Saturday, August 29, 2009

Passwords

Something that I find tiresome on many computer systems is having to remember a password; worse still is when the password has to be changed at a periodic interval. The temptation is to use a common password across many systems, yet this is very dangerous: once one of those systems leaks it, every account that shares it is exposed. It may be the case that few systems nowadays store passwords in plaintext (although it is surprising that some still do), but it is often possible to break password security and log in as you anyway. This is something to be aware of when coding. For instance, it is recommended to store the password field as a hash rather than as the password itself, so that intruders cannot read the password directly even with full access to the database. To test that a user knows the correct password you hash what he/she types in and compare the result with the stored hash. Fairly secure? Well, no. A plain hash is deterministic, so the same password always produces the same hash, and attackers have precomputed huge lists of the hashes of common passwords (a rainbow table is the compact, space-saving form of such a list); given a stolen hash, they simply look it up. Anything not found in a table can be attacked offline with a dictionary or brute-force cracker such as John the Ripper, which tries millions of candidate passwords per second against the stolen hashes, so weak passwords fall quickly. Salting the hash (prefixing a random value, unique to each user and stored alongside the hash, to the password before hashing) makes this a lot safer, although still not 100%: it defeats precomputed tables, because every user's hash would need its own table, but a single round of a fast hash like MD5 or SHA-1 can still be brute-forced one user at a time, which is why a deliberately slow, iterated password hash (bcrypt or PBKDF2, for example) is preferred over one round of a general-purpose hash. Read more at www.codinghorror.com/.

Any other measures the coder should take? An attacker who cannot get at the database can still try to log in thousands of times over the network with common passwords, so restrict the number of failed attempts, per account and not only per session (an attacker will not politely keep to one session); reading up on the use of captchas and delays between attempts is particularly useful here. Ensure that the password is of a minimum length (the longer it is, the harder it is to crack); better still, enforce the use of non-alphabetical characters like numbers or _ or @ or * within the password. Also (and this is commonly overlooked) restrict the in-company access to that database table, since the hashes are only worth protecting if few people can read them. Lastly, and it won't make you popular with users, force the changing of passwords after a certain passage of time; bear in mind, though, that forced rotation pushes users toward predictable variations of the old password and toward writing passwords down, so much current guidance advises changing a password when there is reason to think it has been compromised rather than on a fixed schedule.
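The following is an added example, not code from the original post: it shows a (constructed, tiny) precomputed table reversing an unsalted hash, then the per-user salted and iterated scheme the post recommends (PBKDF2 with SHA-256 here, as a stand-in for whichever slow hash is used) with a constant-time comparison, and a hypothetical LoginGuard counter illustrating the per-account attempt limit. The function names, the sample password list and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-in for an attacker's precomputed table: SHA-256 digests of
# a few common passwords. Real tables (rainbow tables are their compressed
# form) hold hundreds of millions of entries, but the lookup works the same way.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def hash_unsalted(password):
    """The weak scheme: one round of SHA-256 over the password, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_unsalted(stored_hex):
    """Reverse an unsalted hash by table lookup; returns the password or None."""
    return PRECOMPUTED.get(stored_hex)


# Assumed work factor: chosen so that hashing one password is deliberately slow
# for a cracker but unnoticeable for a single login.
ITERATIONS = 200_000


def hash_salted(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated hash. Returns 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'
    so the salt and work factor are stored with the hash and can be raised later."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_salted(password, stored):
    """Recompute with the stored salt and work factor; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


class LoginGuard:
    """Hypothetical per-account failure counter (example only): after
    MAX_FAILURES consecutive failures the account is refused until a successful
    login clears the count, so online guessing is capped however many sessions
    the attacker opens."""
    MAX_FAILURES = 5

    def __init__(self):
        self.failures = {}

    def attempt(self, username, password, stored):
        if self.failures.get(username, 0) >= self.MAX_FAILURES:
            return "locked"
        if verify_salted(password, stored):
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        return "denied"


if __name__ == "__main__":
    weak = hash_unsalted("letmein")
    print("unsalted hash reversed by table lookup:", lookup_unsalted(weak))
    first = hash_salted("letmein")
    second = hash_salted("letmein")
    print("same password, different stored values:", first != second)
    print("verification still succeeds:", verify_salted("letmein", first))
    guard = LoginGuard()
    for _ in range(LoginGuard.MAX_FAILURES):
        guard.attempt("alice", "wrong guess", first)
    print("after repeated failures:", guard.attempt("alice", "letmein", first))
```

A lockout counter of this kind is a blunt instrument: anyone who knows a username can lock its owner out, which is why the captchas and increasing delays mentioned above are often preferred to a hard lock, and why the lock should be temporary or clearable out of band.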
This all leads to the problem of having to remember your own passwords, especially when they keep changing. I personally write some (although not those relating to bank or email log-ins) down in my diary, suitably disguised. Luckily there are various secure password managers out there, for example http://keepass.info/. You can find more choices at http://lifehacker.com/5042616/five-best-password-managers; it is also worthwhile searching on Lifehacker using the keyword 'password' to find many useful articles on how to create a strong password, how to be more secure, etc.
