Passwords. They are ubiquitous. You can’t avoid them. Given all the amazing things that have been invented over the last 50 years or so, there is still nothing that looks set to replace the humble password any time soon. Anything you do online these days requires you to register an account. Often this is unnecessary, just a way for companies to harvest your details so they can send you yet more targeted ads (spam!). Of course, registering necessitates yet another password.
Now, I am very security conscious, so I take passwords seriously. I use LastPass to ensure that all of the sites I access use unique and very strong passwords (at least 15 characters of alphanumeric and special characters). I go to a lot of trouble by paying for (I subscribe as a premium member so I can get mobile access) and using a program that ensures my passwords are secure. So why, oh why, do so many sites that I use (and this includes my bank!) insist on being so dumb when it comes to passwords?
One such dumb practice is restricting the length of your password or the characters you can use. At best this is bad practice; everyone knows that the longer a password is, and the larger the set of characters it can contain, the harder it is to crack. But worse is what this restriction implies: the site is probably storing your original password, and probably in plain text. How do I deduce this? Well, it’s quite simple; I’ll explain.
If your password were stored, as it should be, as a salted one-way cryptographic hash, then the contents and length of your password wouldn’t make any odds whatsoever, because the value that is stored is a (large) fixed-length number regardless of the input. So the fact that the contents of your password matter so much to the site means that it is probably being stored insecurely. Either that, or the programmer who designed the interface is an idiot.
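To make the point concrete, here is an added example (my own code, not from the original post) of what salted one-way storage looks like in Python using PBKDF2 from the standard library; the function names, record format and iteration count are my own choices, not any particular site’s.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Illustrative parameters chosen for this example; tune to your own threat model.
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor
SALT_BYTES = 16        # random salt per password, stored alongside the digest


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record 'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>'.

    The digest is always 32 bytes, whatever the length or characters of the
    password, which is why a properly hashing site has no reason to cap them.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh, unpredictable salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.

    The original password is never needed again: only the record is kept.
    """
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def stored_digest_length(record: str) -> int:
    """Length in bytes of the digest part of a stored record."""
    return len(bytes.fromhex(record.split("$")[3]))


if __name__ == "__main__":
    short = hash_password("pa55")
    long_ = hash_password("correct horse battery staple £€ " * 4)  # 128 chars, non-ASCII
    print(stored_digest_length(short), stored_digest_length(long_))   # 32 32
    print(verify_password("pa55", short), verify_password("pa56", short))  # True False
```

A generous upper bound on length (a few hundred characters) is still reasonable purely to bound hashing cost per login attempt; that is a different matter from the short caps and character bans the post complains about, which a scheme like this never needs.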
The other thing that is becoming more and more frequent is for sites to actually e-mail you your own password in plain-text once you’ve registered. Yeah, thanks for that. I do have a mind like a sieve and unless you were to e-mail me my own password I might have just forgotten it immediately. Meanwhile, don’t worry about anyone who is packet sniffing your traffic or mine. I’m sure they’ll not use my password to access my account on your service.
I’m truly fed up with sites taking my privacy and security so glibly. I think it’s about time there was a “name and shame” web site. In fact, I might just start one myself. Wait, I just need to register with a hosting service… give them my password… noooooo!!!!!
2 thoughts on “Is your password salty enough?”
Interesting. I never thought about the fact that they are comparing my password and limiting it. SMART CARDS are a good way to keep passwords. I am sure they have their vulnerabilities also.