Should I even hash passwords in this situation?

views:

187

answers:

+3 Q:

Should I even hash passwords in this situation?

My website doesn't contain too sensitive data. I'm thinking about storing passwords as is because if a user wanted to receive their password by email (if they'd lost it) then I'd be able to send it to them rather than doing anything cumbersome and grueling to users like sending them a new password I created (it's also ineffective).

Should I just store them as is?

+6 A:

The passwords are sensitive data - people use them across sites, you don't want it to leak, or to be visible - not even to you or your programmers.

Kobi 2009-12-28 10:52:43

+20 A:

No, you should hash them. Most users have the same password on multiple sites, so even if your site is not too sensitive there could be other sites with the same username and password that are more sensitive.

If users forget their passwords, send them a new one.

Emil Vikström 2009-12-28 10:52:45

In general I agree with hashing the passwords, though as a web site owner I can't be help accountable (and frankly shouldn't care) if a user wants to use the same password on multiple sites.

Jason Snelders 2009-12-28 10:56:16

I think most users expect you to hold their information secret, including the password. It's in your interest to keep your users happy. It isn't that hard to keep passwords safe.

Emil Vikström 2009-12-28 10:58:29

@Jason - I don't know if you worked with users, but you **cannot get away** with holding them responsible after a leak is found in *your* site. Even if their password was 1234567. No way. They will blame you, and they'd be right to do so.

Kobi 2009-12-28 11:03:45

The thing with users using the same password everywhere is key to me

Jaco Pretorius 2009-12-28 11:42:28

As I see it, with OpenID there's no real reason to force users to create a separate account on your site. Blaming users for using the same password for multiple sites is a cop-out when you're part of the problem (every dinky little site wanting you to create a new account).

Michael Borgwardt 2009-12-28 11:54:48

But what if someone hit the "forgot my password" for another user malevolently? The user would not know about this and would evidently try to log in with his no longer valid password. I imagine that would be a nuisance.

sombe 2009-12-28 17:03:36

+2 A:

No. The password might not be important from your site's perspective, but naive users tend to reuse their passwords. You might be holding, say, a user's bank account password. You should even apply a random salt that is stored with the hashed password (usually as a prefix string), so that the same password can't even be identified across sites or accounts.

Marcelo Cantos 2009-12-28 10:54:20

not-naive users do it as well...

dionadar 2009-12-28 10:57:27

+7 A:

The default answer is YES, HASH (AND SALT) THE PASSWORDS, in screaming caps.

The reason for this is that the majority of users use the same password for all sites that they log on to, so if your site is ever compromised, then all those passwords are out in the open.

David Hall 2009-12-28 10:54:41

+4 A:

I ran a website sometime ago and I can suggest: do not store plain text passwords. Many users use same password for several applications and, if your site is compromised, they will blame you.

Hash your passwords and send a new one, with expiration time, if your user lost it.

Rubens Farias 2009-12-28 10:54:48

Atleast encrypt them and then decrypt when needed. There are quite a number of encryption techniques. Eg DES, Triple DES, TRIPLE_DES etc. Or you can create some simple technique yourself.

I am not sure in what language you are coding but most of the modern programming languages like c#, java already have libraries for encryption. You can use them also.

Aseem Gautam 2009-12-28 10:55:21

You should never encrypt passwords with a two-way cipher; it should be impossible to recover the original. One-way hashes are the established norm.

Marcelo Cantos 2009-12-28 10:56:39

I know. But sometimes the business requirements need the password send back to the user. So my sugesstion was towards a scenario when the password needs to be send back to the user.

Aseem Gautam 2009-12-28 11:05:05

if business requires them to send passwords back, it is the developer's task to explain them why this should under no circumstance be done.

martinus 2009-12-28 11:19:09

If a website sent me back my original password when I lost it (additionally, in a plaintext email), I'd immediately unsubscribe from it because it would mean they're storing it insecurely and handling it irresponsibly.

axel_c 2009-12-28 11:20:22

Well, I am not saying or suggesting that encryption is better or an alternative to hashing. But its better than storing passwords as they are.

Aseem Gautam 2009-12-28 11:25:47

So you would use the same passphrase for encrypting all the passwords, basically giving an attacker the chance to hack _all_ user passwords at once? And where do you store the passphrase? And how do you secure it?

axel_c 2009-12-28 11:29:30

+8 A:

Why the dilemma? You should probably not be developing account management system yourself. Take some standard component of password management, and save yourself debugging and security bugs.

Pavel Radzivilovsky 2009-12-28 10:55:21

Good idea. To take this further - I don't know how normal people react to OpenId, but that would be my favorite.

Kobi 2009-12-28 10:58:25

@Kobi - I'm technically savvy and I don't like OpenID. Why? First of all it's slower to log in as it requires page redirects etc. rather than just an SSL post. Second as I don't really want any OpenID providers tracking all the sites I log in to, and don't want all my site credentials in one basket, I have to go and create a new OpenID for each site I join anyway which is typically slower than registering on a new site. In any case, due to the added complexity over a basic reg form there's no way I'd use OpenID on a consumer-oriented site.

Greg Beech 2009-12-28 11:25:22

@Greg - defiantly. *I* like to login with my openid, but if the users are consumers, this is mostly out of the question. As for "all eggs in one basket" - if someone has access to your mail, they can reset your passwords. In that regard, using your google profile is just as save.

Kobi 2009-12-28 11:58:09

+1 A:

NEVER EVER store your password in clear in the database. And please tell what other websites you developped so I never create an account on them.

chburd 2009-12-28 10:57:12

lol again lol and lol goes on

Deepak Singh Rawat 2009-12-28 11:02:54

no need to go overboard dude, I was just asking.

sombe 2009-12-28 16:49:29

well, i think i forgot some smileys in my messages ;-)

chburd 2009-12-29 08:02:43

Definitely hash them, there is no reason not to. You can even encrypt the password in the user's browser and just transmit the hash, e.g. with the code used here.

martinus 2009-12-28 11:17:49

use openid (http://openid.net/) and dont worry about password management.

Numenor 2009-12-28 12:06:38

ansaurus

tags:

views:

answers:

Should I even hash passwords in this situation?

related questions