My new year’s resolution is 2880×1800. With that out of the way, I’d like to acknowledge this year drawing to a close with a brief nod to Standards Compliance. Industry standards are important, but should not be based on methods which merely appear to have stood the test of time. They should – and often are – based on methods known to be robust, reliable, scalable and mathematically sound. It is these strengths, together with the absence of any reliance on obscurity for security, which truly allow algorithms to stand the test of time. In light of the countless high profile ‘hacks’ which occurred this year leading to password leaks, one must ask – why does it seem so hard to follow basic principles?
Security programming is hard. There are, however, certain fundamentals which must be satisfied if one is to build a secure system. Passwords should never be stored in a database in plain text. This has been exhaustively repeated, but the point doesn’t seem to be hitting home. Consider Tesco, for instance, who recently came under fire from a UK watchdog for E-mailing users their passwords in plain text when prompted online for a reminder. Their initial justification was that they store passwords ‘in a secure way’ and that passwords are ‘only copied into plain text when pasted automatically into a password reminder mail’.
If the mechanism for this exists, the passwords are not stored in a secure way. After setting it, if you’re able to get your password back, there are inherent problems in the system’s security. The obvious problem is that of transmission over an insecure channel, leaving your personal data open to people snooping on the network connection. The real issue, however, is that if the administrators of a system are able to get your password back, so can anyone. Cryptographic best practices exist to protect your data from anyone, whether it be malicious hackers or administrators of the system you intend to log in to.
I recently signed up to the Financial Times online. Shortly after creating an account, I was sent an E-mail from them telling me what my password is. EE’s twitter account has today been asking people for their passwords over direct message to assist them with their problems, and not long after, spoof accounts imitating EE were created to try to phish such details from other users too.
This behaviour is unacceptable in a time where online data surrounds our lives so abundantly. So what’s the right thing to do?
Passwords must never be stored in clear text within a database. Symmetric encryption is also not sufficient, since whoever holds the key can decrypt them. Best practice is to apply a one-way hashing function (with a random salt per user) to transform the password into something which differs wildly even when different users register with the same password. This is helpful because if the database is compromised, it is not a trivial process to reverse the hashes to find the original data. Without the salt, a malicious hacker can precompute hashes of common passwords once and compare them against the leaked data for matches. What is compared when logging in to a system are the hashes, not the passwords themselves.
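As an added illustration of the scheme just described (example code written for this post, not code from any of the companies mentioned), the following Python shows registration storing only a random salt and a one-way hash, log-in comparing recomputed hashes rather than passwords, two users with the same password ending up with different stored values, and why a precomputed table of unsalted hashes matches an unsalted store but not a salted one. The choice of PBKDF2-HMAC-SHA256 with 200,000 iterations, the 16-byte salt and the in-memory `_users` dictionary standing in for the database are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

# Parameters chosen for this example (assumptions, not from the post).
HASH_NAME = "sha256"
ITERATIONS = 200_000
SALT_BYTES = 16

# Constructed stand-in for the users table: username -> (salt, salted hash).
# The plain-text password is never written here.
_users: Dict[str, Tuple[bytes, bytes]] = {}


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """One-way transform of password + salt; only this output is ever stored."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)


def register(username: str, password: str) -> Tuple[bytes, bytes]:
    """Generate a fresh random salt, store salt + hash, discard the password."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = derive(password, salt)
    _users[username] = (salt, digest)
    return salt, digest


def verify(username: str, password: str) -> bool:
    """Log-in check: recompute the hash with the stored salt and compare the
    hashes, never the passwords. Constant-time comparison avoids timing leaks."""
    record = _users.get(username)
    if record is None:
        # Spend the same work for unknown users so response time does not
        # reveal which usernames exist.
        derive(password, bytes(SALT_BYTES))
        return False
    salt, stored = record
    return hmac.compare_digest(derive(password, salt), stored)


def same_password_differs(username_a: str, username_b: str, password: str) -> bool:
    """Two users registering the same password get different stored hashes."""
    _, a = register(username_a, password)
    _, b = register(username_b, password)
    return a != b


def unsalted_hex(password: str) -> str:
    """What a naive, unsalted store would hold: a bare SHA-256 of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def lookup_in_precomputed_table(stored_hex: str, common_passwords: Iterable[str]) -> Optional[str]:
    """The risk the salt removes: a table of unsalted hashes of common passwords
    can be built once and checked against every leaked row. Returns the password
    if the stored value is found in the table, otherwise None."""
    table = {unsalted_hex(p): p for p in common_passwords}
    return table.get(stored_hex)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("alice logs in:", verify("alice", "correct horse battery staple"))
    print("wrong password:", verify("alice", "wrong"))
    print("same password, different hashes:", same_password_differs("bob", "carol", "hunter2"))
    common = ["123456", "password123", "qwerty"]  # constructed sample list
    print("unsalted store hit:", lookup_in_precomputed_table(unsalted_hex("password123"), common))
    _, salted = register("dave", "password123")
    print("salted store hit:", lookup_in_precomputed_table(salted.hex(), common))
```

The salt need not be secret; it lives next to the hash in the same table. Its job is only to make every stored value unique, so that one precomputed table no longer answers for every row.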
The behaviour of banks may be another potential issue. Natwest asks users for certain characters of their password, coupled with a username, to log in online. Halifax, however, asks users for the entire password and specific characters of their ‘memorable information’. Halifax’s methods are more sound here, as this is clearly two factor authentication with a hashed password. The problem with Natwest’s method is that they have the ability to verify individual characters of a password. One can assume it isn’t hashed in the conventional methods described above as a result. Whether it’s actually not following best practice, we cannot be sure.
We need to move away from a culture where high profile leaks by groups such as Anonymous are the biggest motivators of security improvements, and start ensuring systems are standards compliant across the board.
What can you do to protect yourself from appearing on lists of leaked usernames and passwords and having your accounts compromised? Don’t use the same password for different services, and use strong alphanumeric passwords which don’t resemble dictionary words where possible. If you’re so inclined, stick some dictionary words together to improve entropy. But most of all, be aware that if you can get your password back in plain text from a system you trust, stop trusting it, and keep your credentials secret.
I hope we’ll see fewer exploits of this nature as we implement the ‘prevention is better than cure’ philosophy into our systems, and I wish you all a cryptographically secure 56ab24c15b72a457069c5ea42fcfc640 22af645d1859cb5ca6da0c484f1f37ea 84cdc76cabf41bd7c961f6ab12f117d8.
– Alex Kara