Site Notes

RTH Beefs Up Password Security

By Ryan McGreal
Published February 05, 2011


It's a sad fact of life on the internet that no web server is invulnerable to attack. Despite the best efforts of server administrators and website developers to secure their sites, people continue to discover and exploit vulnerabilities to break into online systems, run harmful programs or obtain private data.

While it may be tempting to assume that some online private data sets - say, your online banking credentials - are more important than others - say, your RTH user account - the problem is that people tend to use the same password on both low- and high-security websites.

If you do this, your online security is only as safe as the least secure website you use, since malicious agents can obtain usernames and passwords from sites with weak security and use those credentials to log into sites with strong security.

One way website developers can limit the damage from a break-in is to store a one-way hash of each user's password instead of the password itself. That way, even if the user table is stolen, the attacker ends up with a set of hashes that have to be cracked one guess at a time, rather than with the passwords themselves.

Raise the Hammer has stored passwords this way since we re-wrote the code in 2009. However, it turns out the method we have been using - a salted MD4 hash - is not very secure.

The problem is that MD4, like every general-purpose hashing algorithm, is designed to be fast. A malicious hacker with a reasonably powerful computer can test millions of guesses per second against a stolen hash, so a brute-force or dictionary attack recovers most real-world passwords in short order. The salt stops an attacker from reusing precomputed tables across accounts, but it does nothing to slow down guessing against any one account.

Instead of a fast hashing algorithm, which makes brute force cheap, security experts recommend a deliberately slow (computationally expensive) password hashing algorithm such as bcrypt, whose cost can be raised as hardware gets faster.

Effective immediately, RTH hashes user passwords with bcrypt, via Damien Miller's py-bcrypt implementation.
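The contrast the post draws, as an added example that is not RTH's code or py-bcrypt: a salted fast hash next to a slow hash with a tunable cost, a dictionary attack run against each, and a verify routine that stores the work factor with the hash so the site can raise it later (the point Ryan makes in the comments below about adjusting bcrypt's work factor). Two substitutions keep it runnable with only the Python standard library: SHA-256 stands in for MD4, which many OpenSSL builds no longer ship, and PBKDF2-HMAC-SHA256 stands in for bcrypt, with 2**work_factor iterations mirroring bcrypt's logarithmic cost. The record format, the wordlist and the passwords are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time

# Constructed sample wordlist standing in for an attacker's dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein", "hamilton", "dragon"]


def fast_salted_hash(password: str, salt: bytes) -> bytes:
    """Salted fast hash: one pass of a general-purpose digest.

    The post's scheme used MD4; SHA-256 stands in because MD4 is often
    disabled in modern OpenSSL builds. Speed, not the particular digest,
    is what makes this weak for passwords.
    """
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def slow_hash(password: str, salt: bytes, work_factor: int) -> bytes:
    """Deliberately slow hash with a tunable cost.

    PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so
    the example runs without third-party packages. As with bcrypt the cost
    is logarithmic: each guess costs 2**work_factor iterations.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               2 ** work_factor)


def make_record(password: str, work_factor: int) -> str:
    """Hash a new password and encode salt and cost alongside the digest.

    Keeping the work factor in the record (a constructed format, not
    bcrypt's) is what lets a site raise the cost later and re-hash old
    accounts at their next successful login.
    """
    salt = os.urandom(16)
    digest = slow_hash(password, salt, work_factor)
    return f"pbkdf2-sha256${work_factor}${salt.hex()}${digest.hex()}"


def parse_record(record: str) -> tuple[str, int, bytes, bytes]:
    algo, cost, salt_hex, digest_hex = record.split("$")
    return algo, int(cost), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify(password: str, record: str) -> bool:
    """Check a login attempt; compare in constant time to avoid a timing leak."""
    _, work_factor, salt, stored = parse_record(record)
    candidate = slow_hash(password, salt, work_factor)
    return hmac.compare_digest(candidate, stored)


def needs_rehash(record: str, current_work_factor: int) -> bool:
    """True when a stored record was made with a lower cost than policy now requires."""
    _, work_factor, _, _ = parse_record(record)
    return work_factor < current_work_factor


def dictionary_attack(target: bytes, salt: bytes, hash_fn) -> tuple[str | None, float]:
    """Attacker's view: try every word against one leaked (salt, digest) pair.

    Returns the recovered password (or None) and the wall-clock seconds spent.
    """
    start = time.perf_counter()
    for guess in WORDLIST:
        if hash_fn(guess, salt) == target:
            return guess, time.perf_counter() - start
    return None, time.perf_counter() - start


def main() -> None:
    salt = os.urandom(16)
    leaked_fast = fast_salted_hash("hamilton", salt)
    found, secs = dictionary_attack(leaked_fast, salt, fast_salted_hash)
    print(f"fast hash: recovered {found!r} in {secs * 1e6:.0f} microseconds")

    work_factor = 14  # 16384 iterations per guess; raise as hardware gets faster
    leaked_slow = slow_hash("hamilton", salt, work_factor)
    found, secs = dictionary_attack(
        leaked_slow, salt, lambda pw, s: slow_hash(pw, s, work_factor))
    print(f"slow hash (cost {work_factor}): recovered {found!r} in {secs:.3f} seconds")

    record = make_record("correct horse battery staple", work_factor)
    print("login ok:", verify("correct horse battery staple", record))
    print("wrong password:", verify("Tr0ub4dor&3", record))
    print("needs rehash at cost 16:", needs_rehash(record, 16))


if __name__ == "__main__":
    main()
```

Run it and compare the two timings: the same six-word dictionary that falls in microseconds against the fast hash takes a measurable fraction of a second at cost 14, and the gap grows by a factor of two for each step of the work factor. With real bcrypt the cost parameter plays the same role: pick it so a login takes a few hundred milliseconds on your own hardware, and bump it as machines get faster, re-hashing at the next login wherever needs_rehash is true.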


Update: I tweaked the session management functionality so that pages load more quickly.

Ryan McGreal, the editor of Raise the Hammer, lives in Hamilton with his family and works as a programmer, writer and consultant. Ryan volunteers with Hamilton Light Rail, a citizen group dedicated to bringing light rail transit to Hamilton. Ryan writes a city affairs column in Hamilton Magazine, and several of his articles have been published in the Hamilton Spectator. He also maintains a personal website and has been known to post passing thoughts on Twitter @RyanMcGreal. Recently, he took the plunge and finally joined Facebook.

8 Comments


By Gurudatt (anonymous) | Posted February 05, 2011 at 05:34:35

spam comment deleted

Comment edited by administrator Ryan on 2011-02-05 10:47:08


By highwater (registered) | Posted February 05, 2011 at 08:44:18

Always looking out for us. Thanks, Ryan. Now about that tip jar...:)


By UrbanRenaissance (registered) | Posted February 05, 2011 at 09:42:36

Thanks for this Ryan. Though after reading this I've already beefed up all my passwords considerably.

Also is that first comment from a spambot, or a real person making a shameless plug?

Comment edited by UrbanRenaissance on 2011-02-05 10:01:15


By Undustrial (registered) - website | Posted February 05, 2011 at 10:13:37

As a general rule, there really isn't anything you'll find on an average computer - Windows, wifi, standard website logins etc. - that isn't horribly insecure. There are much better ways to do it, but ultimately, you'll never be secure.

The best policy is to follow hacking and hackers at least closely enough to know what's really not secure. Cracking WPA with the amazon cloud - that's new (and has frightening possibilities for most encryption). However WEP is breakable by most housepets. It sends the password as a part of packets (data chunks), in pieces. Sit long enough listening, and you've got it.


By UrbanRenaissance (registered) | Posted February 05, 2011 at 10:25:34

@Undustrial, couldn't agree more. Everyone has a responsibility to always use best practices when it comes to online security; starting with the developers all the way down to the end user. (I'm looking at you people who use your birthday for every password!) With the exponential increase in available computing power all we can do is make things as difficult as possible for any malicious hackers.

Comment edited by UrbanRenaissance on 2011-02-05 10:27:16


By Ryan (registered) - website | Posted February 05, 2011 at 10:57:47

One of the nice things about bcrypt is that you can adjust the work factor for generating keys so that as computers get faster, the computational load can keep up. That makes it forward-compatible in a way that other encryption techniques are not.


By UrbanRenaissance (registered) | Posted February 05, 2011 at 12:14:19 in reply to Comment 59300

I saw that in the py-bcrypt docs. Very slick.


By Blutooth (anonymous) | Posted February 05, 2011 at 12:34:45

Comments with a score below -5 are hidden by default.

