Home for HMNL Enterprise Computing

    Password Privacy

    Ian Tree  22 January 2015 17:31:31

    A Reasonable Expectation of Privacy – My Internet Passwords

    A password that I use to access an internet service is my private property there is no valid reason why anyone, including the provider of the internet service that it grants access to, needs to know what my password is. When I attempt to authenticate with a particular internet service the service provider only needs to confirm that the password and identity combination that I have provided are the same values that were used when I registered with the service or last changed the password.

    Passwords should only ever be stored in the service providers credential store once they have been one-way encrypted or uniquely hashed. One way encryption schemes are simple, generate an asymmetric encryption key pair and then throw away one of the keys from the pair use the remaining key to encrypt passwords with a reasonable certainty that they can never be decrypted.
    For authentication the service encrypts the password offered using the same one way key and then compares it with the encrypted password stored in the credential store, if it matches then access is granted to the service otherwise access is refused.

    There are a few implementation details to look out for, as ever, the devil is in the detail. Make sure that all messages containing passwords are encrypted in transport using TLS/HTTPS or similar transport session protection. Make sure that messages containing passwords are encrypted at the highest layer in the software stack after the transport decryption has been applied, make sure that there is no possibility of logging any message containing a decrypted password. Passwords make very short messages to encrypt so ensure that the encryption or hashing message is good at handling short messages; to this end it is a good idea to salt the password with other information from the user credentials to increase the entropy of the message.

    Passwords are still vulnerable to discovery if they have a low password strength as they can by guessed or determined through dictionary attacks; users should guard against the former and service providers should guard against the latter. Users must of course remain vigilant for social engineering attacks that attempt to get them to supply passwords of their own accord. Service providers also need to guard against social engineering attacks against their lost/forgotten password reset processes.

    I first came across this methodology in 1978 and first used it in anger in the early eighties, so it is not novel or unusual but it is discomforting to see how many services do not implement this or an equivalent level of protection for users passwords.