Protecting Passwords / #DefaultSecure

2021-01-25 / Steven Davis

Once upon a time, I was a security guy. For real. At NSA even.

It is an easy field to get burned out in. For, the big secret that no one tells you is that (MOST) security isn’t hard or expensive.

The big problem is not brilliant hackers, it is businesses that… don’t know and don’t care enough to do a good job. And that the companies that ship the software that most businesses use aren’t shipped in a #DefaultSecure state.

… kind of like #DefaultAccessible.

Anyhow.

It is quite possible for an online service to make your password MUCH  safer than it is.

(Sorry, I’m going to get a bit technical, here)

Sadly, many don’t even do the bare minimum of having a unique hash seed for each user account.

This allows a bad guy to attack all of the user passwords at once.

(leave a comment if you would like me to go through this)

Default “good password software libraries” for computer languages would help…

BUT, it isn’t too hard to take this to the next level.

You could very cost-effectively “split” your password server and make even bad passwords very hard to attack.

How?

Add a 3rd party (or separate location) password per-proccessor:

Instead of sending the username/password pair to your server to be autenticated, a triple of “yoursite,username,password” or “username,password” if you run your own pre-processor…

would go to the pre-processor server (which should actually be a distinct server (ideally at a different ISP or on a different server to reduce the odds of it also being hacked at the same time).

This processor would not know anything about the password, it would simply expand and encrypt it according to its own algorithm.

For the math inclined:

BetterPassword(userID) = EncryptAndExpand(userID,allegedpassword),OtherCleverStuff(optional).

It does not verify the password, it simply returns a new one that is used by the password authentication system to validate the password.

It will give an answer to any password – good or bad.

This forces an attacker to attack BOTH servers to attack the authentication system… and gets us out of the business of trying to make people make up for poor computer system security.

(end rant)

 


    Posted in

    Steven Davis