The Big Idea : Better Password Hashing

By -
For the last couple of days I have been thinking about how browsers send passwords across the network. I think I have a safer way. I would have to work at Microsoft or Mozilla to get this implemented however, I am content with blogging about it and getting some feedback. This is a line of code that as a web developer I write all the time: 
<INPUT TYPE=”TEXTNAME=”Login/><br />
<INPUT TYPE=”PASSWORDNAME=”Password/>
This HTML delivers the login and password to the browser in clear text. The web application takes the password and concatenates it onto a stored piece of random text (called salt) and then hashes the complete string. This hash is compared with the hash store for that login and if they match then the web application can assume that the user knows their password. If the web developer implemented good security for his system then he never stores the password, only a hash of the salt and the password. The salt helps make every hash unique. Why do web developers hash passwords? Well, most people only have four to five passwords that they use on roughly a hundred sites. If one of those sites is compromised and the password is in clear text then that password can be tried on other sites to gain access as that user. It also limits the harm an employee can cause if they have access to every password. Since you don’t know if the web site you are entering your password into is storing it hashed or in clear text it is in your best interest to change your password for every web site. However, keeping track of all those passwords becomes a maintenance nightmare. If you can’t remember them all you will need to write them down – and then where do you store them to keep them safe? So here is the big idea: Why doesn’t the browser hash the password before it sends it to the web site? This way the user would know that the web site couldn’t store his/her password as clear text because the web site would never get the clear text from the browser. The web developer would just store what they get from the browser, the hash of the password and compare that hash every time the user logs in. If the browser is going to hash the password, it has to know the salt in order to create a unique hash. This is the tricky part. Every user needs to have a different salt and that salt needs to be the same for that user every time. The salt can’t change based on browser, or computer, or location of the computer. The salt must be different for each web site – since having the same salt and password would mean the same hash for every web site which is the same security risk as the same password stored as clear text. My suggestion is that the salt be the domain name of the site concatenated with the login. The domain name and the login are known by the browser when the form is submitted; it is always unique per user and would be the same no matter where they logged in from. Plus each salt would be different for each domain. An evil doer that compromised the web application reading the password hash from the web database wouldn’t know the hash for another web site. Basically it is the same as making the browser generate a unique password for every web site. How would the browser do this securly? How would the HTML have to be rewritten (i.e. how does the browser know which input is the login)? Would the DOM restrict client side scripting from reading the password? These are all questions I don’t have the answers for. However, I do know that password handling on hundreds of web site is going to be an issue that needs solving in the next four to five years. {6230289B-5BEE-409e-932A-2F01FA407A92}

Comments

Post a Comment

Popular posts from this blog

Yet once more into the breech (of altered programming logic)

By -
Once upon a time, long long ago, I wrote 8-bit programs in Tiny-C with absolute addressing being the only reality.  Then we had Borland Turbo-C with relative addresses and the joys of relative assembly jumps. Enter Windows and the joys of locking and unlocking memory blocks that you must allocated and manage yourself. Then came Visual Basic which evolved into .Net CLR and decreasing awareness of what is happening under the hood.   With VS2010 including F# and enhanced parallelism in .Net4, we actually have to go retro a bit – back to the world of having to understand the hardware. CPU speeds are no longer increasing – I have an old laptop from six+ years ago that ran at 3.2 GHz. This year I updated one of my machines off-the-shelf from Costco.com, an I7-920 with 4 cores and hyper-threading (8 CPUs appears in Task Manager) and 12 GB of DDR3 RAM. This week I ordered from Costco a Phenom II X6 (Yes – 6 REAL CORES) for one of my daughters.  This CPU will (according to YouTube demos) o
Read more

Simple WP7 Mango App for Background Tasks, Toast, and Tiles: Code Explanation

By -
Image
This is a continuation of this post , explaining how the sample app works. Caution : This sample isn’t meant as an example of best patterns and practices. If you see something in the code you would never do, then don’t. Solution File Organization The app has three Visual Studio Projects: the app, the agent, and the shared code library between them. One of the great things about Mango is that now the built-in Visual Studio Unit test functionality is available. By separating out the meat of the work into the SampleShared project, I can also focus my unit testing there. SampleApp1 The app has a MainPage, a ViewModel, and the WMAppManifest.xml file modified to note my ExtendedTask of BackgroundServiceAgent. The Agent is extremely simple with a call to the shared library, an update to the Tile, and a call to pop up Toast. The meat of the work is in the SampleShared library. The AgentMgr manages the background agent : add, remove, find, run now. It is only called f
Read more

How to convert SVG data to a Png Image file Using InkScape

By -
Image
Introduction The project required the need to put the visual pie chart on a web page on the client and in a Pdf file created on the server. I eventually choose to use a Telerik Kendo DataViz Chart control on the client, and use a PNG file on the server for the Pdf file. This blog post will explain the process and code to convert the client-side pie chart Svg data to a Png file, and provide a download to the working code. Prerequisites You need to have a trial version of the Telerik Kendo library installed in order to make the sample code work. You also need InkScape installed. InkScape is the application that does the actual conversion. You will need to change the Web.config appSetting of “ExeDirectoryForInkscape” to represent your own installation location. Any SVG Data Will Work The pie chart was created using the Telerik Kendo DataViz chart control. While I name a specific control, as long as you have access to the SVG data, the same conversion process on the server will
Read more