
posted by Fnord666 on Tuesday March 05 2019, @01:15PM
from the push-it dept.

You heard me. You know how weak your users’ passwords likely are. You know your users are almost certainly sharing their passwords with multiple sites. You know that a compromise of your database could lead to significant damage coming to them. You know this because it happens all the time, all over the web.

You have a duty to protect the security and privacy of your userbase. They’ve entrusted you with their data, and it is on you to keep it safe. So why aren’t you doing everything possible to accomplish that task? For this blog, we are going to talk exclusively about password storage.

If you ask just about any security professional in the world how best to store a password, you’re liable to hear something about using a cryptographically secure hashing function “with a salt.” Some will go so far as to mention algorithms like Bcrypt or Scrypt. Very few will make any mention of how password policy plays a significant part in ensuring the security of any stored values.

But almost none of them will even mention the word “pepper.” Now, I suspect this isn’t malicious (obviously). I think even most security professionals simply aren’t informed enough to know or act with regard to this concept.

So today we’re gonna work on that…
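The scheme the summary is talking about, a per-user salt plus a server-side secret pepper, as an added example written for this page (it is not the linked blog's code). The pepper bytes, the scrypt cost parameters and the stored-string format are constructed assumptions; the last function models what a dumped users table alone does and does not let someone do, which is the whole point of keeping the pepper out of the database.

```python
"""Salted and peppered password storage using only the Python standard library.

Added example for this page; not code from the article it summarises.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed demo secret. A real pepper must live outside the user database
# (environment variable, KMS/HSM, secrets manager) so that a dump of the
# users table on its own is not enough to test password guesses offline.
DEMO_PEPPER = bytes.fromhex(
    "8f1c0e5a7b2d4c6e9a0f1b3d5c7e9a1b2c4d6e8f0a1b3c5d7e9f0a2b4c6d8e0f"
)

# scrypt work factors (assumed values for an interactive login: ~16 MiB per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


def hash_password(password: str, pepper: bytes = DEMO_PEPPER,
                  salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt>$<hash>', the only thing that goes in the users table."""
    if salt is None:
        salt = os.urandom(16)  # per-user salt; public, stored next to the hash
    # Pepper step: a keyed HMAC over the password, so the value that is
    # stretched already depends on a secret the database never sees.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    # Salt step: slow, memory-hard stretch with the per-user salt, which stops
    # one precomputed table from serving every user who chose the same password.
    digest = hashlib.scrypt(peppered, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                            p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str,
                    pepper: bytes = DEMO_PEPPER) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    recomputed = hash_password(password, pepper, _unb64(parts[1]))
    return hmac.compare_digest(recomputed, stored)


def leaked_row_verifies_guess(stored: str, guess: str,
                              pepper_also_leaked: bool) -> bool:
    """Model the impact of a database dump.

    The row carries the salt and the hash, so a correct guess is confirmable
    only if the pepper leaked as well. Without it, even the right password
    cannot be recognised from the row, which is what makes a pepper worth
    storing separately.
    """
    pepper = DEMO_PEPPER if pepper_also_leaked else b""  # b"": no secret known
    return verify_password(guess, stored, pepper)


if __name__ == "__main__":
    row = hash_password("correct horse battery staple")
    print("stored:", row)
    print("login ok:", verify_password("correct horse battery staple", row))
    print("dump + pepper:", leaked_row_verifies_guess(row, "correct horse battery staple", True))
    print("dump only:", leaked_row_verifies_guess(row, "correct horse battery staple", False))
```

Rotating the pepper is the operational cost of this design: because it is mixed in before stretching, a new pepper means re-hashing each user at their next successful login (or keeping a pepper version in the stored string), so treat it as a long-lived secret with a planned rotation path rather than something changed casually.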



  • (Score: 3, Funny) by bob_super on Tuesday March 05 2019, @05:44PM (5 children)

    by bob_super (1357) on Tuesday March 05 2019, @05:44PM (#810326)

    The trick is to have a webcam pointing at your wall.
    Every time you change the post-it with the pepper, have OCR read it and automatically update the password database.
    Repeat the process every time anyone tries to authenticate, never storing the pepper in a silly file, trusting the fan nearby to drop the post-it if you haven't updated recently enough.
    The post-it is both more secure from remote hacks, and allows you to shut down all remote accesses just by turning off the light.

  • (Score: 0) by Anonymous Coward on Tuesday March 05 2019, @05:51PM (1 child)

    by Anonymous Coward on Tuesday March 05 2019, @05:51PM (#810328)

    My office is in San Francisco, and my investment partners would like to hear more...

    • (Score: 2, Informative) by nitehawk214 on Tuesday March 05 2019, @06:59PM

      by nitehawk214 (1304) on Tuesday March 05 2019, @06:59PM (#810365)

      Cloudflare [youtube.com] is already doing this.

      --
      "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
  • (Score: 2) by JoeMerchant on Tuesday March 05 2019, @06:28PM (2 children)

    by JoeMerchant (3937) on Tuesday March 05 2019, @06:28PM (#810340)

    I think your post-it lost its remote hack security the minute you pointed a webcam at it.

    Regardless, there is a certain amount of merit in the idea as an additional unexpected layer of security, and it sounds like a plot element in an upcoming Netflix tech-thriller.

    --
    🌻🌻 [google.com]
    • (Score: 2) by bob_super on Tuesday March 05 2019, @06:30PM (1 child)

      by bob_super (1357) on Tuesday March 05 2019, @06:30PM (#810341)

      > I think your post-it lost its remote hack security the minute you pointed a webcam at it.

      You haven't seen my wall.

      • (Score: 3, Funny) by JoeMerchant on Tuesday March 05 2019, @07:08PM

        by JoeMerchant (3937) on Tuesday March 05 2019, @07:08PM (#810368)

        > I think your post-it lost its remote hack security the minute you pointed a webcam at it.
        >
        > You haven't seen my wall.

        So, you'll be offloading your OCR to Deep Blue?

        --
        🌻🌻 [google.com]