[Cryptography] Possible reason why password usage rules are such a mess
Arnold Reinhold
agr at me.com
Fri Nov 20 16:03:35 EST 2020
> On Nov 20, 2020, at 3:19 PM, Kent Borg <kentborg at borg.org> wrote:
>
> On 11/20/20 11:57 AM, Arnold Reinhold wrote:
>> That is why we need some requirement that services that use password authentication disclose the measures they use to store password validation data, or maybe some seal of approval that guarantees they meet some minimum standards, in particular something better than fast hashes, which are now almost useless.
>
> Down that road lies a lot of territory…
>
> Whether, say, passwords are even required! Didn't T-Mobile recently have a problem where once logged in a user could change an account number in the URL and access a different account? Isn't S3 data routinely discovered sitting around unprotected?
>
> Regulating around password storage feels like a narrow concern.
>
> There are *so* many ways to build an insecure system, and there is *so* little regulation about the building of these systems. First, can we regulate our way out of this insecure mess? If we can, is this really where to start?
>
One has to begin somewhere. And poor storage of password validation data is a major vulnerability. For starters, I am suggesting transparency and self-certification, not regulation. We already have regulation in many jurisdictions requiring prompt notification when data is compromised and the associated costs to enterprises can be quite high. So there is an incentive to do things right, which needn't cost that much anyway. What is lacking is clear standards. Most developers seem to know they should use a hash and many know about salt, but most think SHA-256 is perfectly adequate, when it isn’t.
And yes there are other vulnerable areas to address. Password reset answers are orders of magnitude easier to guess or recover from hashes, for example. But that is another discussion (see https://www.researchgate.net/publication/318721386_Safer_Storage_and_Handling_of_User_Answers_to_Security_Questions e.g.).
Arnold Reinhold
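The contrast the thread draws, salted SHA-256 versus a deliberately slow password hash, as an added example that is not part of the original messages. PBKDF2-HMAC-SHA256 stands in for "something better than fast hashes" because it ships with CPython; scrypt or Argon2 would be the stronger choice since they also cost memory. The stored-record format (`pbkdf2_sha256$iterations$salt$digest`) is this example's own convention, not something the thread specifies.

```python
import hashlib
import hmac
import os
import time

# Work factor for the slow hash. Raise it as hardware improves; every guess
# an attacker makes against a leaked record costs this many HMAC-SHA256 calls.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def fast_hash(password: str, salt: bytes) -> bytes:
    """Salted single-pass SHA-256: the 'fast hash' the thread calls inadequate."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def slow_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256 (a stand-in for scrypt/Argon2)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Build the string a service stores: algorithm, work factor, salt, digest.
    Keeping the parameters in the record lets the service raise the work
    factor later without invalidating existing users."""
    salt = os.urandom(SALT_BYTES)
    digest = slow_hash(password, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(record: str, candidate: str) -> bool:
    """Check a login attempt against a stored record.
    Any malformed record yields False instead of an exception."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(digest_hex)
        actual = slow_hash(candidate, bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        return False
    # Constant-time comparison so response timing doesn't reveal how many bytes matched.
    return hmac.compare_digest(expected, actual)


def guesses_per_second(hash_fn, salt: bytes, guesses: int) -> float:
    """Rough single-core throughput of a guess-and-hash loop. This is the
    number the work factor is meant to drive down: it shows what one leaked
    record costs to attack with each scheme."""
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn(f"guess{i}", salt)
    return guesses / (time.perf_counter() - start)


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print("stored:", rec)
    print("right password accepted:", verify(rec, "correct horse battery staple"))
    print("wrong password rejected:", not verify(rec, "correct horse battery stapl"))
    salt = os.urandom(SALT_BYTES)
    print(f"salted SHA-256 guesses/s: {guesses_per_second(fast_hash, salt, 20_000):,.0f}")
    print(f"PBKDF2 guesses/s:         {guesses_per_second(slow_hash, salt, 5):,.1f}")
```

Running the script prints a throughput gap of several orders of magnitude between the two schemes on the same machine; that gap, multiplied across every user's record, is the difference the thread is talking about when it says fast hashes are nearly useless for storage of password validation data.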