Universal Music passwords exposed by Anonymous hack Universal Music websites suffered a breach that exposed the usernames and passwords of fans of bands who had signed up for updates on their favourite musicians. Infamous hacktivist group Anonymous claimed responsibility for the hack as part of its AntiSec campaign, which aims to expose the weak spots in the internet security …
"The real problem is storing the passwords AT ALL!!"
How would you like users to be authenticated then?
Storing a salted hash IS storing the password - just in a very very difficult to reverse format.
The plain text aspect IS the problem (and should bother you) - if, as you said, the passwords were stored as salted hashes this wouldn't be half as bad.
storing the password or storing the encrypted password would be storing the password. Anyone with access to the data (or data + key for encryption) knows your password.
storing a hash (salted or otherwise) would be storing a string of crap that can't (reliably|easily) be converted back into a password. You could find a string of text that results in the given string, but you can't be certain that's the actual original password.
nitpicking, maybe, but I agree with the original comment.
Dear Anon,
OK - Security 101...
A hash cannot be easily converted back to a string that would generate it. You might, if you're exceptionallty lucky, get a "candidate" string, but you can't be sure it's the right one, and if you try and brute force it, you will get multiple false positives to contend with.
Now, not being able to get back to the original plain text is important, because many users have the annoying habit of re-using passwords. So, if you can get the password they used for their pop group fan site, you might just also have their Facebook, online banking, Twitter password etc... This bleed over from a compromised site is a common attack vector.
The reason I wouldn't store the password on a site I wrote, even in encrypted form, is simple - I don't need to take that risk. Using hashes will let me authenticate, but it scuppers a lot of things that might be done with my user database should some script kiddie ever get their mits on it - which they won't - but that's another story...
Salting the hash gives a huge improvement in security, because I'm no longer using a standard algorithm to go from the user's supplied password to the hashed value - which means brute forcing is out of the window, so long as you don't know my algorithm. My algorithm would also be include references to random bits of information that the user never knew was associated to their account as well - random data generated when they registered for example...
So, where are we now? If you want to get at the passwords for my users, you are going to need enormous computing resource (ok, you might be the NSA...), knowledge as to the algorithm I have used to salt my hash (ok, I might have a rogue developer turn bad or something...) and access to my Database - which is in turn protected by it's own security system.
And here's the thing - I'm NOT a web developer by trade. So if I know how to implement half decent security, how comes the fat consultants paid by the lads at Universal don't?
Ps. Of course I don't like the password stored as plain text - any numpty can see that is the case from my comment. The point is, I don't like the password stored AT ALL!
Unfortunately, I think that systems where the passwords are stored properly are actually the minority by a long way. That's certainly been the case with my own experience (inheriting existing projects).
Remember that developers who inherit stuff rarely decide their own priorities and customers only care about the issues that are impacting them NOW so "nice to haves" like having a semblance of proper security practice never get done.
I've hurriedly changed all my passwords and learnt my lesson about using the same one everywhere! Storing passwords in plain text is ridiculous, and I'm also really frustrated that they didn't manage to keep it secure. I only signed up to get email updates on when a band was going on tour, thinking back it seems absurd you can't just give them an email address and leave it at that!
"I've hurriedly changed all my passwords and learnt my lesson about using the same one everywhere!"
Try this:
http://www.mirekw.com/winfreeware/pins.html
I haven't seen anything that I consider to be better. It has a password generator, can copy passwords to the clipboard, clears them when minimised or its security time out (which can be altered) cuts in, minimises to tray, requires password on resume after security cut out, sites can be grouped into categories named and chosen by user, entries can have a clickable URL in plaintext, unlimited data base size, uses 448 blowfish encoding, much, much more... ...and it is free. My passwords are very complex. It can generate passwords comprised of upper case, lower case, symbols, digits, user defined characters of up to 56 characters in length. If you use Gibson's password generator for your WPA2 key you can paste it into the field and save it.
I used to use Oubliette [ http://www.tranglos.com/ ] which has since apparently recovered its poise, but the mechanics of change bore me. Also some people use 'cloud' password systems, integrated into their browser. This is of no use when the system is not working and you need to open a file on your HD. In the same vein, I would never trust anyone with my passwords, just as I would never trust them with the data I keep on several TB of HDs. There are some uses for the cloud, but limiting it and keeping it in its place is the act of a wise user.
I can't believe how many of these big firms are storing passwords in plain text. The first thing I did with the first online project I got involved with back in the 90s was encrypt all the password fields that had been plain text. I was fresh out of high school at the time. Explain to me how it is that a programmer with basically zero experience knows better than to use plain text passwords but all these big corporations can't seem to figure it out.
"I can't believe how many of these big firms are storing passwords in plain text. The first thing I did with the first online project I got involved with back in the 90s was encrypt all the password fields that had been plain text. I was fresh out of high school at the time. Explain to me how it is that a programmer with basically zero experience knows better than to use plain text passwords but all these big corporations can't seem to figure it out."
Meheh. Some people say the rot set in with OOP, which encourages programmers to be lazy with resources and slack with security. On its own perhaps not, but the original Windows share and enjoy philosophy seems to have interacted quite nicely with it.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
