
posted by Fnord666 on Tuesday March 05 2019, @01:15PM   Printer-friendly
from the push-it dept.

You heard me. You know how weak your users' passwords likely are. You know your users are almost certainly sharing their passwords with multiple sites. You know that a compromise of your database could lead to significant damage coming to them. You know this because it happens all the time, all over the web.

You have a duty to protect the security and privacy of your userbase. They’ve entrusted you with their data, and it is on you to keep it safe. So why aren’t you doing everything possible to accomplish that task? For this blog, we are going to talk exclusively about password storage.

If you ask just about any security professional in the world how best to store a password, you're liable to hear something about using a cryptographically secure hashing function "with a salt." Some will go so far as to mention algorithms like Bcrypt or Scrypt. Very few will make any mention of how password policy plays a significant part in ensuring the security of any stored values.

But almost none of them will even mention the word "pepper." Now I suspect this isn't malicious (obviously). I think even most security professionals simply aren't informed enough to know or act with regard to this concept.

So today we’re gonna work on that…
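As a worked illustration of the scheme the excerpt is pointing at (salt stored next to the hash, pepper kept outside the database), here is an added example written for this page; it is not code from the linked blog post. It assumes a pepper table keyed by a version id so the pepper can be rotated, uses an HMAC pre-hash followed by scrypt (one of the algorithms the excerpt names; the cost parameters are assumed), and the pepper value itself is a constructed constant that a real deployment would load from an environment variable, KMS or HSM rather than from source:

```python
import hashlib
import hmac
import os

# Constructed example: the pepper lives outside the users table (env var,
# KMS, HSM, or a config file with tight permissions). It is keyed by a
# version id so a new pepper can be introduced: new records use the current
# id, old records keep verifying until the user's next login re-hashes them.
PEPPERS = {
    "p1": bytes.fromhex(
        "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"),
}
CURRENT_PEPPER_ID = "p1"

# scrypt cost parameters (assumed here; tune them to your hardware budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def _prehash(password: str, pepper: bytes) -> bytes:
    """HMAC the password with the pepper, so the stored hash depends on a
    secret that an attacker holding only a database dump does not have."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper_id: str = CURRENT_PEPPER_ID) -> str:
    """Return a self-describing record: algorithm, pepper id, cost, salt, key.
    Only the salt and the derived key go into the database."""
    salt = os.urandom(16)  # per-user salt, stored alongside the hash
    key = hashlib.scrypt(_prehash(password, PEPPERS[pepper_id]), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", pepper_id, str(SCRYPT_N), str(SCRYPT_R),
                     str(SCRYPT_P), salt.hex(), key.hex()])


def verify_password(password: str, record: str, peppers=PEPPERS) -> bool:
    """Recompute the key from the record's own parameters and compare in
    constant time. Fails closed on a malformed record or an unknown pepper."""
    try:
        alg, pepper_id, n, r, p, salt_hex, key_hex = record.split("$")
    except ValueError:
        return False
    if alg != "scrypt" or pepper_id not in peppers:
        return False  # unknown scheme, or a pepper we no longer hold
    key = hashlib.scrypt(_prehash(password, peppers[pepper_id]),
                         salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def needs_rehash(record: str) -> bool:
    """True when the record uses a retired pepper or weaker cost settings.
    Call this right after a successful login, the one moment the plaintext
    is available, and store hash_password(password) if it returns True."""
    parts = record.split("$")
    if len(parts) != 7 or parts[1] != CURRENT_PEPPER_ID:
        return True
    return (int(parts[2]), int(parts[3]), int(parts[4])) != (
        SCRYPT_N, SCRYPT_R, SCRYPT_P)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))   # True
    # A dump of the users table without the pepper cannot be verified
    # or cracked offline against this record:
    print(verify_password("correct horse battery staple", rec,
                          peppers={"p1": b"guessed-wrong"}))     # False
```

The caveat the excerpt hints at still applies: the pepper only helps if it really is stored somewhere the database compromise does not reach, and because it cannot be re-applied without the plaintext, rotation has to happen lazily at login, which is what the version id in the record is for.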


  • (Score: 1, Informative) by Anonymous Coward on Tuesday March 05 2019, @03:00PM (#810262) (5 children)

    If you cared about strong passwords on your site, you could just assign them yourself.

    which will guarantee that most of your users will write it down somewhere, and store that post-it/piece of paper near their computer
  • (Score: 4, Insightful) by HiThere (866) Subscriber Badge on Tuesday March 05 2019, @04:59PM (#810307) Journal (4 children)

    Which actually isn't a bad form of protection against net-based attacks. I know that everyone says you shouldn't write the password on a post-it note and stick it on your screen, but that depends on the kind of attack you're guarding against. For a net-based attack, that's a superior form of protection.

    Now ideally one would have protection against all attack vectors, but currently the most common attacks are net-based, so it's really time to stop dissing the post-it note approach, and rather say "But you'd better also have a computer-based protection layer."

    --
    Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
    • (Score: 2) by JoeMerchant (3937) on Tuesday March 05 2019, @05:24PM (#810318) (2 children)

      Any attacker who has gotten past the building physical security and is sitting calmly at my desk, not being detained by security called from my trusted colleagues, has already won. I don't have any passwords on sticky notes, but I do have a pile of unsecured USB memory sticks, as well as physical devices galore which can be loaded up on a cart and taken away for dissection bypassing all security and reading the SSDs directly.

      What they will find is 99.999% harmless, mostly freely available software downloaded from the web. If they're looking for dirt, they'd be better off setting up a video capture of management's screens so they can read their e-mails.

      --
      🌻🌻 [google.com]
      • (Score: 2) by https (5248) on Tuesday March 05 2019, @06:47PM (#810358) Journal (1 child)

        Possible your attacker is your "trusted" colleague. Who hates your guts because you don't get shit on when you screw up. Or maybe the shape of your head offends. Who knows? Religious whackjobs don't need a reason to use your tools to frame you.

        Because net-based attacks and social-engineering-based attacks both exist, it seems prudent to give a thought to both.

        --
        Offended and laughing about it.
        • (Score: 2) by HiThere (866) Subscriber Badge on Tuesday March 05 2019, @07:18PM (#810374) Journal

          You are assuming a particular sheaf of use-cases. And I *did* suggest two levels of protection, only one of which would be affected by the post-it note. Two is a definite minimum, even for a home system, but the post-it note for the one that doesn't have any automated computer response, and which is different for lots of different accounts, should not be dismissed as "Don't even consider that horrible approach!", because sometimes it's a quite reasonable approach.

          --
          Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
    • (Score: 1, Insightful) by Anonymous Coward on Tuesday March 05 2019, @05:28PM (#810319)

      It's important that it's stuck on the screen, so the attacker who gains access to the built-in web-camera can't see the post-it note.