posted by Fnord666 on Tuesday March 05 2019, @01:15PM   Printer-friendly
from the push-it dept.

You heard me. You know how weak your users’ passwords likely are. You know your users are almost certainly sharing their passwords with multiple sites. You know that a compromise of your database could lead to significant damage coming to them. You know this because it happens all the time, all over the web.

You have a duty to protect the security and privacy of your userbase. They’ve entrusted you with their data, and it is on you to keep it safe. So why aren’t you doing everything possible to accomplish that task? For this blog, we are going to talk exclusively about password storage.

If you ask just about any security professional in the world how best to store a password, you’re liable to hear something about using a cryptographically secure hashing function “with a salt.” Some will go so far as to mention algorithms like Bcrypt or Scrypt. Very few will make any mention of how password policy plays a significant part in ensuring the security of any stored values.

But almost none of them will even mention the word “pepper.” Now I suspect this isn’t malicious (obviously). I think even most security professionals simply aren’t informed enough to know or act with regard to this concept.

So today we’re gonna work on that…

  • (Score: 2) by donkeyhotay (2540) on Tuesday March 05 2019, @04:28PM (#810294) (1 child)

    Yes! Thank you! That's just what I was thinking. WTF is "peppering"?

  • (Score: 2) by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Tuesday March 05 2019, @04:54PM (#810304)
    Basically, it's salt that's not stored in the same place as your password, such that a compromise of the DB still leaves attackers without a way of performing the same encryption function that you do, so a dictionary attack can't be performed. (the naive "brute force" is just a dictionary attack with the dumbest possible of all dictionaries)

    It adds a roadbump, they need to compromise 2 things not one. However, it only protects you *better* than without on the assumption that your database is compromised. Why would you make that assumption? If your answer is "well, it's inevitable eventually", then the follow-up question "why is your defence of the pepper stronger than that of the salt and encrypted password, and why aren't you using that for the salt and encrypted password?" might flag some warning signs that you've not really thought things through fully.

    Note, for example, that you have always been able to just store your salt (and encrypted passwords) in a separate location, and don't need to call this remote thing "pepper". Of course, you then have more complicated data management, but you do with this so-called "pepper" too. Even if pepper is common across users, rather than per user (didn't read the article long enough to work that out), that makes no difference - it really is as hard to keep 16 bytes secret as 16MB - you rarely hear of hackers cracking just one account, or of crappy websites leaking just one account. It's generally 0 or loads that gets out, so there's little to be gained by thinking that you only need to hide a small amount of secret material.

    Disclaimer: I am not a professional in the field, and I hold a few distinctly non-mainstream views when it comes to security practices. Feel free to reject any or all of the above.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
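A password store of the kind FatPhil describes (per-user salt stored next to the digest, a site-wide pepper kept elsewhere), as an added example that is neither the article's nor the commenters' code; the pepper value, iteration count and the `offline_guess` helper are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed placeholder pepper: in practice this lives in app config or a
# secrets manager, never in the same database as the salts and digests.
PEPPER = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
ITERATIONS = 100_000  # illustrative; tune to your hardware budget


def _prehash(password: str, pepper: bytes) -> bytes:
    # HMAC the password under the pepper first, so every stored digest depends
    # on a secret that a DB dump does not contain.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def make_record(password: str, pepper: bytes = PEPPER) -> dict:
    # The per-user random salt is stored beside the digest, as usual; the pepper is not.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", _prehash(password, pepper), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iters": ITERATIONS}


def verify(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256", _prehash(password, pepper), bytes.fromhex(record["salt"]), record["iters"]
    )
    # Constant-time comparison of the recomputed digest with the stored one.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def offline_guess(record: dict, wordlist: Iterable[str], pepper: Optional[bytes]) -> Optional[str]:
    # Models what a leaked DB row (salt + digest + iteration count) gives someone:
    # holding the pepper they can recompute digests, so a weak password falls to
    # the wordlist; without it the server's function cannot be reproduced and no
    # candidate can ever match. (b"" stands in for "pepper unknown".)
    for guess in wordlist:
        if verify(guess, record, pepper if pepper is not None else b""):
            return guess
    return None
```

As the comment above notes, this only buys anything if the pepper really is kept somewhere a database compromise does not reach; if it sits in the same place, it is just a longer salt.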