Unsafe Password Storage Practices

There is a growing number of websites out there that require their members to log in on a fairly regular basis. Many times these numerous user names and/or passwords will slip our minds and we'll be forced to click on the "Forgot My Password (click here if you're an idiot)" link. Yes, I am a regular clicker of these types of links. How many times, after proceeding with this shameful process, have you received an email containing your password? No, not a link to change your password or questions about your account that only you would know (that would eventually let you in), but your actual password in plain text! This tells you a lot about how your favorite website is handling your password. Oh, and by the way, a bank, credit card company, etc. should never be able to send you your password in an email. If they can, they are not securely storing your password. Here's how it works:

Secure Password Storage
When you sign up for your new account and enter your password for the first time, your password is hashed (a one-way function) and the hash is stored in the database. This hash is a one-way avenue: it can't (in most cases) be reversed, so there is no way for anyone to retrieve the original password from it. So, if the site can't see the original password, how are you able to log back in? When you revisit the site and enter your password, it is hashed using the original algorithm, and the result is compared to the stored hash. If the two match, you are granted access.

Original Password -> SHA-1/MD5/Other Hash -> Database Storage
Login Password -> SHA-1/MD5/Other Hash -> Result is Compared to Database (Hashed)

[Figure: Password Storage]

Insecure Password Storage
When you sign up for your new account and enter your password for the first time, your password is sent directly to the database. In some cases it might be encrypted using a weak algorithm that can be decrypted. When you revisit the site to log back in, the password that you enter is compared directly to the one (or the decrypted one) stored in the database.

Original Password -> Database Storage
Login Password -> Result is Compared to Database (Plain Text)

[Figure: Password Storage Plain Text]
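The two flows above, side by side, as an added example (this is not code from the original post). The secure path hashes the password with a per-user random salt and an iterated hash (PBKDF2-HMAC-SHA256), which goes a step beyond the plain SHA-1/MD5 shown in the diagram; the insecure path stores the password as-is. The in-memory dictionaries stand in for the database, and the iteration count is an assumption chosen for the example.

```python
import hashlib
import hmac
import os

# Assumption for this example: PBKDF2 iteration count (real deployments tune this
# to their hardware; higher is slower for an attacker and for the server alike).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted, iterated one-way hash. The output cannot be reversed to the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


# --- Secure flow: Original Password -> salted hash -> Database Storage ---

def register_secure(db: dict, username: str, password: str) -> None:
    """Store only salt, iteration count and hash; the password itself is discarded."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per account
    db[username] = {
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
        "hash": hash_password(password, salt),
    }


def login_secure(db: dict, username: str, password: str) -> bool:
    """Re-hash the login password with the stored salt and compare the results."""
    record = db.get(username)
    if record is None:
        # Hash anyway so an unknown user name costs the same time as a wrong password.
        hash_password(password, b"\x00" * SALT_BYTES)
        return False
    candidate = hash_password(password, record["salt"], record["iterations"])
    # Constant-time comparison of the two hashes.
    return hmac.compare_digest(candidate, record["hash"])


# --- Insecure flow: Original Password -> Database Storage (plain text) ---

def register_insecure(db: dict, username: str, password: str) -> None:
    """Stores the password itself; anyone who reads the database reads the password."""
    db[username] = {"password": password}


def login_insecure(db: dict, username: str, password: str) -> bool:
    record = db.get(username)
    return record is not None and record["password"] == password


def can_email_password(db: dict, username: str) -> bool:
    """The 'forgot my password' test from the post: a site can only mail your
    password back if it kept a recoverable copy of it."""
    return "password" in db.get(username, {})


if __name__ == "__main__":
    secure_db, insecure_db = {}, {}
    register_secure(secure_db, "alice", "correct horse battery staple")
    register_insecure(insecure_db, "alice", "correct horse battery staple")
    print("secure login ok:", login_secure(secure_db, "alice", "correct horse battery staple"))
    print("secure wrong pw:", login_secure(secure_db, "alice", "wrong"))
    print("secure db can email password:", can_email_password(secure_db, "alice"))
    print("insecure db can email password:", can_email_password(insecure_db, "alice"))
```

Two users who pick the same password get different stored hashes because each gets its own salt, which is exactly what defeats a precomputed table of hashes; the plain-text store, by contrast, reveals every password to anyone who can read the table.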

3 Responses to “Unsafe Password Storage Practices”

  1. Yes, it’s very important to store a password hash instead of an actual password. It’s almost as important to use a salt when generating the hash and verifying a password at login as well — without a salt, accounts can be compromised more easily with a “rainbow table” (see http://en.wikipedia.org/wiki/Rainbow_table).

  2. Mark Champine says:

    A nice package to protect passwords for Java is Jasypt: http://www.jasypt.org. It uses a strong hash, random salt, plus iterations. Even if you’re using another language, you might want to use a similar technique.

    Hi Jeremy!

  3. Good post, short and simple, gives a good introduction to securing user passwords. But take notice of the reply from Jeremy Weiskotten: to avoid rainbow table attacks you should always use salting.