Please note: this is an old post. I have been blogging for a really long time: since my childhood, in fact. Bear in mind that any opinions stated may have changed, any code snippets may no longer be considered safe or secure, and my personal circumstances are almost certainly different to what's contained herein. You have been warned...
I am a PHP web dev with an interest in scripting, security (XSS, SQL injection etc) and WordPress. If you’d like to work with me, get in touch. In the meantime, don’t forget to follow me on twitter and like my blog on facebook.
– – –
I’ve become increasingly aware of passwords recently. Actually, that probably sounds like a stupid statement because everyone is aware of passwords. What I mean is, I’m becoming aware on just how useless they can be in the wrong hands.
A couple of weeks ago I wanted to order some new bedding, a fairly harmless task in itself. The cheapest route seemed to be ordering through Tesco. For those who don’t know, Tesco is a massive supermarket chain selling everything from frozen peas to the “deluxe brown leather padded bridle”. They also do various types of insurance, they’re a mobile phone provider, they’ve branched out into providing savings accounts... basically they are trying to run the world little by little. They also sell cheap bedding, and so I hooked myself up online in their House & Home section.
After finding what I wanted, I tried to check out but discovered I couldn’t for the life of me remember my password. I proceeded to the ‘Forgotten your password?’ page expecting to have to touch my nose with my left toe, scratch my eye with my elbow and remember 12 different facts about my life that I may or may not have made up when I originally created the account: because this is what any decent provider does as a basic security measure. Usually this ends with me having to come up with a new password which I’ll no doubt forget again in a fortnight, but nonetheless it is reassuring and theoretically secure.
Turns out, Tesco.com don’t do any of that. Tesco.com don’t even enforce a “please click this link to verify you want your password” policy which, while ultimately pointless if someone is in your e-mail account, shows some effort in terms of security. Tesco.com sent me my password in a plain text e-mail. My unprotected, visible password. This pisses me off because I know that the chances of Tesco having their own rainbow table hooked up to their user database are slim, and therefore they’re storing my password as plain text. That’s Tesco.com, a multi-billion pound company, storing passwords in a format visible to anyone who wants to break into their database. Might sound infeasible to you but shit happens all the time; oh look, didn’t the British government just accidentally lose the data of 25 million people?
For those not aware, most web-based services hash user passwords in their databases. This can be anything from the common MD5 hash (if you use WordPress, your admin password is md5-hashed in the database) to a salted hash (which, in its simplest use, is a random combination of characters applied to the password before it is hashed). Some use more complex hashing algorithms such as SHA-1. Either way, there is an extra level of protection for your password, so if the worst happens and a hacker gets into a database, the passwords aren’t in plain view (except in Tesco.com’s case, they are).
Hashing is unfortunately not absolute. Dictionary words, for example, are extremely easy to “de-hash” and there are hundreds of pages out there dedicated to providing these services. They use what are known as rainbow tables (as briefly mentioned above). Even Google can accidentally facilitate the “de-hashing” of passwords, as in the case of Steven J. Murdoch and his hacker.
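To make the last two paragraphs concrete, here is an added example (not code from the original post, and not how Tesco.com or WordPress actually implement anything): plain unsalted MD5 as the post says WordPress stored it, the same digest with a per-user random salt, and the precomputed-lookup idea behind rainbow tables run against a constructed five-word list. The function names, the word list and the sample passwords are all made up for this illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

# Constructed "leaked" word list. A real rainbow/lookup table holds millions of
# entries, but the mechanism shown here is identical: hash once, look up forever.
WORDLIST = ["password", "letmein", "qwerty", "tesco123", "monkey"]


def md5_hex(text: str) -> str:
    """Plain, unsalted MD5 hex digest (the old WordPress storage format)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> word. This is the core idea behind rainbow tables:
    the work is done once, then every stolen unsalted hash is a dictionary hit."""
    return {md5_hex(w): w for w in words}


def reverse_unsalted(digest: str, table: Dict[str, str]) -> Optional[str]:
    """A stolen unsalted hash of a dictionary word is one lookup away from the
    password. Returns None when the word was never in the table."""
    return table.get(digest)


def hash_with_salt(password: str, salt: Optional[str] = None) -> Tuple[str, str]:
    """Salted hash: a fresh random salt per user is prepended before hashing.
    The salt is stored next to the digest; it is not secret, it only makes a
    precomputed table useless because every user needs a table of their own."""
    if salt is None:
        salt = secrets.token_hex(8)  # 16 hex chars of CSPRNG output
    digest = md5_hex(salt + password)
    return salt, digest


def verify_salted(password: str, salt: str, expected: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_with_salt(password, salt)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)

    # Two users who both chose "qwerty": unsalted, the database reveals it
    # immediately and also shows that they share a password.
    stolen = md5_hex("qwerty")
    print("unsalted lookup:", reverse_unsalted(stolen, table))  # qwerty

    # Salted: the same word, but the lookup table misses and the two users'
    # rows no longer look alike.
    salt_a, digest_a = hash_with_salt("qwerty")
    salt_b, digest_b = hash_with_salt("qwerty")
    print("salted lookup:", reverse_unsalted(digest_a, table))  # None
    print("same password, same digest?", digest_a == digest_b)  # False
    print("login check:", verify_salted("qwerty", salt_a, digest_a))  # True
```

One caveat worth stating plainly: the salt only defeats precomputed tables. MD5 (and SHA-1) are fast, so an attacker who has the database, salts included, can still hash guesses per user at high speed; that is why current practice is a deliberately slow password function such as bcrypt, PBKDF2 or Argon2 rather than a salted general-purpose hash.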
If you follow common sense and use numbers and special characters in your passwords, the chance of them being “de-hashed” is much lower. Still, I don’t hold out much hope for sites like Tesco.com keeping my plain text password safe, and so in the meantime I’ll be hashing my passwords myself. Of course, this only serves as a bloody big reminder to use a different password for every site you sign up to, however much of a pain in the ass it is.