posted by Fnord666 on Tuesday March 05 2019, @01:15PM
from the push-it dept.

You heard me. You know how weak your users' passwords likely are. You know your users are almost certainly sharing their passwords with multiple sites. You know that a compromise of your database could lead to significant damage coming to them. You know this because it happens all the time, all over the web.

You have a duty to protect the security and privacy of your userbase. They’ve entrusted you with their data, and it is on you to keep it safe. So why aren’t you doing everything possible to accomplish that task? For this blog, we are going to talk exclusively about password storage.

If you ask just about any security professional in the world how best to store a password, you're liable to hear something about using a cryptographically secure hashing function "with a salt." Some will go so far as to mention algorithms like Bcrypt or Scrypt. Very few will make any mention of how password policy plays a significant part in ensuring the security of any stored values.

But almost none of them will even mention the word "pepper." Now I suspect this isn't malicious (obviously). I think even most security professionals simply aren't informed enough to know or act with regard to this concept.

So today we’re gonna work on that…
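The excerpt above names the three ingredients (a slow hash such as scrypt, a per-user salt, and a secret pepper) without showing how they fit together. The following is an added illustration, not code from the linked blog or from SoylentNews: it binds the password to a server-side pepper with HMAC-SHA256 first, then salts and stretches the result with scrypt from Python's standard `hashlib`. The `PEPPER` value, the cost parameters and the `scrypt$N$r$p$salt$digest` record layout are constructed for the example; in a real deployment the pepper is generated once with a CSPRNG and stored outside the user database (environment variable, KMS or HSM), which is the whole point: a dump of the users table yields hashes and salts but not the secret needed to begin guessing.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example pepper (hex). Real deployments keep this OUT of the
# user database so a table dump alone is not enough to start cracking.
PEPPER = bytes.fromhex("7f3a9c1e5b2d4680aa11bb22cc33dd44")

# scrypt cost parameters; assumed reasonable defaults for this illustration.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _prehash(password: str, pepper: bytes) -> bytes:
    """Bind the password to the secret pepper with HMAC-SHA256.

    The HMAC output, not the raw password, is what gets salted and stretched,
    so the stored digest depends on a secret that never touches the database.
    """
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user; stored next to the hash
    digest = hashlib.scrypt(
        _prehash(password, pepper), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, pepper: bytes, record: str) -> bool:
    """Recompute the digest for a candidate password and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = record.split("$")
        if algo != "scrypt":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False  # malformed record: fail the login, never raise to the caller
    candidate = hashlib.scrypt(
        _prehash(password, pepper), salt=salt, n=n, r=r, p=p, dklen=len(expected),
    )
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple", PEPPER)
    print(rec)
    print(verify_password("correct horse battery staple", PEPPER, rec))          # True
    print(verify_password("correct horse battery staple", b"wrong pepper", rec))  # False
```

Two practical consequences follow from the design. Because the pepper is folded in before the salted hash, it cannot be rotated by rewriting the database; existing records have to be re-hashed the next time each user logs in successfully, so the record format should carry enough information (here the algorithm and cost parameters) to tell old and new entries apart. And the salt still matters even with a pepper: it keeps two users with the same password from producing the same digest, which the pepper alone does not prevent.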


  • (Score: 1) by pTamok (3042) on Wednesday March 06 2019, @12:39PM (#810682)

    You can 'pepper' your own passwords.

    If you have separate passwords for each site/application that needs a password, then the recommendation is that you use a password manager to keep track of them all (and maybe do things like auto-type passwords into password fields for you). This obviously has a risk associated with you having the password database compromised in some way.

    A mitigation is to add (e.g. as a suffix) a strong password to all the passwords you use, but you don't record it - you merely add it to the password provided by your password manager.
    So your banking password might be Correct-Horse-Battery-Staple, and your online medical history password might be AlYoBaArBe2Us, so what you do is add your common strong(ish) password at the end, so Correct-Horse-Battery-Staple becomes Correct-Horse-Battery-Staple-tQ7CrSRkJ4BD and AlYoBaArBe2Us becomes AlYoBaArBe2Us-tQ7CrSRkJ4BD.

    This has a couple of effects:

    1) You make all your passwords where you add the strong password stronger
    2) By not having the 'pepper' in your Password Management application, you decrease the risk of having all your passwords revealed if the application is compromised

    The downside is that you have to remember one strong password and type it in every time you use the password manager, making things less convenient for yourself.