I called MediaTemple for support months back and the gentleman on the phone asked me for my password over the phone. I thought he was going to just log in to my account using the web interface, but he was actually comparing it against the version that was right there in front of him. It pissed me off at first (because I used the same password for other hosting accounts, etc), but then I got to thinking about it. If somebody hacks into the database, they don't really need to steal your password at this point.

Other than the possibility of corrupt employees, or a hacker who takes account emails and passwords from the SaaS at example.com and then tries to log into each customer's email account using their example.com passwords (in case they're like me and use the same password more than once), both of which could happen, are there other reasons why a password should be stored encrypted?

+4  A: 

Are these reasons not enough?

The only reason to encrypt any kind of information is so those not authorized to see it will not get to it. Passwords included.

One issue with encrypting passwords is that if one has the encryption key, they can decrypt the passwords without a problem. This is why a better solution is to store a (salted) password hash. There are ways around that as well (rainbow tables for example), but they are much safer.

There are plenty of times where hackers got into a system and stole usernames and passwords, and you are right, many people reuse the same password.

Oded
-1 Passwords should never be encrypted, they should be hashed.
Rook
@Michael Brooks - perhaps you can point me to an authoritative source on why this is the case? I'd like to see a _constructive_ comment from you for a change.
Oded
@Oded, yes of course I was writing my own response. You are welcome to read it and ask questions.
Rook
@Michael Brooks - I see your point and updated the answer.
Oded
@Oded, I removed my -1, thanks for the good answer.
Rook
+1  A: 

Actually, what you have just described is a vulnerability. A malicious insider is a serious threat to your security and it's cool that you recognized that. NO ONE should know your password; if ANYONE finds out your password, you MUST change it.

There are very clear guidelines on how passwords should be stored; they are laid out under the CWE-255 parent id: http://cwe.mitre.org/data/definitions/255.html

Under CWE-255 is CWE-256 which clearly states that storing passwords in clear text is a vulnerability. The next is CWE-257 which states that storing passwords in a "Recoverable Format" is a vulnerability, so if you use "Encryption" it is possible for a malicious insider to "Decrypt" your password and attack you. Also, by not using hashes you make a Web Application more vulnerable to SQL Injection. A common SQL Injection attack is to read the Password hash out of the database, well if you can decrypt the password then a hacker can just login immediately. The idea behind the hash is to force them to break it, which slows down the attacker.

For storing passwords, the sha2 family is currently the best solution. I like sha256, although sha512 is also in the same family and could be used if you are more paranoid.

Rook
SHA1 was broken the first time with a VCR's CPU. I'm not too fond of the ever-growing complexity of the algorithms as a means of finding the holy grail of encryption. I see this as the same as AI. We can never have AI, just more and more complex programs. I prefer salted encryption. Anything that can be engineered can be reverse-engineered, but people can't read somebody else's mind... Yet.
orokusaki
@orokusaki You're correct, SHA1 is broken and it currently only guarantees 2^52 bits. There are no known attacks against the SHA2 family and therefore sha256 will give you 2^256 bits of security or 1.15x10^77 which is plenty large for my life time, even taking Moore's law into consideration. Also the use of "encryption" is a recognized vulnerability by NIST, and I could care less if you disagree with them because you are wrong.
Rook
@Michael Brooks Whoa there. No need to get hostile. I'm no expert in this stuff, just spitting out what I've picked up here and there. I didn't even know who NIST was.
orokusaki
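The two answers above make the same practical point from different angles: store a salted hash, not a ciphertext that a key holder (or an insider, or someone reading the table through SQL injection) can turn back into the password. The following is an added example, not code from either answerer or from Media Temple, showing what that looks like in Python. It uses `hashlib.pbkdf2_hmac` over SHA-256 (a SHA-2 family member, as the second answer recommends) with a per-user random salt and a work factor, and verifies a login by recomputing the hash rather than reading anything back. The iteration count, salt length and record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not from the original answers).
HASH_NAME = "sha256"   # SHA-2 family, per the answer above
SALT_BYTES = 16        # 128-bit random salt, unique per stored password
ITERATIONS = 200_000   # work factor: makes each guess cost the attacker time


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    Nothing in the record lets anyone recover the password; a support agent
    or a database thief can only test guesses against it.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iterations, compare in constant time."""
    try:
        hash_name, iterations_str, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed or tampered record: refuse rather than crash
    candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest avoids leaking how many bytes matched via timing.
    return hmac.compare_digest(candidate, expected)


def same_password_different_records(password: str) -> bool:
    """True when two stores of the same password differ: the salt defeats
    precomputed (rainbow) tables and hides which users share a password."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    # Constructed sample: what the users table would hold instead of plaintext.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("login with right password:", verify_password("correct horse battery staple", record))
    print("login with wrong password:", verify_password("Tr0ub4dor&3", record))
    print("two stores differ:", same_password_different_records("correct horse battery staple"))
```

The record is self-describing so the iteration count can be raised for new users without invalidating old rows; a slow, salted construction is the property that matters, and a purpose-built password hash such as bcrypt or scrypt would be used in the same way. Reusing a password across sites still exposes the user once an attacker guesses it, which is the reuse concern the question raises.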
A: 

Both answers are great, however (mt) Media Temple doesn't store plain text passwords. In November and December of 2009, a major security overhaul was performed. All passwords are stored hashed. Employees can not see customer passwords and authentication is performed using either a short term PIN or via password match since that time.

For your own security, maintaining more than one password should be standard practice. While many people enjoy the convenience of a single password for multiple logins, it is most definitely not a recommended method. A pass phrase that changes in relation to each login would be a more secure method of protecting your accounts online. In addition, periodic changes to your password are encouraged. We all get busy, and for sake of convenience, tend to let personal security lapse at times.

M Handa Support Supervisor (mt) Media Temple, Inc

M Handa