2009-07-08

Passwords

Recently, I encountered a common issue in programming. My Perl application needs to use a service account to pass some parameters to another application. One of these parameters is a password. So the question is: how do I pass the password to the other application while protecting it from people who can view the source code...

I will not go into the details of the solution I came up with, but will instead discuss the "password issue" we face every day. In today's world, almost every site requires a username/password and gives you the same simple password recovery options, etc.

So, if someone is trying to hack into your account, the first thing they will try is the site's 'password recovery' option. Some sites allow you to create your own question, but most don't. The answers to these common questions may not be that difficult to find out, considering how much of our information is exposed.

What's worse? It's common knowledge that people reuse the same password on most web sites. Suppose instead you take one password and vary it so that it is unique for each site. That is much safer, but it is not fail-proof either: if a couple of your passwords are exposed, someone may figure out your system...

How about using, say, an MD5 (now broken and not safe) or SHA-1 hash instead of the password? The good thing about a hash is that it's a one-way function. So, if you are not using the same password, the hashes you use will be unique for each site.

Sounds great, right? Guess what? Most sites, even the very respectable financial ones, have restrictions on your password that make it quite insecure.

Take a look at Microsoft's often-cited "Strong Password: How to create and use them".

The following is from the American Express Password Change Page:

Your Password should:
  • Contain 6 to 8 characters - at least one letter and one number (not case sensitive)
  • Contain no spaces or special characters (e.g., &, >, *, $, @)
  • Be different from your User ID and your last Password

Check any password you create with these rules against Microsoft's Password Checker.

Not surprisingly, you cannot get a strong password with these restrictions. Only 6-8 chars, and not even case sensitive? You cannot use any special characters?? What were they thinking???
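As an added illustration (this is not code from the original post), the following Python script derives a per-site string by hashing a master secret together with the site name, as proposed above, checks candidate passwords against the American Express rules just quoted, squeezes the hash into a form those rules accept, and computes how many bits of keyspace each form actually has. The master secret, site names and sample digests are constructed values, and the function names are my own.

```python
import hashlib
import math
import re
import string
from typing import Optional

# Constructed value for the demonstration; not from the original post.
MASTER_SECRET = "constructed-master-secret"

# The American Express rules quoted in the post: 6 to 8 characters,
# at least one letter and one digit, no spaces or special characters,
# and case-insensitive (so upper and lower case count as one symbol).
AMEX_MIN_LEN = 6
AMEX_MAX_LEN = 8
AMEX_ALPHABET_SIZE = len(string.ascii_lowercase + string.digits)  # 36


def per_site_hash(master: str, site: str) -> str:
    """Per-site derivation in the spirit of the post: a one-way hash of
    master + site. SHA-1 is used only because the post names it; the result
    is unique per site as long as the site label differs, and the master
    secret itself never has to be sent to any site."""
    return hashlib.sha1(f"{master}:{site}".encode("utf-8")).hexdigest()


def meets_amex_rules(pw: str) -> bool:
    """Return True if pw satisfies the quoted American Express policy."""
    if not AMEX_MIN_LEN <= len(pw) <= AMEX_MAX_LEN:
        return False
    if re.fullmatch(r"[A-Za-z0-9]+", pw) is None:  # rejects spaces and symbols
        return False
    return any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)


def fit_to_amex(digest_hex: str) -> Optional[str]:
    """Squeeze a hex digest into the policy: the first 8-character window
    that contains both a letter and a digit. Hex is already alphanumeric,
    but a window can happen to be all digits (roughly 2% of the time for
    8 hex chars) or all letters, so we slide along the digest instead of
    blindly truncating; return None if no window qualifies."""
    for start in range(0, len(digest_hex) - AMEX_MAX_LEN + 1):
        window = digest_hex[start:start + AMEX_MAX_LEN]
        if meets_amex_rules(window):
            return window
    return None


def keyspace_bits(alphabet_size: int, min_len: int, max_len: int) -> float:
    """log2 of the number of strings the policy admits (ignoring the
    letter+digit requirement, which only shrinks the space further)."""
    total = sum(alphabet_size ** n for n in range(min_len, max_len + 1))
    return math.log2(total)


def compare_strength() -> dict:
    """Bits of keyspace for the full SHA-1 hex digest, for the most the
    quoted policy can permit, and for an 8-character hex window that fits it."""
    return {
        "sha1_hex_full": keyspace_bits(16, 40, 40),  # 160 bits
        "amex_policy_max": keyspace_bits(AMEX_ALPHABET_SIZE, AMEX_MIN_LEN, AMEX_MAX_LEN),
        "hex_window_8": keyspace_bits(16, 8, 8),  # 32 bits
    }


if __name__ == "__main__":
    for site in ("bank.example", "mail.example"):  # constructed site labels
        digest = per_site_hash(MASTER_SECRET, site)
        print(site, digest, "->", fit_to_amex(digest))
    for name, bits in compare_strength().items():
        print(f"{name}: {bits:.1f} bits")
```

The numbers make the post's complaint concrete: the quoted policy caps every password at about 41 bits of keyspace, and an 8-character hex window of the hash is only 32 bits, below even that ceiling. The hashing trick therefore buys uniqueness across sites, but it cannot buy strength the policy forbids; encoding the digest in base 36 rather than hex would at least use the full 41 bits the rules allow.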

How about storing passwords? Well, long story short, it seems that Passpack is leading the pack. Check that one out...