
Tuesday, September 26, 2006

Password security on popular sites

We use (and sometimes reuse, although we shouldn't) passwords on the web every day. There has been so much talk about password security lately that the least we should expect is that the big sites have proper password policies. I will single out two of them here:

  • digg.com – I've tried to register with them a couple of times, but was deterred by the following message: Sorry - only the characters a-z, A-Z and 0-9 are allowed in passwords. This makes me think that they store their passwords in cleartext in the database or something, because I see no other reason for this arbitrary restriction.
  • blogger.com – Yes, the very service I'm using now. When I registered yesterday I used my usual password generation algorithm and generated a long password with special symbols. Everything went fine, until the next day (today) when I tried to log in. So I used the password reminder feature and learnt that the maximum password length was 20 (I had used a password longer than that). This again leads me to believe that my password is stored in cleartext in a database field (which probably has a size of 20 characters).

What I would like to ask the web developers:

  • Only store the hashes, or better yet the salted hashes of my password
  • Allow me to choose an arbitrary password with arbitrary characters (or if you want to limit for practical reasons use sensible limits like 255 ASCII – the original 7 bit ASCII – characters). If you store hashes the real length of the passwords has no effect on the data you have to store (it will be the same every time).
  • If you have a limit, specify this and use the correct HTML attributes to signal this to the browser (like maxlength for the input elements)
  • Update: As a commenter pointed out, you should transmit the password through HTTPS / SSL. For this it is enough if the target of the form is encrypted; the page the form resides on doesn't need to be encrypted and you are 100% secure (from a packet sniffing point of view). Still, it probably gives a good feeling to users if the main page is also served over HTTPS (and probably it's not that big a performance hit, especially with persistent connections). However, remember that no encryption will protect you from spyware which installs itself directly into your browser (as a BHO, for example).
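As an added example (not code from the post), the contrast the list above draws: a fixed-width cleartext column that silently truncates the password on registration, modelling the symptom described for Blogger, beside a salted-hash store whose record is the same size for any password length or character set. The column width of 20, the PBKDF2 parameters and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os

# Constructed model of the suspected legacy store: a fixed-width
# cleartext column. Registration silently truncates, so a login with
# the full password fails, which is exactly the symptom in the post.
COLUMN_WIDTH = 20  # assumed column size

def truncating_register(store, user, password):
    store[user] = password[:COLUMN_WIDTH]

def truncating_verify(store, user, password):
    return store.get(user) == password

# Hashed store: only a random salt and a PBKDF2-HMAC-SHA256 digest are
# kept. The record is 16 + 32 bytes whatever the password looks like,
# and the cleartext is never written anywhere.
ITERATIONS = 200_000  # assumed work factor; raise for production use

def _derive(password, salt):
    # UTF-8 encoding means any Unicode character is acceptable input
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def hashed_register(store, user, password):
    salt = os.urandom(16)  # fresh salt per account
    store[user] = (salt, _derive(password, salt))

def hashed_verify(store, user, password):
    if user not in store:
        return False
    salt, digest = store[user]
    # constant-time comparison so timing does not leak digest bytes
    return hmac.compare_digest(_derive(password, salt), digest)

def record_size(store, user):
    salt, digest = store[user]
    return len(salt) + len(digest)

if __name__ == "__main__":
    long_pw = "correct horse battery staple! äöü€ 12345"  # constructed, > 20 chars
    legacy = {}
    truncating_register(legacy, "alice", long_pw)
    print("legacy login with full password:", truncating_verify(legacy, "alice", long_pw))
    hashed = {}
    hashed_register(hashed, "alice", long_pw)
    hashed_register(hashed, "bob", "abc")
    print("hashed login with full password:", hashed_verify(hashed, "alice", long_pw))
    print("record sizes:", record_size(hashed, "alice"), record_size(hashed, "bob"))
```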

Update: Please note that I don't know whether they store my password as cleartext, as a hash or as a salted hash. There might well be other (historical, security) reasons for the problems I've mentioned. I've personally used the password reminder feature of Blogger, and they sent me a link with which I could change my password - so I have no evidence regarding the method they use to store passwords, and I've never used this feature on digg. But my point was that they are limiting my security (or improving it, if you consider the impossibility of logging in an improvement :-)) by a choice which has no well-founded reason.

Update #2: Blogger is now offering the possibility to log in with your Google account (just go to beta.blogger.com), which is not subject to the restrictions mentioned above.

Please...

2 comments:

  1. Anonymous 3:54 PM

    Stating that password fields which only allow the characters a-z, A-Z and 0-9 must mean they are stored in clear text in the database is really stretching it, I think.

    There may be other considerations. Maybe they are trying to prevent forms of injection attacks by limiting the types of characters that can be inputted???

    I have never signed up for digg or blogger, but the obvious way to find out if they are storing their passwords in clear text is to check out the password recovery options. If they send out the original password in an email then they are storing it in clear text.

    One of the more important items regarding the input of passwords is to use SSL. What's the point in storing passwords as salted hashes, or utilising other security methods, if it's not sent over SSL in the first place?

  2. Biometry by itself is not better than passwords. In fact it is worse: biometrics cannot be changed.
