Bio

Christopher Flynn

Web developer, husband, dad, surfer, amateur photographer, tinkerer, 2nd amendment advocate, brewer, chef, libertarian, atheist, UNIX Geek, troublemaker.


Do Not Store Passwords as Plain Text

Hacker News has a story about a Christian dating site that was hacked. A couple of things went wrong, but what amazes me most is that people still save passwords as plain text. Someone also used the leaked list to break into some Facebook accounts, which is exactly why people recommend using different passwords on different sites.

One-way SHA hashing is easy to do. Every language I've used has libraries that make it easy. At the very least use md5 with a salt; there's no excuse. The worst part is that as an end user, there's no real way to tell how a website is storing your password. If a site can show you your current password, that's a giveaway, but not being able to see it doesn't mean it isn't stored as plain text either.

Most of the time I develop with Django and use its auth system. It's easy to use, flexible and secure. Before I started using Django, and even a few times when integrating Django into an existing system, I've had to code this stuff by hand, and it's really easy to do. It's typically just a function call like sha1(password+salt), where password and salt are your two variables. You store the hashed password, and when a user logs in you hash what they typed in with the same salt and compare that to what's in the database. If it matches, let them in. The salt can go before, after or even in the middle; you just have to be consistent.

There's no excuse for plain text passwords!
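The store-and-compare flow described above, written out as an added Python example (this is not code from the post or from Django). It uses the sha1(password+salt) call the post names, adds a random per-user salt stored alongside the digest, and does the login comparison in constant time; the user table and the usernames and passwords in it are constructed for the example.

```python
import hashlib
import hmac
import os

# Added example: salted one-way hashing plus verification, as the post
# describes. Algorithm name, salt and digest are stored together so each
# user gets a distinct salt and the algorithm field can be changed later.

HASH_NAME = "sha1"   # the post's example call; any hashlib algorithm name works here
SALT_BYTES = 16


def make_salt(nbytes=SALT_BYTES):
    """Random per-user salt, hex encoded so it stores cleanly in a text column."""
    return os.urandom(nbytes).hex()


def hash_password(password, salt, hash_name=HASH_NAME):
    """sha1(password + salt): the salt goes after the password here, and
    verification must use the same placement, as the post notes."""
    h = hashlib.new(hash_name)
    h.update(password.encode("utf-8"))
    h.update(salt.encode("utf-8"))
    return h.hexdigest()


def encode_record(password, salt=None, hash_name=HASH_NAME):
    """Build the string that goes in the database: '<algo>$<salt>$<digest>'.
    The plain-text password is never stored."""
    if salt is None:
        salt = make_salt()
    return f"{hash_name}${salt}${hash_password(password, salt, hash_name)}"


def check_password(password, stored):
    """Recompute the digest from the typed password and the stored salt,
    then compare in constant time to avoid leaking how many bytes matched."""
    try:
        hash_name, salt, digest = stored.split("$", 2)
    except ValueError:
        return False  # malformed record: never treat it as a match
    candidate = hash_password(password, salt, hash_name)
    return hmac.compare_digest(candidate, digest)


def build_user_table():
    """Constructed stand-in for a users table: username -> stored record."""
    return {
        "alice": encode_record("correct horse battery staple"),
        "bob": encode_record("hunter2"),
    }


def login(table, username, password):
    """True only if the user exists and the salted hash of the typed password
    equals the stored digest. An unknown user still pays for one hash so the
    response time does not reveal which usernames exist."""
    stored = table.get(username)
    if stored is None:
        hash_password(password, "0" * (SALT_BYTES * 2))
        return False
    return check_password(password, stored)


if __name__ == "__main__":
    users = build_user_table()
    print(users["alice"])                                       # sha1$<salt>$<digest>
    print(login(users, "alice", "correct horse battery staple"))  # True
    print(login(users, "alice", "wrong"))                        # False
    print(login(users, "mallory", "anything"))                   # False
```

Because the record carries its algorithm name, the same encode/check pair can later be pointed at a slower standard-library function such as hashlib.pbkdf2_hmac without changing the login code; the post's only requirement, that hashing and verification use the salt in the same position, is enforced by routing both through hash_password.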

Comments

Posted on: Monday, September 14, 2009 - 09:24 AM

mcdonalds coupons

Thank you very much for that awesome entry.

