Your favorite website is asking you for your username and password.
Username? Password? Sure, you’ve got those. [You enter your username] then [you enter your password] then [you press enter] then boom, you’re logged into the website.
What actually just happened? Well, assuming that you entered correct login credentials, you can now access whatever members only area that site offers to those credentials. But before that, in the split seconds after you clicked login and before you saw your profile, the website had to verify that the credentials you entered were correct. It had to make sure that it knew the username you entered and it had to make sure that your password belonged with that username. That process is called authentication.
What Does Authentication Mean?
It is common for online applications (like websites) to want to identify their users. Take Facebook as an example. Facebook cannot operate unless it is able to reliably identify its users. So, Facebook provides a registration process for new users to create accounts. That registration asks the user to give login credentials. In Facebook’s case the credentials consist of an email address and a password. When a registered user visits Facebook, they can enter their credentials and Facebook knows who they are because they have registration information for those credentials. Being able correctly identify a returning user is called authentication. Described another way, a user with correct login credentials is authentic.
Sounds pretty straightforward… right?
Well, no. Well, it should be. The problem is when online applications do a poor job of keeping your credentials safe.
Sending Your Login Credentials
First of all, when you enter your username and password into a website that does not use an encrypted SSL connection, it is possible (dare I say easy?) for a hacker to read your username and password as it is sent to the website. If a website is really concerned about their user’s security then login forms should always use an SSL connection.
Storing User Login Credentials
In order for sites to authenticate returning users, they need to store the user’s credentials. Usually the credentials are stored in a database. The most important thing to recognize about login credentials is that they are the keys to a person’s online identity. Therefore, it is extremely important to store login credentials in a very secure way. The most basic level of security is to make sure that the database is not publicly accessible. But, even if the public doesn’t have direct access to the database, there are other measures that should be taken to keep login credentials as secure as possible.
A no-good, horrible, irresponsible, wrong, wrong, WRONG way of storing user credentials
Some irresponsible sites have stored credentials like this:
A Bad Users Database Table
| First Name | Last Name | Username | Password |
|---|---|---|---|
| Brandon | Quakkelaar | bq2013 | guessme |
| Jane | Doe | jdOnline | password |
| Bob | Smith | bsmith | secret |
This is dangerous for a couple of reasons. The first and most glaring reason it is dangerous is because of the passwords are stored in plain text. This means that anyone who has access to this database (such as an employee of the website) can look up Jane Doe and find her password, Thereby allowing that person to steal Jane’s identity on that site. On top of that, if Jane has used the same password on other sites (like an online banking site) she is now vulnerable to identity theft there as well.
A slightly better way of storing user credentials
Some sites that are more concerned with security store credentials a bit differently. They actually encrypt user’s password before storing them in the database.
Users Database Table with Encrypted Passwords
| First Name | Last Name | Username | EncryptedPassword |
|---|---|---|---|
| Brandon | Quakkelaar | bq2013 | hRnAQlrCPXFSGsS4cXDWh+vFLVWSlJka1YWBPTrpImI= |
| Jane | Doe | jdOnline | 3ookjok1lRzkDBXTYr2PPGigEM+U7mnCJ/Uxof7nPgI= |
| Bob | Smith | bsmith | SKAbxUcdUOmqkP9TXJElrHkaZoIFwhGfzbcmy26QgN8= |
Now the passwords are stored encrypted instead of stored as plain text. This is better, but this is still bad. The problem is that this particular encryption is reversible. This means that if an employee of the website wanted to, she could decrypt all the passwords. Not only that, but if someone gets ahold of Bob’s decrypted password, then they can hack into Bob’s account and Bob would never know about it until after something significant happens.
Passwords should be stored as a one-way hash with salt
When a person registers on a website, the website should do at least three things to ensure security.
- Send all credential information over an SSL
- Use a one-way hashing algorithm
- Use a Salt for each password
Hashing passwords with a one-way hashing algorithm is similar to encrypting passwords. The difference is that once the password is hashed, it cannot be converted back to the original value. This is important and it is a weakness of systems that just encrypt their passwords.
For example, let’s say I use the password “4mazingPa55word”. If I encrypted that password using the key “key”, then “4mazingpa55word” becomes “B0csjGFQtvfg+05Ufr6gJBiZPWe1s77krk4oSF0FlWo=”. The problem is that using that key, I can decrypt the encrypted password back to plain text. Whenever a password can be obtained in it plain text form, that is a bad thing. that means that a disgruntled employee with access to the database could decrypt passwords and log into people’s accounts without them ever realizing that their password has been compromised.
The scary thing is that well known companies have been caught storing passwords in a way that allows the plain text version to be retrieved. In September of 2012, Pandora.com was caught doing this very thing.
Now, let’s consider a password stored using a one-way hash.
Users Database Table with Salted and Hashed Passwords
| First Name | Last Name | Username | Salt | HashedPassword |
|---|---|---|---|---|
| Brandon | Quakkelaar | bq2013 | 123abc | jLg+RKUYydfcFmvuAD9DxXEaevk= |
| Jane | Doe | jdOnline | qweasd | IpVoLHy0+QqENEEmByVevHzoUUU= |
| Bob | Smith | bsmith | poiqwe | SYMTwSQi8+XtKAAtkJvXON8IQoY= |
This way of storing passwords is more secure than just encrypting passwords, and it’s much more secure than just storing passwords in plain text.
What is the Salt For?
The salt is a value that is randomly generated by the website when a user registers. It is added to the user supllied password before is gets hashed. This means that if your password is a common password, the hash will be more difficult to crack because the system automatically adds a random value to it. This protects against attacks using Rainbow tables.
So please, if you are ever in the position to write user authentication software, please Salt and one-way hash your password over an SSL!
Additional Reading
- Pandora Password Weakness Exposed
- Some Best Practices for Web App Authentication
- You’re Probably storing Password Incorrectly
Please share this post with a friend, and subscribe to get notified of new posts.
Comments may be sent to blog@quakkels.com.
