Saturday, December 16, 2006

Passwords...

Wow, cannot believe it.  Ok - someone has a database - with all of the passwords for their application accounts stored in it - in clear text. And the database gets stolen.

First thing I had to do was see what password I used for reddit.  Just to make sure it was not my "top secret" password.  I have about 5 levels of passwords I use, depending on how I deem the level of protection I need.  My lowest level passwords are known by perhaps other people than myself - but the higher ones are not.  And the highest level password I use (eg: the one that locks my laptop - without it, many of the other passwords are not as useful), I use on only a few trusted systems and never give it to anyone and have made it as strong as I could.

Anytime we give our password to a web site - we have no clue what they might do to it.  When I heard about reddit - first thing I did was check what password I was using (the lowest level, I wasn't worried about a great threat, no credit cards or anything attached with that one).  Now I'll have to find a new low level one, but at least I feel a minimal level of intrusion.

I've written about this myself from time to time (to time....).  Let's face it developers - unless you are writing some sort of password vault - you do not need to store the password for an application.  And if you do, at least encrypt it - and when encrypting it do so with a key that is stored no where near the actual database (or use transparent data encryption in 10gR2) - to protect against theft like this.  Do not even consider storing the key in the database, that would be "not smart".

POST A COMMENT

18 Comments:

Anonymous David Aldridge said....

Most extraordinarily it seems to have been a deliberate design decision ... http://reddit.com/info/usqe/comments

"Personally, I prefer the convenience of being having my passwords emailed to me when I forget, which happens from time to time since I use difference passwords everywhere.

Not hashing was a design decision we made in the beginning, and it didn't stem from irresponsibility-- it stemmed from a decision to provide functionality that I liked.

It bit us in the ass this time, and we are truly sorry for it. The irresponsibility (and there is some) was allowing our data to get nabbed.
"

Sat Dec 16, 10:25:00 AM EST  

Blogger Niall said....

I seem to recall Howard Rogers being in discussion with an isp who had taken the exact same design decision.

We choose to be insecure. We like it that way. A very odd design decision. I'd much rather people said that they just hadn't thought.

Sat Dec 16, 11:44:00 AM EST  

Anonymous Kevin Closson said....

I like the freely mixed usage of the terms database and plain text. I didn't know text files were called databases these days :-)

Sat Dec 16, 01:27:00 PM EST  

Blogger Peter K said....

Isn't this akin to throwing the baby out with the bath water?

In hindsight, very bad design decision when they could have reset the forgotten password and have the user set a new one.

I like Tom's approach to passwords by associating them with different levels. I use 3 or 4 different passwords and my work password is not used anywhere else and I know a lot of folks uses the same password regardless of which site/domains that they at.

At least Reddit was not a commerce site (I think) otherwise, the compromised passwords could be used for financial gain.

Sat Dec 16, 04:28:00 PM EST  

Blogger Jeffrey Kemp said....

Thanks for alerting us to that one Tom. Now I'm a bit worried about the number of sites that are able to send me my password if I've forgotten it...

Password security was one of the first things I fixed in an internal app we were enhancing - it was originally "encrypting" user passwords (via a home-grown function that XORed the plaintext with a constant). I was new to security so after a few minutes of searching the web decided to hash the passwords and salt with the username.

Sat Dec 16, 06:01:00 PM EST  

Blogger Thomas Kyte said....

... At least Reddit was not a commerce site ...


Ahh, but many people use the same username/password in many places - so it is not necessarily relevant that reddit is not a commerce site for some.

That is part of the point behind my "levels" of passwords. It is not a perfect scheme, but it helps.

Sat Dec 16, 06:31:00 PM EST  

Blogger Alberto Dell'Era said....

salt with the username

And with just a little more effort, you can do vastly better - I've found this article very informative :

Password Salts

Sat Dec 16, 06:52:00 PM EST  

Blogger Tyler said....

Here's a different strategy for personal password management. I'm not saying it's better or worse than other's suggested, but I personally like it.

I use KeePass (keepass.sourceforge.net) to store my passwords. You can have it generate a really secure random password for you and use a different one from each site. Then, simply use the KeePass keyboard shortcut "ctrl+alt+a" to send the correct username and password to the form to login. You can configure the info it sends as well as the name of the window it sends it to. This also shortcuts keystroke loggers if you are worried about those.

This encourages you to use different passwords for each site and also to use more secure passwords as you don't need to worry about remembering them, only the password to open your KeePass wallet.

Sun Dec 17, 05:53:00 PM EST  

Blogger Noons said....

First rule of milsec I was given when working for them: never, ever, use the same password everywhere.
Can't agree more with the different levels of password.

I use one for each online bank account, another for my laptop, another for work and a host of them for online sites. All unrelated. It is really sound, basic security stuff.

Guess which database stores the privileged-user password, unencrypted, in the first 100 bytes of the first datafile?

Sun Dec 17, 06:44:00 PM EST  

Anonymous Anonymous said....

how do you suggest securing the sysdba password?

btw, do you know that reddit was created by a bunch of 20 year olds? Pretty impressive for kids. There is blog site by a guy who provides funding for kids to run startups. www.paulgraham.com

Mon Dec 18, 09:19:00 AM EST  

Blogger Thomas Kyte said....

sysdba password - don't have one if you don't want one. but if you do have one - what issue do you have with "securing it"?


And that they were a bunch of 20 year olds might help explain what happened.....

Mon Dec 18, 09:54:00 AM EST  

Blogger Phil said....

I have a unique login for each site; password management is a bit of a disaster because I try to keep one for each site. Having "rings" is a great idea.

It just occurred to me. When you register for a website, immediately click the "forgot my password" link. If you get your password back, run away.

Tue Dec 19, 05:52:00 PM EST  

Anonymous Anonymous said....

I retired 10 years ago. I am 75 now. Started spendng all day on the Internet and when I was interested in a site that needed a "Sign On" I would use a password. Unfortunately being an idiot I was always using a different password. Now my system has who knows how many. Is there anything I can do to access every lousy password in my system and change them all to possibly one complex password ? Thnank you.

Fri Jan 05, 07:06:00 PM EST  

Anonymous Harrison said....

I remember a story on passwords from a few years back. An intern was working at a firm where an engineer was coding a cracker program. After the intern went back to school, he got the finished cracker program and tried it out. It logged in as him in a few seconds. Stunned, he wrote the author and asked how it had happened. The author asked him, "Did you play Dungeons and Dragons when you were here?" Moral: don't use a "good" password where there is no password security.

Sat Jan 06, 02:02:00 PM EST  

Anonymous Anonymous said....

Dear Tom,

I am new to Oracle. What are the diffences between Oracle 10G on Mac OS 10 and or VS. Oracle 10G on Windows systems or a Windows with SSH to access Unix server? Are the any advantages for Mac users?

Thu Jan 11, 01:36:00 PM EST  

Blogger Thomas Kyte said....

Oracle is Oracle pretty much.

Thu Jan 11, 02:40:00 PM EST  

Blogger Spacerguy said....

Everybody needs to use unbreakable passwords. The hackers are doing all sorts with computers these days and its just fun to them. So make sure to use unbreakable passwords.

Wed Feb 14, 04:35:00 AM EST  

Blogger Jerry said....

what is the latest one in oracle? can we have a world of no password at all? that would be anarchy i guess.

-------
tarzanboy
Put The Message Where It Matters! A New Way To Advertise On Social Networks! http://www.widecircles.com

Thu Jun 12, 02:29:00 PM EDT  

POST A COMMENT

<< Home