Text Goes Here
This is my web site. When I have something to say, this is usually where I will say it.
...posted by squirrel
Secure Password Schemes 101
April 7, 2008 @ 11:32 am
Matasano Chargen: Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes
I don't know much about cryptographic hash functions, but I do know just enough to understand that storing unsalted MD5-hashed passwords in a user database is a really, deeply bad idea. And yet, smart people who should know better still code very popular web applications that do exactly this. I guess the line of thinking is that your "JoeBlog3000" script that you wrote during spring break won't be used for anything truly important, so even if its password database gets stolen and cracked there's no real harm done. Too bad for me though if I had an account on JoeBlog3000 and my password gets owned. Now the attacker can cruise other systems trying out my password on other accounts that might be mine. This could be moderately inconvenient if I end up losing some message board accounts, or it could be devastating if the owned password happens to be the same one I use to access my bank account. So now I'm forced to remember several different passwords, sorted by how sensitive the accounts protected by each one are. That sucks.
I want to write web applications, but I don't want to be part of this problem. So how do I securely store user passwords? The problem is that secure password storage is closely related to cryptography, and cryptography is hard. Really hard. So hard that it is difficult to find information about it that is both reliable and accessible to non-experts. Most of what you'll find in a Google search is well-intentioned but almost totally useless for all the questions it leaves unanswered. Does double-hashing make your passwords significantly more secure? How about triple- or quad-? Does the length of the salt matter? What about doing weird string scrambling tricks on the password before hashing it?
The short answer, from the Matasano Chargen link above, is you should never write your own password system, ever. In hindsight I feel silly for not realizing this after having already absorbed the lessons of "never write your own input validators, ever" and "never write your own database abstraction layer, ever". Basically by 2008 almost any problem you could ever have in web development has already been had by lots of other people, solved by a few very smart people, made available for free, and picked over by hundreds of other smart people. Favoring your own solution over this depth of experience looks like hubris, and it just begs for one clever attacker to exploit a single bug that you alone failed to find.
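To make the contrast concrete, here is an added example (mine, not from the post or from Matasano) that puts the unsalted-MD5 scheme next to a salted, iterated one built from a vetted primitive in Python's standard library (PBKDF2-HMAC-SHA256) rather than a home-grown double-hash. The usernames and passwords are constructed sample data; the record format and iteration count are my own choices for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demo (not real accounts).
# Two users deliberately share a password.
USERS = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}


def unsalted_md5(password: str) -> str:
    """The scheme the post warns against: one MD5 of the bare password."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted, iterated hash using a standard KDF instead of ad hoc re-hashing.

    The stored record carries the algorithm, iteration count and per-user
    salt, so verification needs no hidden parameters and the cost can be
    raised later without changing the code path.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(record: str, candidate: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = record.split("$")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def shared_password_leaks(table: dict) -> bool:
    """True when two users' stored values are identical: the database then
    reveals who shares a password and one precomputed (rainbow-table) lookup
    cracks every account holding that value."""
    return len(set(table.values())) < len(table)


def compare_schemes(users: dict = USERS) -> tuple:
    """(leaks under unsalted MD5, leaks under salted PBKDF2) for the sample users."""
    md5_table = {u: unsalted_md5(p) for u, p in users.items()}
    pbkdf2_table = {u: pbkdf2_record(p) for u, p in users.items()}
    return shared_password_leaks(md5_table), shared_password_leaks(pbkdf2_table)
```

Running `compare_schemes()` returns `(True, False)`: alice and bob are visibly the same under MD5, but indistinguishable once each has her own salt.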
...posted by squirrel
Thoughts
January 25, 2008 @ 11:46 am
Is there, Lord, any of soul so great, and cleaving to Thee with so intense affection (for a sort of stupidity will in a way do it); but is there any one who, from cleaving devoutly to Thee, is endued with so great a spirit, that he can think as lightly of the racks and hooks and other torments (against which, throughout all lands, men call on Thee with extreme dread), mocking at those by whom they are feared most bitterly, as our parents mocked the torments which we suffered in boyhood from our masters? For we feared not our torments less; nor prayed we less to Thee to escape them. And yet we sinned, in writing or reading or studying less than was exacted of us. For we wanted not, O Lord, memory or capacity, whereof Thy will gave enough for our age; but our sole delight was play; and for this we were punished by those who yet themselves were doing the like. But elder folks' idleness is called "business"; that of boys, being really the same, is punished by those elders; and none commiserates either boys or men. For will any of sound discretion approve of my being beaten as a boy, because, by playing a ball, I made less progress in studies which I was to learn, only that, as a man, I might play more unbeseemingly? and what else did he who beat me? who, if worsted in some trifling discussion with his fellow-tutor, was more embittered and jealous than I when beaten at ball by a play-fellow?
And yet, I sinned herein, O Lord God, the Creator and Disposer of all things in nature, of sin the Disposer only, O Lord my God, I sinned in transgressing the commands of my parents and those of my masters. For what they, with whatever motive, would have me learn, I might afterwards have put to good use. For I disobeyed, not from a better choice, but from love of play, loving the pride of victory in my contests, and to have my ears tickled with lying fables, that they might itch the more; the same curiosity flashing from my eyes more and more, for the shows and games of my elders. Yet those who give these shows are in such esteem, that almost all wish the same for their children, and yet are very willing that they should be beaten, if those very games detain them from the studies, whereby they would have them attain to be the givers of them. Look with pity, Lord, on these things, and deliver us who call upon Thee now; deliver those too who call not on Thee yet, that they may call on Thee, and Thou mayest deliver them.
-- Saint Augustine, Bishop of Hippo
...posted by squirrel