I had to explain something to my mom recently and it made me wonder about the number of people that actually wonder what happens to your password once you register for a website.
Until fairly recently the biggest free dating site sent out everyone’s password in plain text in every email. And most people that I talked to didn’t find anything bad in that. The problem with that is that a website you register to should never have your password. They should generate a hash almost immediately upon receiving your password and discard the password from memory. And they should not be able to get your password back, ever.
Not only is it really bad to send someone their old password in the mail, because if they reuse their password (and most people do (i’m also guilty of this)) someone gaining access to someone’s email might have all of their passwords by simply requesting their password from everything they’re registered to and getting lucky. They are also making themselves vulnerable to all kinds of attacks aimed at getting information from their database.
So what do we do if we want to …. have users that have passwords in any capacity at all ?
I now save passwords after hashing the hash of the password 500 times. I will mix in a salt that is different for every user at least 20 times and then I will store both the salt and the hash. Now to get someone’s password an attacker would need to have my code, or at least know when I salt the hash, they will need the hash/salt string from the database, and they will have to brute force hack the password. The whole brute force thing will take too long for anyone to actually attempt due to hashing the password 500 times, which significantly slows down any brute force attempts.
The more sane and possibly easier way to do things would of course be to use OpenID or any other form of logging on somewhere else, so that you can let other people figure out how to make things secure.