
I find it really incredible that these companies were so careless. Really. I know that security practices are rare to come by, but come on! LinkedIn, eHarmony and last.fm! These are some of the biggest websites.


I'd argue that security practices are not that hard to come by:

https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet


This page, when I read it a couple days ago, was pretty bad.


What reference would you recommend instead?


Coda Hale's page.

http://codahale.com/how-to-safely-store-a-password/

Let's be clear-eyed about this: we're talking about an OWASP page that says the "1-2-3" rules to do passwords well are "use SHA256", "pick a cryptographically random salt", and "iterate the hash".

Well, #1 is a suggestion that makes virtually no difference; your outcome won't be meaningfully worse if you use the (broken) MD5 algorithm than it will be if you use SHA-2.

And #2 is also a suggestion that makes virtually no difference; the (relatively unimportant) attack that "salts" blunt does not depend in any practical way on predicting salt values. Strong salt, weak salt, same deal: rainbow tables stop working, everything else still does.

Rule #3 is the only thing that matters on this page, but, of course, simply iterating your hash 64,000 times is an inferior solution to PBKDF2, bcrypt, and scrypt.

This page is a wiki, and I called it out on Twitter a day ago so the odds are some of this stuff has been "addressed"; but, I thought about taking a stab at fixing up the page and realized I'd be trying to incrementally improve that 1-2-3 advice. And, to the specific point of this thread: whatever better advice is there today, it wasn't there last week for LinkedIn or eHarmony to take advantage of.
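The comment above ranks the three OWASP rules: the hash function and the salt quality barely matter, the stretching does, and a plain iterated hash is still worse than PBKDF2, bcrypt or scrypt. The block below is an added example (not code from the thread, from OWASP, or from Coda Hale's page) that puts that ranking into working Python: PBKDF2-HMAC-SHA256 from the standard library with a per-user random salt, a self-describing storage record, constant-time verification, and, for contrast only, the literal "iterate SHA-256 N times" construction. The record format `pbkdf2_sha256$iterations$salt$key`, the function names, and the 100,000-iteration starting point are this example's own assumptions, not anything the page specifies.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed starting work factor (not from the page): tune it so one derivation
# costs tens of milliseconds on the authentication server, and raise it over time.
DEFAULT_ITERATIONS = 100_000


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256. The iteration count, not the choice of SHA-2 over
    MD5, is what makes each offline guess expensive for the attacker."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt$key (hypothetical
    format chosen for this example). The salt only has to be unique per user so
    that one precomputed table cannot serve every account; it is stored in the
    clear next to the derived key."""
    if salt is None:
        salt = os.urandom(16)
    key = derive_key(password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the parameters stored in the record, compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        candidate = derive_key(password.encode("utf-8"), salt, int(iterations))
    except ValueError:
        return False  # malformed record: reject rather than raise
    return hmac.compare_digest(candidate, expected)


def naive_iterated_sha256(password: bytes, salt: bytes, iterations: int) -> bytes:
    """The literal reading of 'iterate the hash' that the comment calls inferior.
    Included only to contrast with PBKDF2; do not deploy it."""
    digest = hashlib.sha256(salt + password).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def guesses_per_second(fn, rounds: int = 20) -> float:
    """Rough throughput of one guess under `fn` on this machine (illustrative only)."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return rounds / (time.perf_counter() - start)


if __name__ == "__main__":
    salt = os.urandom(16)
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok :", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("Tr0ub4dor&3", record))
    # Order-of-magnitude comparison of the attacker's cost per guess.
    for name, fn in [
        ("unsalted SHA-256", lambda: hashlib.sha256(b"guess").digest()),
        ("salted SHA-256, 1 round", lambda: naive_iterated_sha256(b"guess", salt, 1)),
        (f"PBKDF2-HMAC-SHA256, {DEFAULT_ITERATIONS} rounds",
         lambda: derive_key(b"guess", salt, DEFAULT_ITERATIONS)),
    ]:
        print(f"{name:40s} ~{guesses_per_second(fn):,.0f} guesses/s")
```

Run stand-alone, the timing loop shows the salt changing essentially nothing about guess throughput while the iteration count drops it by orders of magnitude, which is the comment's point in numbers. bcrypt and scrypt are not shown only because bcrypt is not in the standard library; `hashlib.scrypt` is a drop-in alternative to `derive_key` where the OpenSSL build supports it.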


I meant that they are hard to see implemented on websites, not hard to find. Sorry.


I would be very surprised if this sort of problem is not quite widespread among companies with giant userbases.

We'll see more of these, and bigger ones.


Microsoft Active Directory servers store passwords as plain MD4 hashes. http://16s.us/ms_ad_hashes/

These servers are used by governments and large organizations all over the world.


I would like to assume that the REALLY big companies like Google, Microsoft, Apple, Amazon, etc. can figure out how to effectively store passwords. While I acknowledge that Active Directory is a bit different from a web service, if this can't be realized, god knows what's happening with the other 500 sites we all have accounts on (that invariably use shared passwords: http://xkcd.com/792/ ). I really love it when I get password reset emails with my original password in plain text.


Discussing hashes internally with Commander Adams, among the reasons we use unsalted hashes for internal passwords was that Google Mail for Domains (with which we use an SSO tool) doesn't work with salted hashes.

Or should I be siccing Krell monsters on the good Commander again?


Exchange email systems have web interfaces. They typically authenticate with AD.


Yeah, it dates back to the beginning of NT (which is why it is MD4), and by now this hash is used in so many Windows protocols that it is hard to change.



