Jun 8, 2009

Finding Software Insecurities through Password Policies

There are a few main security strategies to consider when using password controls within an application:
- Users should always be forced to use fairly complex passwords
- Unless used with legacy software, passwords should always be salted and hashed (even reversible encryption doesn't cut it: apart from legacy software, there is no valid reason that requires passwords to be recoverable)

Earlier I landed on this blog post by Johannes Ullrich from the SANS Institute. The bit that I like the most is:
> Usually, if a site is imposing [maximum] limits to your password, like the length or it doesn't allow certain characters, you can guess that your password will be stored in the clear.
>
> The reason is simple: If the password is hashed, then it doesn't matter how long it is, or what characters it uses. It will always end up as a fixed length hex string.
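The fixed-length property behind that quote, as an added example (not code from the original post or from SANS): a salted PBKDF2-HMAC-SHA256 store, where the iteration count, salt size and digest size are assumed values chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for this example; tune the cost factor upward for production.
ITERATIONS = 200_000
SALT_BYTES = 16
DIGEST_BYTES = 32  # SHA-256 output length


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). The digest is always DIGEST_BYTES long,
    no matter how long the password is or which characters it contains."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_BYTES
    )
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def stored_lengths(passwords: list) -> set:
    """Set of stored-digest lengths for the given passwords; a hashing store yields one value."""
    return {len(hash_password(p)[1]) for p in passwords}


if __name__ == "__main__":
    # Constructed sample inputs: short, very long, and non-ASCII / "special" characters.
    samples = ["abc", "x" * 500, "pässwörd ✓ <script>' OR 1=1"]
    print(stored_lengths(samples))  # {32}
    salt, digest = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", salt, digest))  # True
    print(verify_password("wrong", salt, digest))  # False
```

A maximum length can still be legitimate with a hashing store, for instance to bound the cost of the key-derivation function, so the quoted rule is a signal to investigate rather than proof of plaintext storage.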
