
Tuesday, February 07, 2012

Password Security


I'm always troubled by those services that send me my password when I use the "forgot my password" option. This means they store my password in plain text in their database!!!!

The proper way to store passwords is to store cryptographic hashes of those passwords. This should be done with a salt to avoid a simple dictionary attack when the password is a commonly used one. However, it is interesting to see the analysis here, which shows how easy it is to attack this setup (even hashing the password recursively 1000 times still makes it possible to obtain a known password in 10 hours).

This shows that the means of making the current system stronger are:
- Use longer/random pass phrases (pwgen)
- Add more computation overhead such that it cannot be parallelized.

This made me think: what if we have a hardware device attached to the system that carries out the password authentication, with the following properties:
- This device provides a deterministic function F : {0,1}* -> {0,1}*.
- F() can never be duplicated!

Using such a function we can improve the above system as follows:
Salt : s
Password : p
Cryptographic hash function : H
Password hash value to be stored in the database along with the salt s : h

h = H(F(s) + p)

With this approach, someone who steals a password hash and the salt value will also have to physically steal the machine (assuming F() is embedded in the machine) to be able to figure out the password!
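The scheme above, worked through as an added example that is not part of the original post. Since a real PUF cannot be simulated in software, the device function F is stood in for by a keyed PRF (HMAC) whose key is assumed to live only inside the hardware and to be non-exportable, so no second device computes the same F; the wordlist and password are constructed values. The example contrasts the conventional salted hash H(s + p) with the post's H(F(s) + p) against an attacker who holds the salt and hash but not the machine.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the post's device function F: a keyed PRF whose key
# is assumed to exist only inside the hardware and never be exportable, so a
# second device cannot compute the same F. (A real PUF stores no key at all.)
class DeviceF:
    def __init__(self, key: bytes) -> None:
        self._key = key

    def __call__(self, s: bytes) -> bytes:
        return hmac.new(self._key, s, hashlib.sha256).digest()


def plain_salted_hash(salt: bytes, password: str) -> str:
    """The conventional scheme the post starts from: h = H(s + p)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def device_bound_hash(device: DeviceF, salt: bytes, password: str) -> str:
    """The post's scheme: h = H(F(s) + p), with '+' read as concatenation."""
    return hashlib.sha256(device(salt) + password.encode()).hexdigest()


def verify(device: DeviceF, salt: bytes, stored: str, candidate: str) -> bool:
    """Login check on the machine that holds F (constant-time comparison)."""
    return hmac.compare_digest(stored, device_bound_hash(device, salt, candidate))


def offline_guess(salt: bytes, stored: str, wordlist, derive):
    """Offline guessing by someone holding only (salt, h). `derive(salt, word)`
    is whatever hash computation that attacker is able to run."""
    for word in wordlist:
        if hmac.compare_digest(stored, derive(salt, word)):
            return word
    return None


def demo():
    words = ["123456", "password", "letmein", "qwerty"]  # constructed wordlist
    salt = os.urandom(16)
    # 1) plain salted hash: a stolen (salt, h) pair falls to the wordlist
    plain = plain_salted_hash(salt, "letmein")
    found_plain = offline_guess(salt, plain, words, plain_salted_hash)
    # 2) device-bound hash: without the machine, the attacker can at best use
    #    some other device, which computes a different F and so never matches
    real, clone = DeviceF(os.urandom(32)), DeviceF(os.urandom(32))
    bound = device_bound_hash(real, salt, "letmein")
    found_bound = offline_guess(
        salt, bound, words, lambda s, w: device_bound_hash(clone, s, w))
    return found_plain, found_bound, verify(real, salt, bound, "letmein")
```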

NOTE:
This is motivated by my very introductory knowledge of PUFs. Maybe a PUF implementation can be used to do this. A quick search showed a lot of results, so a considerable amount of research work has already been done in this area.

Thursday, September 25, 2008

twitbin and your twitter password

I just tried to install the twitbin Firefox plugin. Well ... very nice interface!!!

BUT it seems like twitbin first sends my username and password to http://www.twitbin.com. Firefox will prompt you asking whether to remember the password for this site :P

I believe this should NOT be done :(

A user should NEVER have to give his/her credentials for a certain web application to a third-party web application. How can I be 100% sure that those who developed the third-party web application wrote perfect code that never leaks my user name/password for my other web application?

Interestingly, the twitbin.com privacy policy is very simple and short:


Our privacy policy is simple: we don't store any personal data about you. We do track the total minutes spent with twitbin open, and the number of users who use it. We don't have any way of seeing what you say, or who you say it to. User sessions are authenticated through twitter, so your data passes to them, not us.

You use twitbin at your own risk, we've tested it, it hasn't crashed our computers, but we just built this in a week. If you see a bug, let us know.

SOURCE: http://twitbin.com/blog/privacy/


Well ... why does Firefox ask my permission whether it is OK to REMEMBER the password (and when done so there is an entry against http://twitbin.com) when I try to log in to twitter with my plugin? So is the statement "User sessions are authenticated through twitter..." still true? I haven't really gone through the messages that are exchanged between twitbin.com and the browser... but the fact that the browser remembers the twitter user name/password against http://www.twitbin.com is more than enough evidence for me! (Or is this a Firefox bug? :-) )

This sucks! ... so people ... please be careful when you use these sort of applications!!!