Don't Be an Idiot

by Peter Saint-Andre

2009-05-08

A member of the Jabber community pinged me the other day about Jeff Atwood's rant against plaintext passwords, occasioned by the fact that someone hacked his OpenID password. I got pinged because the jabber.org IM service stores passwords in plaintext, which might be considered a bad security practice.

While I would love to find a solution to the problem of plaintext password storage (more about that later), first I'll make several observations:

So yes, the service provider didn't protect Mr. Atwood's password by storing it in some encrypted format, but we can see that there is plenty of blame to go around.

Now, you never really know anything about the password storage methods used by your favorite Internet services. Therefore, if you want to make sure that your password doesn't get hacked, you need to take responsibility for how you choose your passwords. There are easy tools for this, such as Firefox plugins. Personally, I construct almost all of my passwords by typing the following in a terminal window on my Mac:

echo -n "some-string" | openssl dgst -binary -sha1 | openssl enc -nopad -base64

The output is something like this:

AoZMnJ+YYmwPcJyMEMv6/iYuJ4g=

Hack that!

Naturally I don't use "some-string". I use some combination of my username at the service, the domain name of the service, a special word of my own choosing (typically not from the English language), and the current year (this prompts me to change the password once a year). For example, you could use something like this for "some-string":

%username_at_servicename//with_myspecialword//for_2009%

Heck, that would be a fairly strong password on its own. But now if you run it through a hashing algorithm, you'll have a really strong password.

One problem is that some websites don't let you use a long password (e.g., not more than 20 characters) and they often restrict the characters you can use (e.g., no "+" or "="). Sadly, it's often financial websites that have these stupid, insecure restrictions! But that's another story...
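The derivation described above, wrapped as a shell function, with a second function for the length and character-set restrictions mentioned in the previous paragraph. This is an added example, not code from the original post: the function names, the exact seed layout (which follows the post's sample string) and the sample values are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original post: a small wrapper around the openssl
# pipeline described above, plus a helper for sites that cap password length or
# reject base64 punctuation. Function names, seed layout and sample values are
# this example's own assumptions.

# derive_password USER DOMAIN SECRETWORD YEAR
# Builds the seed "%USER_at_DOMAIN//with_SECRETWORD//for_YEAR%" (the layout the
# post suggests), SHA-1 hashes it and prints the digest as base64 (28 chars).
# printf is used instead of "echo -n": on some /bin/sh implementations
# "echo -n" prints a literal "-n", which silently changes the seed and
# therefore the password.
derive_password() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
    seed="%${1}_at_${2}//with_${3}//for_${4}%"
    printf '%s' "$seed" | openssl dgst -binary -sha1 | openssl base64
}

# fit_password PASSWORD MAXLEN
# Adapts a derived password to a site that rejects "+", "/" or "=" and caps the
# length. Dropping the three base64 symbols leaves a 62-symbol alphabet, so a
# 20-character cut still keeps roughly 20 * log2(62) ~ 119 bits of the digest.
# The transformation is deterministic: the same inputs always fit the same way.
fit_password() {
    printf '%s' "$1" | tr -d '+/=' | cut -c1-"$2"
}

# Usage with constructed sample values (run as: sh derive.sh demo)
if [ "${1:-}" = "demo" ]; then
    full=$(derive_password alice example.com wortspiel 2009)
    echo "full:   $full"
    echo "fitted: $(fit_password "$full" 20)"
fi
```

The fitted form is what you would paste into a site with a 20-character limit; because it is derived deterministically from the same seed, you only have to remember the secret word and the scheme, not the result.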

Yes, this is a PITA. But is it more of a PITA than having your email account or IM address or online banking access hacked? I don't think so.

Nothing in this rant excuses the other parts of the system that often break down, including people-who-should-know-better -- such as, say, the admins of the jabber.org IM service (c'est moi). More about that in future posts.
