Mozilla Store got hacked? Don’t let it happen to you.

Unfortunately I have been extremely busy and have been neglecting some of the things I wanted to do on this site, primarily my authentication system. Not too long ago I wrote a post on password security and storage. I have become very security conscious in the past couple of years, staying on top of ways to secure data stored in databases, primarily passwords and other sensitive material. I voiced my opinion that sites should NEVER store passwords unencrypted (plain text) or in a form of encryption that is easily undone. I know this can be a pain in the butt, but unfortunately it’s a necessity nowadays to secure your clients’ data. Today I received an email from the Mozilla Store warning me that their site had been hacked. Allow me to share this email with you. (I have highlighted the scariest part in red.)

August 05, 2009

Dear Valued Mozilla Customer:

It has been brought to our attention that the Mozilla Store www.store.mozilla.org has had a security breach. We take all security breaches very seriously, and are working hard to determine the extent of the violation. In the meantime, the site has been taken down as a protective measure.

At this time we do not believe any credit card information has been compromised. However, some Mozilla Store customers’ user names and passwords have been exposed. It is our strong recommendation that all Mozilla Store customers proactively change their user name and passwords for their Mozilla Store account and all other accounts that use the same information. We will not bring the site back up until we are confident that we have addressed all security issues. A notification will be sent to you when the site goes back up.

GatewayCDI apologizes for any inconvenience this may cause. We value our customers and their online security is a top priority to our organization.

Sincerely,

Conrad Franey
Chief Marketing Officer
GatewayCDI

There are 3 major things I’d like to discuss about this.

The first is the obvious: if they had used safe storage techniques, the probability of their password list being compromised would have been practically eliminated. I cannot stress that enough: if a password is in the database as plain text, it will be compromised. I know that means you can’t just send a user their password when they forget it, but that’s ok… it’s not a huge hassle to change a password.

The second topic is users that “use the same information”. Granted, most of us are guilty of this at some point or another. We all have favorite passwords that we like to use. I personally try to make classifications of passwords for different types of sites, but sometimes I find myself using a “default” password out of habit. Please, people, one of the best ways you can protect yourself on the internet is to use different passwords. If not for everything, at least don’t use the same password for sites like Facebook, MySpace, or Twitter that you would use for your bank or email account.

The third MAJOR topic that I feel needs to be discussed is in regard to that first sentence that’s highlighted in red: “At this time we do not believe any credit card information has been compromised.” This should not even be a fear. Under no circumstances should you store your credit card in any site’s database, and under no circumstances should any site store it without your asking. After a transaction is completed, the only things that should remain are the authorization number, the order number, and the last 4 digits of the card. That is all the bank and the company should EVER need to look up a transaction. Verifying identity using a credit card number is a terrible thing, and any company that does so should be avoided. I am hoping that the reason they do not believe any credit card numbers were stolen is because they don’t store them… but only time will tell.

Ok, enough ranting and raving from me. I have spoken my mind on this topic, now I will shut up and let you all get back to your days. Just remember, sites do not always practice safe storage procedures, so the best protection from identity theft is still your common sense, so use it!

Password information storage and security

There are several techniques used for storing passwords; some are very good, while some are downright terrible. Without mentioning the names of the organizations (for security purposes), I am, and have been, associated with 2 groups that, without a doubt in my mind, store passwords in an extremely insecure manner. And of course, they’re not alone.

It is easy to spot an organization that stores passwords either completely unencrypted or encrypted using a method that allows for easy decryption. One sign of this insecure behavior is the ability to “recover your password” without needing to reset it. If you can recover your password, then someone else can easily access it as well (with the right tools). Another sign takes a more careful eye: there is nothing to fear when a company requires your password to be different from your previous X passwords, but there is when they also look for similarities and judge your new password to be “too close”. This may come off as a very secure tactic, but in fact it must mean that they are storing not just one, but several old passwords in a way that makes them, once again, an easy target.

So now we know some visible things that should throw up caution flags. What else is there to know? There are methods of storing passwords that are more secure. For instance, storing a “hash” or checksum of a password using an irreversible, or one-way, algorithm is a good start. There are several hashing methods out there, some of which are better than others, but before we continue, allow me to explain what a hash is and how it can benefit secure data storage.
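As an added example (not the post’s own code, and not the author’s PHP/MySQL system), the following Python shows one-way salted storage and why it separates the two checks discussed above: an exact “not one of your previous X passwords” check still works on hashes, while a “too close” similarity judgement cannot be made from them. It assumes PBKDF2-HMAC-SHA256 and an iteration count picked for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for the example; tune for your own hardware.
ITERATIONS = 100_000


def make_record(password: str, salt: bytes = b"") -> dict:
    """Store only a random salt and the one-way PBKDF2 output, never the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute the hash under the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), ITERATIONS
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def reused_in_history(password: str, history: list) -> bool:
    """Exact reuse of an old password is detectable by re-hashing the candidate
    under each old record's salt. Closeness ('one character off') is not:
    a site that reports 'too close' must hold the old passwords reversibly."""
    return any(verify(password, old) for old in history)


def demo() -> dict:
    # Constructed sample: a user sets a password, then rotates to a new one.
    history = [make_record("correct horse"), make_record("battery staple")]
    current = history[-1]
    return {
        "login_ok": verify("battery staple", current),
        "login_wrong": verify("battery stapler", current),
        "reuse_blocked": reused_in_history("correct horse", history),
        "near_miss_detected": reused_in_history("correct horse!", history),
        "record_reveals_password": "battery staple" in str(current),
    }


if __name__ == "__main__":
    print(demo())
```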


Introduction to my PHP/MySQL User Authentication system

I thought I’d take a few minutes to go over the basics of what I’m going to be accomplishing over the next few weeks. I plan on guiding everyone through some of the basics of building your own user authentication system. This will include many segments varying from storing password information securely, user registration (and required information), password recovery vs. password reset, analyzing security vulnerabilities, possible applications and a wide variety of other topics that could possibly go along.

I will be starting off with a very basic set of security rules that you will need to keep in mind in order to maintain a secure list of users and password information. Without going into further detail, I can’t stress enough the huge mistake that many authentication systems make by limiting the size, type, and strength of a user’s password, as well as the mistake of how the information is stored. I plan on analyzing a few preexisting systems, showing some fundamental flaws associated with them, and providing tips to help safeguard your data from any unwanted guests.

Please be sure to check back soon, as I will be posting in the next few days.