Andre de Cavaignac

Let's blog it out...

Security: Writing Password Protected Applications

Okay, here is something that is very frustrating to me: so many people do this incorrectly, and it makes me feel insecure about giving my password to a website. The thing they don't do properly is password management.

In this day of the web and hobbyists calling themselves developers, we've found ourselves with tons of accounts at every web property ever, each with a username and password. Users, however, seldom know how their password will be stored when they supply it. This leads to simple but dangerous security holes.

Ways not to handle passwords

  • Never store passwords in plain text. Passwords should be stored as one-way hashes (such as MD5) so that the hashes can be compared when a user enters a password to log in. Storing passwords raw in a database not only makes you responsible for everyone's lost passwords if someone hacks your system, but is also bad practice because DBAs have full access to the password list.
  • Never send a user their password in "forgot password" workflows. If you follow the first rule, this should be obvious enough. Sending passwords via email is dangerous because anyone can sit down at a user's machine, open up the web browser history and Outlook, try "forgot password" on a few sites, and get the user's password to anything. Not very secure.

Proper ways to handle passwords

  • Store passwords with a one-way hash. Storing a one-way hash lets you compare it against the hash you compute when a user attempts to log in, but keeps the user's password out of sight of both a potential hacker and a DBA.
  • Send links or new passwords to email accounts. When a user requests a forgotten password, send the user a single-use link to create a new password, or a temporary password they must change on next login. This ensures the user can change their password, but the existing password cannot be compromised by someone with access to their email.
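The two rules above, worked through as an added example (not code from the original post): passwords are stored as salted PBKDF2-SHA256 hashes (a deliberately slow, salted one-way hash, used here in place of the bare MD5 mentioned above), and the forgot-password flow mints a random single-use, expiring reset token of which only the hash is kept. The USERS dictionary, the iteration count and every name are constructed for this example and stand in for a real database and configuration.

```python
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 200_000  # PBKDF2 work factor; assumed value, tune upward for production hardware

def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'; the password itself is never stored."""
    salt = salt or os.urandom(16)  # per-user random salt defeats precomputed hash tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, compare in constant time."""
    _, iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)

# Constructed in-memory "database": holds only password hashes and reset-token hashes.
USERS = {}

def register(username: str, password: str) -> None:
    USERS[username] = {"pw": hash_password(password), "reset": None}

def login(username: str, password: str) -> bool:
    user = USERS.get(username)
    return user is not None and verify_password(password, user["pw"])

def issue_reset_token(username: str, ttl_seconds: int = 900, now: float = 0.0) -> str:
    """Forgot-password flow: mint a random token, store only its hash, return it for the emailed link."""
    token = secrets.token_urlsafe(32)
    USERS[username]["reset"] = {"hash": hashlib.sha256(token.encode()).hexdigest(),
                                "expires": (now or time.time()) + ttl_seconds}
    return token  # a DBA or attacker reading the record cannot recover this value

def redeem_reset_token(username: str, token: str, new_password: str, now: float = 0.0) -> bool:
    """Accept the token once, within its lifetime, then replace the stored password hash."""
    user = USERS.get(username)
    pending = user and user["reset"]
    if not pending or (now or time.time()) > pending["expires"]:
        return False  # no outstanding request, or the link has expired
    if not hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), pending["hash"]):
        return False  # wrong token
    user["reset"] = None  # single use: invalidate before the new hash is written
    user["pw"] = hash_password(new_password)
    return True
```

The `now` parameter only exists so the expiry check can be exercised deterministically; leave it at its default in real use.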

Comments

Jan Bannister said:

I agree that passwords should be one way hashed in the general case and then you are forced to send a password reset link (because you do not have access to the actual password).

However, neither of these measures protect you if someone can sit down at your computer logged into your email.

So all you're protecting is the password itself, which is only useful if that password has been used in other places, which is a bad security practice in itself.

June 8, 2007 9:37 AM