits Facebook, they can enter their credentials and Facebook knows who they are because they have registration information for those credentials. Being able correctly identify a returning user is called authentication. Described another way, a user with correct login credentials is authentic.

Sounds pretty straightforward… right?

Well, no. Well, it should be. The problem is when online applications do a poor job of keeping your credentials safe.

Sending Your Login Credentials

First of all, when you enter your username and password into a website that does not use an encrypted SSL connection, it is possible (dare I say easy?) for a hacker to read your username and password as it is sent to the website. If a website is really concerned about their user’s security then login forms should always use an SSL connection.

Storing User Login Credentials

In order for sites to authenticate returning users, they need to store the user’s credentials. Usually the credentials are stored in a database. The most important thing to recognize about login credentials is that they are the keys to a person’s online identity. Therefore, it is extremely important to store login credentials in a very secure way. The most basic level of security is to make sure that the database is not publicly accessible. But, even if the public doesn’t have direct access to the database, there are other measures that should be taken to keep login credentials as secure as possible.

A no-good, horrible, irresponsible, wrong, wrong, WRONG way of storing user credentials

Some irresponsible sites have stored credentials like this:

A Bad Users Database Table

First Name Last Name Username Password
Brandon Quakkelaar bq2013 guessme
Jane Doe jdOnline password
Bob Smith bsmith secret

This is dangerous for a couple of reasons. The first and most glaring reason it is dangerous is because of the passwords are stored in plain text. This means that anyone who has access to this database (such as an employee of the website) can look up Jane Doe and find her password, Thereby allowing that person to steal Jane’s identity on that site. On top of that, if Jane has used the same password on other sites (like an online banking site) she is now vulnerable to identity theft there as well.

A slightly better way of storing user credentials

Some sites that are more concerned with security store credentials a bit differently. They actually encrypt user’s password before storing them in the database.

Users Database Table with Encrypted Passwords

First Name Last Name Username EncryptedPassword
Brandon Quakkelaar bq2013 hRnAQlrCPXFSGsS4cXDWh+vFLVWSlJka1YWBPTrpImI=
Jane Doe jdOnline 3ookjok1lRzkDBXTYr2PPGigEM+U7mnCJ/Uxof7nPgI=
Bob Smith bsmith SKAbxUcdUOmqkP9TXJElrHkaZoIFwhGfzbcmy26QgN8=

Now the passwords are stored encrypted instead of stored as plain text. This is better, but this is still bad. The problem is that this particular encryption is reversible. This means that if an employee of the website wanted to, she could decrypt all the passwords. Not only that, but if someone gets ahold of Bob’s decrypted password, then they can hack into Bob’s account and Bob would never know about it until after something significant happens.

Passwords should be stored as a one-way hash with salt

When a person registers on a website, the website should do at least three things to ensure security.

  1. Send all credential information over an SSL
  2. Use a one-way hashing algorithm
  3. Use a Salt for each password

Hashing passwords with a one-way hashing algorithm is similar to encrypting passwords. The difference is that once the password is hashed, it cannot be converted back to the original value. This is important and it is a weakness of systems that just encrypt their passwords.

For example, let’s say I use the password “4mazingPa55word”. If I encrypted that password using the key “key”, then “4mazingpa55word” becomes “B0csjGFQtvfg+05Ufr6gJBiZPWe1s77krk4oSF0FlWo=”. The problem is that using that key, I can decrypt the encrypted password back to plain text. Whenever a password can be obtained in it plain text form, that is a bad thing. that means that a disgruntled employee with access to the database could decrypt passwords and log into people’s accounts without them ever realizing that their password has been compromised.

The scary thing is that well known companies have been caught storing passwords in a way that allows the plain text version to be retrieved. In September of 2012, Pandora.com was caught doing this very thing.

Now, let’s consider a password stored using a one-way hash.

Users Database Table with Salted and Hashed Passwords

First Name Last Name Username Salt HashedPassword
Brandon Quakkelaar bq2013 123abc jLg+RKUYydfcFmvuAD9DxXEaevk=
Jane Doe jdOnline qweasd IpVoLHy0+QqENEEmByVevHzoUUU=
Bob Smith bsmith poiqwe SYMTwSQi8+XtKAAtkJvXON8IQoY=

This way of storing passwords is more secure than just encrypting passwords, and it’s much more secure than just storing passwords in plain text.

What is the Salt For?

The salt is a value that is randomly generated by the website when a user registers. It is added to the user supllied password before is gets hashed. This means that if your password is a common password, the hash will be more difficult to crack because the system automatically adds a random value to it. This protects against attacks using Rainbow tables.

So please, if you are ever in the position to write user authentication software, please Salt and one-way hash your password over an SSL!

Additional Reading