So with everyone talking about it I guess it’s time I add my 2 cents (without saying anything others haven’t so feel free to stop reading ;).
I am a victim myself, having had my password stolen at 3 different sites (League of Legends, last.fm, LinkedIn), and I am actually fairly certain that the password was the same on all three, as was the email address I signed up with. My wife’s LoL account was also hacked, and since her email account had the same password as her LoL account it was used to send spam emails until Hotmail closed it.
Obviously I’m not concerned at all about any of the accounts being compromised. Both my LoL account and my Last.fm account were throwaway accounts with no value to me at all, which is why the password was probably one of the very first that was recovered (6 letters). My LinkedIn account either had the same password, or a slightly more complicated one with 8 characters that include letters and numbers. My LinkedIn account had a little bit of personal information but also nothing that I would really be worried about being available for anyone on the internet (given that it isn’t already).
My wife’s accounts were throwaway accounts, which means a LoL account with near zero value to anyone and an email address that was used to sign up for throwaway accounts, obviously also without value.
What I’m trying to say here is that, as most people know, it’s impossible for anyone without an eidetic memory to have exactly one secure password (letters/numbers/special characters, or something long enough not to be cracked, such as 4 different words) for every single account you create anywhere. I cannot even count the number of accounts for websites, applications, email accounts, etc. that I own. Therefore, as I have said before, I use the same password for everything that has zero value to me. Years later I still know that password. I also use the same password for things that have near zero value to me (the hassle of getting the account back, etc., but no monetary value to anyone). I use two-factor authentication for pretty much anything that has real value to me.
Now that I’ve written a whole post about how stupid I am with passwords I guess I should get to the point I was trying to make.
I have written about how to hash passwords before, and it is not only sad but inexcusable how some relatively big companies are handling your passwords. I think every site that wants you to make an account should educate users on password security rather than impose arbitrary rules about what a password must contain. You should have complete freedom in what you want your password to be: if you think “1234” is secure enough for the account you’re signing up for, you should be able to use it. What is not defensible is what happens on the server side: some companies are storing passwords in plain text (plentyoffish used to include the password you signed up with in every email they sent you…. in plain text), some are storing a single unsalted MD5 hash (which these days is almost plain text), and some are storing a single unsalted SHA-1 hash.
As this post shows, a static salt (one value shared by all users) is of little use (LinkedIn didn’t even use that), because the attacker is not looking for SHA-1 collisions anyway: to crack the LinkedIn passwords you simply hash candidate passwords and compare each result against every hash in the stolen dump, and a shared salt would not have increased the time or difficulty of that attack at all. A per-user salt, even something as weak as the username, changes the economics, because a candidate hash can no longer be compared against all 6 million hashes at once: every single user’s password has to be brute-forced or dictionary-attacked on its own. At a minute per password that is more than 10 years for 6 million of them; at 6 seconds per password it is still about a year. And if you don’t hash the password once but 500 times, the time per guess, and with it the time to crack each password, goes up by the same factor of 500. One caveat on those figures: plain SHA-1 on commodity hardware checks millions of guesses per second, so a single weak password still falls in well under a second even when salted. The salt takes away the attacker’s economy of scale across users; the iteration count is what makes each individual guess expensive.
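To make the arithmetic above concrete, here is an added Python example (not code from the original post). It builds a constructed dump of four accounts with weak passwords, then counts hash invocations for a wordlist attack against unsalted SHA-1, against per-user random salts, and against per-user salts with 500 iterations. The `iterated_sha1` construction is only there to count work; real code should use PBKDF2 or a comparable KDF, not a home-grown loop.

```python
import hashlib
import os

# Constructed sample data (not from any real leak): four accounts with weak
# passwords and a short attacker wordlist that happens to contain all of them.
USERS = {"alice": "123456", "bob": "password", "carol": "qwerty", "dave": "letmein"}
WORDLIST = ["hunter2", "123456", "password", "qwerty", "letmein", "welcome"]


def iterated_sha1(salt, password, rounds):
    """Illustrative salted, iterated SHA-1: salt || password fed through SHA-1
    `rounds` times. Used here only to count work; use PBKDF2 in real code."""
    digest = salt + password.encode()
    for _ in range(rounds):
        digest = hashlib.sha1(digest).digest()
    return digest


def unsalted_dump(users):
    """LinkedIn-style storage: username -> hex SHA-1(password), no salt."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in users.items()}


def salted_dump(users, rounds=1):
    """Per-user storage: username -> (random 16-byte salt, iterated hash)."""
    dump = {}
    for u, p in users.items():
        salt = os.urandom(16)
        dump[u] = (salt, iterated_sha1(salt, p, rounds))
    return dump


def crack_unsalted(dump, wordlist):
    """One hash per guess, looked up against every user's hash at once.
    Returns (recovered passwords, number of hash calls)."""
    by_hash = {}
    for user, h in dump.items():
        by_hash.setdefault(h, []).append(user)
    found, hash_calls = {}, 0
    for guess in wordlist:
        hash_calls += 1
        for user in by_hash.get(hashlib.sha1(guess.encode()).hexdigest(), []):
            found[user] = guess
    return found, hash_calls


def crack_salted(dump, wordlist, rounds=1):
    """The salt forces the attacker to redo the wordlist for every user, and
    each guess costs `rounds` hash calls. Stops at the first hit per user."""
    found, hash_calls = {}, 0
    for user, (salt, target) in dump.items():
        for guess in wordlist:
            hash_calls += rounds
            if iterated_sha1(salt, guess, rounds) == target:
                found[user] = guess
                break
    return found, hash_calls


if __name__ == "__main__":
    _, calls = crack_unsalted(unsalted_dump(USERS), WORDLIST)
    print("unsalted SHA-1:           ", calls, "hash calls")
    _, calls = crack_salted(salted_dump(USERS), WORDLIST)
    print("per-user salt, 1 round:   ", calls, "hash calls")
    _, calls = crack_salted(salted_dump(USERS, 500), WORDLIST, 500)
    print("per-user salt, 500 rounds:", calls, "hash calls")
```

All three attacks recover every password, because the passwords are in the wordlist; what changes is the bill. The unsalted attack costs one hash per guess however many accounts leaked (6 calls here), the salted attack repeats the wordlist per account (14 calls, since it stops at each hit), and 500 iterations multiply that by 500. Scale the account count to 6 million and the wordlist to a real one and you get the “years” estimate in the text, with the caveat given there that each individual guess against a plain hash is still extremely cheap.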
A last point I want to make is that it’s fairly easy to change the method you’re using to store passwords, and you don’t need to wait for every user to do it. Assuming you have one table that stores a username and a password hash for every person using your site, add a new column to the table for the new method of storing passwords (this commentary suggests PBKDF2). Then change your login check: if the new column already has a value, verify the password against that, using the new hashing method; if not, verify it against the old hash and, on success, while you still hold the plaintext the user just typed, compute the new hash, store it and delete the old hash in the same update. Depending on how often your users log in you’ll have most passwords stored securely within days or maybe weeks. For the rest, you can send an email to the people who haven’t logged in for a while asking them to, or set a flag in the DB that forces a password verification email the next time they log on, and after that just delete all the old hashes; a user whose old hash is gone can only get back in by resetting their password, which is the point.
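Here is the migration just described as an added Python example (not code from the original post). An in-memory sqlite3 table stands in for the users table, `hashlib.pbkdf2_hmac` provides the new hash, and the column names `sha1_hash` and `pbkdf2_hash`, the encoded string format and the iteration count of 100,000 are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # assumed PBKDF2 work factor; tune to your hardware


def init_db():
    """Users table with the legacy column and the new one added beside it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, sha1_hash TEXT, pbkdf2_hash TEXT)"
    )
    return conn


def add_legacy_user(conn, username, password):
    """Seed an account the way the old code stored it: one unsalted SHA-1."""
    conn.execute(
        "INSERT INTO users (username, sha1_hash) VALUES (?, ?)",
        (username, hashlib.sha1(password.encode()).hexdigest()),
    )
    conn.commit()


def pbkdf2_encode(password, salt=None, iterations=ITERATIONS):
    """Self-describing string: algorithm$iterations$salt_hex$hash_hex, so the
    work factor can be raised later without another migration."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, encoded):
    _, iterations, salt_hex, dk_hex = encoded.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def legacy_verify(password, sha1_hex):
    return hmac.compare_digest(hashlib.sha1(password.encode()).hexdigest(), sha1_hex)


def login(conn, username, password):
    """Returns True on a correct password. Accounts still on the legacy hash are
    upgraded transparently on their first successful login."""
    row = conn.execute(
        "SELECT sha1_hash, pbkdf2_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    sha1_hash, new_hash = row
    if new_hash is not None:
        return pbkdf2_verify(password, new_hash)
    if sha1_hash is None or not legacy_verify(password, sha1_hash):
        return False
    # Password is correct and we hold the plaintext right now: store the PBKDF2
    # form and drop the old hash in the same statement.
    conn.execute(
        "UPDATE users SET pbkdf2_hash = ?, sha1_hash = NULL WHERE username = ?",
        (pbkdf2_encode(password), username),
    )
    conn.commit()
    return True


def users_still_on_legacy(conn):
    """Who still needs the reminder email / forced reset."""
    rows = conn.execute(
        "SELECT username FROM users WHERE sha1_hash IS NOT NULL ORDER BY username"
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = init_db()
    add_legacy_user(db, "alice", "correct horse")
    print("before:", users_still_on_legacy(db))
    print("login ok:", login(db, "alice", "correct horse"))
    print("after: ", users_still_on_legacy(db))
```

Two things worth keeping from this shape: the upgrade only ever happens after a successful legacy check, so a wrong guess never touches storage, and `users_still_on_legacy` is exactly the list you email or flag for a reset before the old column is dropped.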
But the main question remains: nothing I have written here is more than common knowledge to anyone who’s even remotely security conscious, and yet some fairly big companies just are not listening. They really should know better. We can only hope that the remaining companies that haven’t changed their hashing yet will do so in the very near future. This goes especially for people who make software for other people to use (phpBB?).