
posted by Fnord666 on Tuesday March 05 2019, @01:15PM
from the push-it dept.

You heard me. You know how weak your users' passwords likely are. You know your users are almost certainly sharing their passwords with multiple sites. You know that a compromise of your database could lead to significant damage coming to them. You know this because it happens all the time, all over the web.

You have a duty to protect the security and privacy of your userbase. They’ve entrusted you with their data, and it is on you to keep it safe. So why aren’t you doing everything possible to accomplish that task? For this blog, we are going to talk exclusively about password storage.

If you ask just about any security professional in the world how best to store a password, you're liable to hear something about using a cryptographically secure hashing function "with a salt." Some will go so far as to mention algorithms like Bcrypt or Scrypt. Very few will make any mention of how password policy plays a significant part in ensuring the security of any stored values.

But almost none of them will even mention the word "pepper." Now I suspect this isn't malicious (obviously). I think even most security professionals simply aren't informed enough to know or act with regard to this concept.

So today we’re gonna work on that…

  • (Score: 0) by Anonymous Coward on Tuesday March 05 2019, @02:35PM (16 children)

    by Anonymous Coward on Tuesday March 05 2019, @02:35PM (#810251)

    Who cares about stupid passwords, force your lusers to use 2FA via SMS, and you can harvest their phone numbers.
    If you cared about strong passwords on your site, you could just assign them yourself.

  • (Score: 3, Touché) by PiMuNu on Tuesday March 05 2019, @02:38PM

    by PiMuNu (3823) on Tuesday March 05 2019, @02:38PM (#810253)

    > If you cared about strong passwords on your site, you could just assign them yourself.

    which is why AC's password is %ASKFJAala;lsa[p[]

  • (Score: 1, Informative) by Anonymous Coward on Tuesday March 05 2019, @03:00PM (5 children)

    by Anonymous Coward on Tuesday March 05 2019, @03:00PM (#810262)

    If you cared about strong passwords on your site, you could just assign them yourself.

    which will guarantee that most of your users will write it down somewhere, and store that post-it/piece of paper near their computer

    • (Score: 4, Insightful) by HiThere on Tuesday March 05 2019, @04:59PM (4 children)

      by HiThere (866) Subscriber Badge on Tuesday March 05 2019, @04:59PM (#810307) Journal

      Which actually isn't a bad form of protection against net-based attacks. I know that everyone says you shouldn't write the password on a post-it note and stick it on your screen, but that depends on the kind of attack you're guarding against. For a net-based attack that is a superior form of protection.

      Now ideally one would have protection against all attack vectors, but currently the most common attacks are net-based, so it's really time to stop dissing the post-it note approach, and rather say "But you'd better also have a computer-based protection layer."

      --
      Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
      • (Score: 2) by JoeMerchant on Tuesday March 05 2019, @05:24PM (2 children)

        by JoeMerchant (3937) on Tuesday March 05 2019, @05:24PM (#810318)

        Any attacker who has gotten past the building physical security and is sitting calmly at my desk, not being detained by security called from my trusted colleagues, has already won. I don't have any passwords on sticky notes, but I do have a pile of unsecured USB memory sticks, as well as physical devices galore which can be loaded up on a cart and taken away for dissection bypassing all security and reading the SSDs directly.

        What they will find is 99.999% harmless, mostly freely available software downloaded from the web. If they're looking for dirt, they'd be better off setting up a video capture of management's screens so they can read their e-mails.

        --
        🌻🌻 [google.com]
        • (Score: 2) by https on Tuesday March 05 2019, @06:47PM (1 child)

          by https (5248) on Tuesday March 05 2019, @06:47PM (#810358) Journal

          Possible your attacker is your "trusted" colleague. Who hates your guts because you don't get shit on when you screw up. Or maybe the shape of your head offends. Who knows? Religious whackjobs don't need a reason to use your tools to frame you.

          Because net-based attacks and social-engineering-based attacks both exist, it seems prudent to give a thought to both.

          --
          Offended and laughing about it.
          • (Score: 2) by HiThere on Tuesday March 05 2019, @07:18PM

            by HiThere (866) Subscriber Badge on Tuesday March 05 2019, @07:18PM (#810374) Journal

            You are assuming a particular sheaf of use-cases. And I *did* suggest two levels of protection, only one of which would be affected by the post-it note. Two is a definite minimum, even for a home system, but the post-it note for the one that doesn't have any automated computer response, and which is different for lots of different accounts, should not be dismissed as "Don't even consider that horrible approach!", because sometimes it's a quite reasonable approach.

            --
            Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
      • (Score: 1, Insightful) by Anonymous Coward on Tuesday March 05 2019, @05:28PM

        by Anonymous Coward on Tuesday March 05 2019, @05:28PM (#810319)

        It's important that it's stuck on the screen, so the attacker who gains access to the built-in web-camera can't see the post-it note.

  • (Score: 0) by Anonymous Coward on Tuesday March 05 2019, @03:02PM (3 children)

    by Anonymous Coward on Tuesday March 05 2019, @03:02PM (#810264)

    Fuck passwords. Passwords are the beta of security. Fuck beta.

    Asymmetric encryption is the only secure authentication. There is WebAuthn [wikipedia.org], though it is difficult to trust anything that the w3c endorses anymore. By adding DRM to HTML5 video, w3c proves that it is compromised by capitalist interests, and the wiki page mentions support for questionable crypto algos in the WebAuthn proposal.

    Nevertheless, it is a specification for an interface, and it is up to those of us who wish to build applications that may need to protect user data (viz. oblig XKCD [xkcd.com]) to implement that interface in a way that offers meaningful protection from the capabilities of the Five Eyes (and those GRUes that lurk in the dark, ready to bash the head of authentic socialism in with an ice axe, and there is of course trusting trust, but then we must give up on Chromium entirely and support the development of a non-Alphabet-DBA-Google, non-Mozilla browser such as Midori, but I digress).

    • (Score: 0) by Anonymous Coward on Tuesday March 05 2019, @03:22PM

      by Anonymous Coward on Tuesday March 05 2019, @03:22PM (#810272)

      What do you have against Grues, you raciss?

    • (Score: 2) by DannyB on Tuesday March 05 2019, @05:05PM (1 child)

      by DannyB (5839) Subscriber Badge on Tuesday March 05 2019, @05:05PM (#810309) Journal

      Passwords are the beta of security. Fuck beta.

      Didn't the green site abandon beta? Mostly?

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
      • (Score: 0) by Anonymous Coward on Tuesday March 05 2019, @10:46PM

        by Anonymous Coward on Tuesday March 05 2019, @10:46PM (#810465)

        No idea because I abandoned the green site, completely.

  • (Score: 3, Insightful) by RS3 on Tuesday March 05 2019, @03:32PM (4 children)

    by RS3 (6367) on Tuesday March 05 2019, @03:32PM (#810275)

    How do you handle phone numbers which can't send or receive SMS, such as landlines?

    • (Score: 2) by choose another one on Tuesday March 05 2019, @03:41PM (1 child)

      by choose another one (515) Subscriber Badge on Tuesday March 05 2019, @03:41PM (#810280)

      > How do you handle phone numbers which can't send or receive SMS, such as landlines?

      Banks / Credit Card cos. will send SMS to a landline (or other non-SMS line) using a robocall.

      2FA sorted. Now just have to fix the SIM cloning man-with-another-phone-somewhere-else attacks...

      • (Score: 2) by Pino P on Tuesday March 05 2019, @06:57PM

        by Pino P (4721) on Tuesday March 05 2019, @06:57PM (#810364) Journal

        Banks / Credit Card cos. will send SMS to a landline (or other non-SMS line) using a robocall.

        Chase Bank can make a voice call, as can Outlook.com by Microsoft. Telegram reportedly falls back to voice two minutes after SMS fails. But several other websites don't do voice for 2FA. For example, if a Twitter user attempts to add a landline, instead of leaving a voice call, Twitter displays that there was an error sending a text message to the number. I seem to remember Steam, Discord, and a bunch of other services having the same problem.

    • (Score: 0) by Anonymous Coward on Tuesday March 05 2019, @03:52PM (1 child)

      by Anonymous Coward on Tuesday March 05 2019, @03:52PM (#810284)

      I rub my hands in my crotch before handling a landline.

      • (Score: 0) by Anonymous Coward on Tuesday March 05 2019, @09:24PM

        by Anonymous Coward on Tuesday March 05 2019, @09:24PM (#810424)

        But you do that with everything.

        By the way, what have you been doing with the used toilet paper you keep asking me for?