Halvor William Sanden

Scramble ramble: Passwords, salt and hash

Passwords should be set, not sent – and other things I thought about when someone talked about password-emailing as a natural part of the user registration. I'm no security expert, but that's a big no-no.

Only the user should have the password

A password can't be secure unless it has been set by the user; it doesn't matter if it's at registration or after it has been forgotten. Online stores, banks, email providers: no one should have passwords on record. If the password is sent to the user, it means that it's available on the server and now in the message, as cleartext, which means unencrypted, regular text like this. To add to that, email is generally a pretty unsafe method of communication.

How passwords are recognised

The password is never matched to the password itself. The places we log in to, hopefully, store only a hash of the password: an encrypted representation that is, simply put, scrambled through ramble. A mathematical tool takes the original and makes it into something much more complex, made to be very, very difficult to convert back to the original.

In order for the user to log in, the password input is passed through the same one-way scrambler before it gets matched to what is stored in the database.

Salt

Salting is adding random characters, almost like an additional second password, onto your password before scrambling it. This means that the hash is unique even if you use the same password on different sites or someone else uses the same password as you. When you log in, the salt is added to the input before it is scrambled and checked against what's on record.

Unsalted hashing means that the input is scrambled into the same hash every time. All services using the same encryption will store the same hash for the same words. That means that if you use the same password in more than one place, the hash will look the same, and if someone else uses the same password, it will look identical to yours. That is pretty easy to decrypt and pretty insecure when leaks and breaches happen. For instance, "potato" will always be hashed into 8ee2027983915ec78acc45027d874316 using md5, and it can easily be decrypted. Check for yourself.

It doesn't matter if the other services have good encryption when someone's got your password. Luckily it can be changed.
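The difference between unsalted and salted hashing described above, as an added example that is not part of the original post: an unsalted MD5 of the same word is identical every time, while a salted, deliberately slow hash stores a different record per registration and still verifies at login. The choice of PBKDF2, the iteration count and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not from the original post).
ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_md5(password: str) -> str:
    """Fast, unsalted hash: the same word gives the same output everywhere."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def register(password: str) -> dict:
    """Build the record a site stores: random salt plus hash, never the password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def login(record: dict, attempt: str) -> bool:
    """Scramble the attempt with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        attempt.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample: two sites (or two users) storing the same password.
    print("unsalted:", unsalted_md5("potato"), unsalted_md5("potato"))
    site_a, site_b = register("potato"), register("potato")
    print("salted A:", site_a["hash"])
    print("salted B:", site_b["hash"])
    print("login ok:", login(site_a, "potato"), "wrong password:", login(site_a, "tomato"))
```

The salt is stored next to the hash in the record; it does not need to be secret, it only needs to be random and different for every password.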

Remembering and managing

It's better to write down unique passwords than to re-use one everywhere just because you can remember it. Notes can be locked away, hidden or even scrambled – and manual encryption isn't a new thing.

Passphrases can be a fun way of making something that is easier to remember and potentially more secure than plain traditional passwords.

Password managers are great, as long as they are properly encrypted. The built-in managers in browsers are crap. They tend to store passwords in cleartext. Although I think this will change, and a more secure one will become a standard browser feature in the near future. The problem might be syncing across different browser brands and units.

Biometric authentication

Biometrics are not passwords. Biometric authentication is about identification. It grants access for you only; passwords grant access for anyone. That is, until someone gets access to or replicates your biometric records. Then it's much, much worse than all the leaked passwords.

Passwords can be changed, biometrics can't. When using biometrics it's like setting the same password everywhere and not being able to change it.

Also, my brother managed to unlock my computer once using the fingerprint scanner.