Sunday, July 29, 2012

A call for password algorithm disclosure

Not even 24 hours after my Defcon talk, in which I expressed my opinion that password hashing policies should be disclosed, Twitter finds out that @UKTesco believes this is acceptable: Passwords are stored in a secure way. They’re only copied into plain text when pasted automatically into a password reminder mail.

No.  If you can recover the plaintext of the password to send in an unencrypted email, your passwords are not "stored in a secure way."  They are stored in a fully insecure way.

LinkedIn: Unsalted SHA1.
Yahoo Music: Plaintext.
eHarmony: Unsalted MD5.
RockYou: Plaintext.

This is unacceptable.  This is 2012, not 1982.

My proposal is very simple:

Disclose your password hashing algorithm publicly on your website.

If you are using BCrypt, tell us.  If you are using PBKDF2 with a high iteration count, tell us.  If you are using SCrypt, tell us.  If you are using unsalted anything... fix it before you tell us.  If you are using plaintext, fix it before you tell us.

The new user behavior should be:
If a website does not tell you what hashing algorithm they use, assume they use plaintext.

This is the only reasonable way to deal with the fact that websites, in large numbers, do not take their password security seriously.

For website operators who are concerned about this: Why are you concerned?  If you are using a good password hashing algorithm, this is a very good thing to advertise.  If you do NOT use a good password hashing algorithm... people will find out eventually.  One way or another, people will find out, and it's not a good thing when they find out you've been treating their sensitive passwords as common temp data.

Please feel free to share.  Let's fix this problem.

No comments:

Post a Comment