Password Interlude in D Minor

While at least one previous post here castigated poor password security, a few others have tried to approach the problem in a more constructive manner. Each of these posts shares fundamental themes: Protect the password in transit from the threat of sniffers or intermediation attacks — Use HTTPS during the entire authentication process. HSTS is better. […]

LinkedIn, HashedOut

Linked-“Be great at what you do”-In, bringing you modern social networking with worse password protection than 1970s UNIX. Not only did LinkedIn avoid a robust, well-known password hashing scheme like PBKDF2, they didn’t even salt the passwords, something FreeBSD programmers have been doing for years. It also appears some users are confused as to what constitutes a […]

So You Want to Hash a Password…

Congratulations. You’re thinking about protecting a password; a concept that well-known[1] sites, to this day[2], fail[3] to comprehend. Choose an established, vetted algorithm (SHA-256 would suffice), include a salt (we’ll explain this a bit later), hash the password. Get rid of the plaintext password. Done. See how simple that was? There’s even Open Source code[4] […]

The alien concept of password security

A post on Stack Overflow[1] seeks advice on the relative security between implementing a password reset mechanism that emails a temporary link vs. one that emails a temporary password. The question brings to mind some issues addressed in Chapter 5: Breaking Authentication Schemes of The Book. Stack Overflow questions typically attract high quality answers, which […]