User Passwords Are Global, Shared, Encryption Keys
Related Categories: Security
So I just returned from the First Annual Software Security Summit and have security on the brain. I thought I'd post about a little something that's always bothered me - weak protection of passwords in web applications.
Many web applications don't handle much sensitive data. If someone breaks into the (fictional) web application for my mother's quilting guild, quilt-o-rama.com, no-one's going to care that all their quilting patterns have been stolen. They might even care if someone gets a list of all the guild members. However, there is one bit of data stored in this web application that's of value - their passwords.
Let's face it, people don't use different passwords. They should, but they don't. That means passwords become:
A globally shared key that opens all doors.
Now you may be saying to yourself, "But Cameron, that's the user's fault that they use the same password for everything.". Sure, some responsibility does fall on the user. But we all know perfectly well that most people aren't going to choose a unique password if they can get away with it. Therefore we have to be willing to accept some responsibility when protecting our user's passwords.
Since we know people are going to do everything in their power to choose an easy to remember (weak) password, we should protect it. This responsibility falls on us - the application developers. We have become custodians of a huge library of personal keys. Keys that might unlock data at banks, home computers, offices, government records, and quilt-o-rama.com - for most users the key is the same (or very similar) for all of these.
Attackers are always looking for the weakest point to attack. Do you have a site that stores passwords in plaintext? Do you keep up with security bulletins? Do you think no-one cares about breaking into your little boring site? Congratulations, you are the weakest link (goodbye)!
In security circles, this is commonly referred to as "key management". Your bank may encrypt your account data six ways from Sunday, but if the encryption key is easy for an attacker to discover, the encryption becomes meaningless. The data might as well have been in plain text all along. People go to all sorts of lengths when it comes to key management to make sure that the same encryption key isn't used in too many places, that it's not easy to discover, and that it's routinely rotated in case an old key is discovered at some point.
The concept of password management is no different. It's a key, not an encryption key - but a key still. It unlocks information, but unlike encryption keys the same password is often used everywhere, very rarely rotated, and often not very well protected. And your web application's users have shared their keys with you. They have trusted you to keep it safe for them.
You are holding valuable keys. Are you doing your part to protect your user's bank accounts, businesses, and other personal information?
I usually send a randomly generated (and temporary) password to the user and force them to set a new password immediately after using it to login the first time. I also save a timestamp with the temporary password and it essentially "expires" after a set amount of time, after which they have to request another new temporary password.
This same method is valid if you are using an emailed password or emailed link.