Setting a Good Example with Passwords
After hearing some random people shout their passwords out, we as programmers (and other IT people) should set a good example.
Recently, on my travels (at the travel agent's), the lady serving me was unsure of how to book a couple of gnarly tickets, so she called one of the other staff members over. She had to log on to a new system to do it and was told, right in front of me, the username and password of the system. Further to this, I saw the web address of the site, and it was blatantly public facing. I had all the details I needed to be able to log on!
I told her that I would try and 'forget' those details straight away. She knew I worked in IT and said "I guess you forget them all the time with having so many with your type of work". I said "Quite the opposite, it's exactly those sorts of things I remember". I was quite shocked at the plain inability to understand what passwords are actually used for - not that their password was any good anyhow.
Another time on my travels, on the train, two school girls were talking about doing their homework on their parents' computers. One stated that she had tried for an hour to log in to her Dad's machine by guessing the password. In the end she realised that no password had actually been set! This isn't so major, but it does make you think.
These two examples obviously show that we still need to educate people regarding the security and effectiveness of having a good password.
It seems that most of us IT people know what constitutes a good password. You know, the usual no dictionary words, mixture of letters, characters and symbols, of a reasonable length and of course the old favourite, don't write it down.
But at various times (usually when working with other systems) I have had the misfortune of coming across a list of usernames with their respective plain-text passwords. I mean come on, if we expect users to be sensible with their passwords, then we have to be sensible with them too.
Over the past year or so, I've changed the way I deal with passwords. Originally I would get the password and do an MD5 hash of it prior to storing. This seemed good at the time, but it isn't really, since a lot of people still use dictionary words, and with sites like md5 reverse lookup around they can sometimes be figured out if the hashed passwords get into the wrong hands. Try this 8b1a9953c4611296a827abf8c47804d7 for starters.
In the next stage of my password adventure, I started hashing the password with a 'seed' string. As an example, if the password entered was 'TryMe' and my seed was 'Xg7*e#q!', the hash would be taken over 'Xg7*e#q!TryMe'. This helps, but these days modern computers can reverse engineer the hash within a reasonable length of time, especially if it isn't that long. Armed with the reversed password of a few hashes, the seed (whether tacked on at the start or the end) can be figured out and then used to reverse engineer the others more quickly.
Recently, I've taken it a step further and now use both a common seed of random letters, numbers and symbols, 8 characters long, prepended to the password, followed by another 8 random characters which are unique to that user. This way, even if the common seed can be found by reversing a few hashes, the random characters at the end both lengthen the password and make sure that dictionary attacks don't succeed. Therefore, unlike the previous example (where a lookup table can then be used), to retrieve each and every password a very lengthy reverse engineering process would have to be undertaken.
As a quick example, if the common seed was as above, the string to be hashed could look like 'Xg7*e#q!TryMekP)i$dYn'.
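As an added illustration of the scheme just described (my own example code, not the post's), this builds the combined string exactly as laid out above, draws the per-user characters from a CSPRNG, stores the per-user part beside the hash so the check can be repeated at login, and uses a constructed mini lookup table to show why the unsalted MD5 of a common word is found while the seeded, per-user hash is not. The seed 'Xg7*e#q!' is the post's; the word list and the salt alphabet are constructed.

```python
import hashlib
import hmac
import secrets

# Site-wide "common seed" from the post, and the per-user length it describes.
COMMON_SEED = "Xg7*e#q!"
SALT_LENGTH = 8
SALT_ALPHABET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                 "0123456789!#$%&()*+-=?@^_")

# Constructed stand-in for a precomputed MD5 lookup table of common words.
COMMON_WORDS = ["password", "letmein", "Hello", "TryMe"]
LOOKUP_TABLE = {hashlib.md5(w.encode()).hexdigest(): w for w in COMMON_WORDS}


def new_salt(length=SALT_LENGTH):
    """Per-user random characters; secrets.choice draws from a CSPRNG."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def material(password, salt, common_seed=COMMON_SEED):
    """The string that actually gets hashed: common seed, password, per-user characters."""
    return f"{common_seed}{password}{salt}"


def hash_password(password, salt, common_seed=COMMON_SEED, algorithm="md5"):
    """Hash the combined string. MD5 is used only to match the post; any hashlib name works."""
    return hashlib.new(algorithm, material(password, salt, common_seed).encode()).hexdigest()


def unsalted_md5(word):
    """The original, seed-less approach the post moved away from."""
    return hashlib.md5(word.encode()).hexdigest()


def store_password(password):
    """The record to keep per user: the per-user characters in the clear plus the hash."""
    salt = new_salt()
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify_password(record, attempt):
    """Recompute with the stored per-user characters; compare in constant time."""
    return hmac.compare_digest(hash_password(attempt, record["salt"]), record["hash"])


def reverse_lookup(digest):
    """What a lookup table gives an attacker: the word for a digest, or None if absent."""
    return LOOKUP_TABLE.get(digest)


if __name__ == "__main__":
    rec = store_password("TryMe")
    print("unsalted md5 found in table:", reverse_lookup(unsalted_md5("TryMe")))  # TryMe
    print("seeded hash found in table: ", reverse_lookup(rec["hash"]))            # None
    print("login with right password:  ", verify_password(rec, "TryMe"))          # True
```

A deliberately slow key derivation function such as PBKDF2 (hashlib.pbkdf2_hmac) in place of MD5 makes the lengthy reverse-engineering step the post relies on far costlier for the same stored record layout.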
This is where I'm up to at the moment and I'm a lot happier for it. I'm sure there are probably more ways of doing it to strengthen the password encoding so if anyone has any more hints and tips, I'd be happy to hear them.
But more importantly, let's finally start handling passwords with as much care as we tell our non-computer literate friends and family.
This post originated on http://chilts.org/.
Email me on andychilton -at- gmail -dot- com.
