Posts Tagged ‘passwords’

Password information storage and security

Thursday, March 26th, 2009

There are several techniques used for storing passwords; some are very good, while some are downright terrible. Without mentioning the names of the organizations (for security purposes), I am, and have been, associated with two groups that, without a doubt in my mind, store passwords in an extremely insecure manner. And of course, they’re not alone.

It is easy to spot an organization that stores passwords either completely unencrypted or encrypted with a reversible method, one that lets the password be decrypted again. One sign of this insecure behavior is the ability to “recover your password” rather than having to reset it: if the site can hand your password back to you, then someone else with the right tools can get at it just as easily. The second sign is subtler. There is nothing to fear when a company requires your new password to differ from your previous X passwords, but there is when they also compare the two and judge your new password to be “too close” to an old one. This may come off as a very secure tactic, but it must mean that they are storing not just one but several of your old passwords in a form they can read, which once again makes them an easy target.

So now we know some visible signs that should raise caution flags. What else is there to know? There are methods of storing passwords that are more secure. For instance, storing a “hash” or checksum of a password computed with an irreversible, or one-way, algorithm is a good start. There are several hashing methods out there, some of which are better than others, but before we continue, allow me to explain what a hash is and how it can benefit secure data storage.
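The two points above, that reversible storage is what makes “recover your password” and “too similar to your old password” checks possible and that a one-way hash supports verification but not recovery, can be shown side by side in code. The following is an added example written for this page, not code from the original post. It uses a salted, iterated hash (PBKDF2-HMAC-SHA256 from Python’s standard library) as its one-way function, which is a choice made here rather than something the post specifies; the record layout, the function names, and the sample passwords are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed example (not from the original post): contrasts a one-way,
# salted password record with the kind of reversible storage that a
# "recover your password" feature or a "too similar" check requires.

ITERATIONS = 100_000  # assumed work factor; raise it on real systems


def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """Store a random per-user salt and a PBKDF2-HMAC-SHA256 digest.

    The password itself is never kept, so it cannot be "recovered" later,
    not by the site and not by someone who copies the database.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "digest": digest, "iterations": iterations}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the digest from the candidate and compare in constant time.

    This is the only operation a one-way record supports: yes/no for an
    exact match, never the original password.
    """
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["digest"])


def reused_in_history(history: list, candidate: str) -> bool:
    """With hashed history the only reuse check possible is an exact match
    against each old record; nothing finer-grained can be computed."""
    return any(verify(rec, candidate) for rec in history)


def too_similar(old_plaintext: str, new_password: str, min_common_prefix: int = 4) -> bool:
    """A "too close to your old password" judgement needs the old password in
    readable form. If a site performs this check, it is holding old passwords
    reversibly, which is exactly the warning sign the post describes."""
    common = 0
    for a, b in zip(old_plaintext, new_password):
        if a != b:
            break
        common += 1
    return common >= min_common_prefix


if __name__ == "__main__":
    # Constructed sample passwords.
    history = [make_record("Summer2008"), make_record("Summer2009")]
    print("exact reuse detectable with hashes:", reused_in_history(history, "Summer2009"))
    print("near-reuse detectable with hashes:", reused_in_history(history, "Summer2010"))
    print("near-reuse detectable with plaintext:", too_similar("Summer2009", "Summer2010"))
```

Run as a script it prints `True`, `False`, `True`: hashed history catches exact reuse only, while the similarity test that some sites perform is only possible because they kept the old password readable. The `verify` path is also what a reset flow relies on, since a new password can be hashed and stored without the old one ever being recoverable.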