It's secure because it's not on the web!



  • This morning I discovered that our company's flagship app - a debtors system - that is used by multiple clients around the country, including companies that do millions of $ of turnover every month, stores user passwords in plaintext on the DB.

    When I pointed this out to the PHBs, their response was "But the DB will never be exposed on the web". Yet less than a month ago they were discussing writing a web frontend for the same app.

    If security through obscurity is the last resort of the incompetent, then what is no security at all?



  • Isn't storing the passwords as hashes also security through obscurity?



  • @derula said:

    Isn't storing the passwords as hashes also security through obscurity?
     

    No. It's an extra layer of not being an idiot.

     

    Storing them as hashes means if anyone gets access to those hashes, they still have to crack them to get the password. You can crack an individual pw in reasonable time with rainbow tables (sometimes), but if they were properly salted you have to do that for every individual password. That's a lot better than "You got DB access? Take everything!"



  • My point was: what hashes give you is security. How do they achieve security? By obscuring the password. So, there. I didn't mean to say storing passwords as hashes is lame.



  • Well, not exactly. The whole point isn't that you can't read the passwords anymore (that is obscuring, like storing the password backwards). The point is that you can't reverse the process. The only way to know what the password is, is to try every single combination and look for the match. Which takes a pretty long while if you use a good hashing algorithm. Especially if you put a site-specific (or better: user-specific) salt in there before you hash it.

     Hashing is always a good idea. Even if your little app is only used in-company. Users tend to use their password everywhere, so a username+password combination is something you don't want to lose.



  • @ari said:

    The whole point
     

    You are under the mistaken impression that nobody here knows what hashing is or why it's used. :)

    We do.



  • Seeing the kind of stupid answers in other threads, I also can't assume that everybody knows... you still need to cater to the less intelligent people. The internet isn't Mensa you know. ;)



  • @ari said:

    Seeing the kind of stupid answers in other threads, I also can't assume that everybody knows... you still need to cater to the less intelligent people. The internet isn't Mensa you know. ;)

    What stupid answers?

    Also, the only people in Mensa are egotistical anti-social dicks. It has nothing to do with IQ-- if they were really smart, they'd realize Mensa rigs their test so pretty much everybody gets over 110.



  • @dhromed said:

    @ari said:

    The whole point
     

    You are under the mistaken impression that nobody here knows what hashing is or why it's used. :)

    We do.

    It's not that nobody knows about hashing that's the problem - it's that not everybody knows.



  • @blakeyrat said:

    @ari said:
    Seeing the kind of stupid answers in other threads, I also can't assume that everybody knows... you still need to cater to the less intelligent people. The internet isn't Mensa you know. ;)

    What stupid answers?

    I'd guess that either ari doesn't understand our humor or has read the SpectateSwamp thread unprepared.


  • Discourse touched me in a no-no place

    @ari said:

    Especially if you put a site-specific [...] salt in there before you hash it.

    LOLWUT? What's the point in that? To crack the whole DB, you only need one rainbow table, defeating the whole point of the salt to begin with. (OK - there'll be the time spent generating it, but it's a one-off cost, rather than a per-user cost.)
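The disagreement between ari's post (site-specific or user-specific salt) and PJH's reply (one table covers the whole DB if the salt is shared) comes down to how much work a precomputed table saves. The following is an added illustration, not code from the thread or from any poster: it stores the same constructed set of weak passwords once under a single site-wide salt and once under per-user random salts, then counts how many hash operations a single precomputed table needs to match them. The wordlist, user accounts, salt value and the use of a bare SHA-256 (a fast, unstretched hash chosen only to make the comparison visible, not a recommended password store) are all assumptions of this example.

```python
import hashlib
import os

# Constructed wordlist standing in for the dictionary a precomputed table is
# built from (illustration only).
CANDIDATES = ["password", "letmein", "hunter2", "qwerty", "123456"]

# Constructed user accounts with deliberately weak, dictionary passwords.
USERS = {"alice": "hunter2", "bob": "qwerty", "carol": "letmein"}

# Hypothetical site-wide salt: one fixed value shared by every account.
SITE_SALT = b"example-site-wide-salt"


def plain_sha256(salt: bytes, password: str) -> str:
    """Single SHA-256 over salt || password.  A fast, unstretched hash like
    this is exactly what precomputed tables target; it is used here only to
    make the salt-scope comparison visible, not as a password store."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def store_site_salted(users: dict) -> dict:
    """Store every user's hash under the same shared salt."""
    return {user: plain_sha256(SITE_SALT, pw) for user, pw in users.items()}


def store_user_salted(users: dict) -> dict:
    """Store each user's hash under an independent random salt kept beside it."""
    records = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        records[user] = (salt, plain_sha256(salt, pw))
    return records


def table_lookup_site_salted(records: dict):
    """With a shared salt one table, built once, is looked up against every
    account.  Returns (matches, number of hash operations performed)."""
    table = {plain_sha256(SITE_SALT, c): c for c in CANDIDATES}
    work = len(CANDIDATES)
    matches = {user: table[h] for user, h in records.items() if h in table}
    return matches, work


def table_lookup_user_salted(records: dict):
    """With per-user salts no table carries over between accounts: it has to
    be rebuilt for each one, so the work grows with the number of users."""
    matches, work = {}, 0
    for user, (salt, h) in records.items():
        table = {plain_sha256(salt, c): c for c in CANDIDATES}
        work += len(CANDIDATES)
        if h in table:
            matches[user] = table[h]
    return matches, work


if __name__ == "__main__":
    for label, store, lookup in [
        ("site-wide salt", store_site_salted, table_lookup_site_salted),
        ("per-user salt", store_user_salted, table_lookup_user_salted),
    ]:
        matches, work = lookup(store(USERS))
        print(f"{label}: {len(matches)} of {len(USERS)} weak passwords "
              f"matched using {work} hash operations")
```

Both schemes match every one of these weak passwords; what differs is the cost. Under the shared salt the table is built once (five hashes for five candidates) and reused for all three accounts, which is PJH's point. Under per-user salts it is rebuilt per account (fifteen hashes), and that multiplier grows with the user table. The salt does not rescue a weak password; it removes the one-off precomputation and, combined with a slow hash, turns the attacker's cost into a per-user, per-guess cost.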



  • @PJH said:

    @ari said:
    Especially if you put a site-specific [...] salt in there before you hash it.
    LOLWUT? What's the point in that? To crack the whole DB, you only need one rainbow table, defeating the whole point of the salt to begin with. (OK - there'll be the time spent generating it, but it's a one-off cost, rather than a per-user cost.)



  • @blakeyrat said:

    Also, the only people in Mensa are egotistical anti-social dicks. It has nothing to do with IQ-- if they were really smart, they'd realize Mensa rigs their test so pretty much everybody gets over 110.
     

    So all the regular posters on this forum are in Mensa, eh?


  • Discourse touched me in a no-no place

    @Zylon said:

    So all the regular posters on this forum are in Mensa, eh?

    Only for a couple of years starting when I was 14. Then I wised up.



  • Not that I want to get swept up in another hashing flamewar, but it's dawned on me that passwords themselves might even count as "security by obscurity".



  • @MiffTheFox said:

    Not that I want to get swept up in another hashing flamewar, but it's dawned on me that passwords themselves might even count as "security by obscurity".

    Come to think of it, modern-day encryption is mostly based on large numbers that fulfill an obscure condition (i.e. being prime). Isn't any type of encryption basically security by obscurity? There's other means of security, of course, like solid steel walls or moats.



  • @Zylon said:

    @blakeyrat said:

    Also, the only people in Mensa are egotistical anti-social dicks. It has nothing to do with IQ-- if they were really smart, they'd realize Mensa rigs their test so pretty much everybody gets over 110.
     

    So all the regular posters on this forum are in Mensa, eh?

    Mensa == dick. Dick != Mensa.



  • @MiffTheFox said:

    Not that I want to get swept up in another hashing flamewar, but it's dawned on me that passwords themselves might even count as "security by obscurity".

    The problem is that "security by obscurity" is seen as a bad thing in the first place. I blame this on the Slashdot crowd, who will diss any security method that doesn't involve prime numbers somehow... but in reality it works pretty well in most cases. "Obscurity" is just one layer of security. If it's your only layer, well, ok, then you should probably do something about that.



  • @blakeyrat said:

    @ari said:
    Seeing the kind of stupid answers in other threads, I also can't assume that everybody knows... you still need to cater to the less intelligent people. The internet isn't Mensa you know. ;)

    What stupid answers?

    Also, the only people in Mensa are egotistical anti-social dicks. It has nothing to do with IQ-- if they were really smart, they'd realize Mensa rigs their test so pretty much everybody gets over 110.

     

    How do they rig the SATs?

     



  • @ari said:

     Hashing is always a good idea.

     And for simplicity use a 1 bit hash <ducking and running>


  • ♿ (Parody)

    @TheCPUWizard said:

    @ari said:

     Hashing is always a good idea.

     And for simplicity use a 1 bit hash <ducking and running>

    Well, sure, that's just good ole fashioned optimization!


  • Considered Harmful

    @boomzilla said:

    And for simplicity use a 1 bit hash

    It might be just retarded enough to work.

    Who will guess that the innocent isActive bit field in that table is really concatenated to the password before hashing? And the avalanche effect should ensure that one bit makes the hash look way off.


  • ♿ (Parody)

    @joe.edwards said:

    @boomzilla said:
    And for simplicity use a 1 bit hash

    It might be just retarded enough to work.

    Who will guess that the innocent isActive bit field in that table is really concatenated to the password before hashing? And the avalanche effect should ensure that one bit makes the hash look way off.

    Um. He said 1 bit hash. Not 1 bit salt. Now you're just making it complicated again.


  • @blakeyrat said:

    Mensa == dick. Dick != Mensa.

    Equality doesn't work this way. Also, your Venn diagram is noticeably missing regular TDWTF posters.



  • All passwords should be one bit, but instead of letting you try again if you get it wrong, it shows you a live feed of a puppy being beaten to death.  No one would dare to try cracking it unless they were absolutely sure it was right.

     

    Security through insanity?



  • All passwords should be one bit, but instead of letting you try again if you get it wrong, it shows you a live feed of Paris Hilton.  No one would dare to try cracking it unless they were absolutely sure it was right.

     

    Security through inanity?



  • @TheCPUWizard said:

    @ari said:

     Hashing is always a good idea.

     And for simplicity use a 1 bit hash <ducking and running>

    For security reasons, you should obfuscate it further. For example, store the hashes in a column called isAdmin3.



  • @joe.edwards said:

    @boomzilla said:
    And for simplicity use a 1 bit hash

    It might be just retarded enough to work.

    That's not how stupid works!  There's a critical mass of stupidity beyond which no additional amount of stupid will improve your chances for success!


  • @Spectre said:

    @blakeyrat said:
    Mensa == dick. Dick != Mensa.

    Equality doesn't work this way. Also, your Venn diagram is noticeably missing regular all TDWTF posters.

    FTFY



  • @derula said:

    Isn't any type of encryption basically security by obscurity? There's other means of security, of course, like solid steel walls or moats.

    Well, that's the whole point, no? Security can be, at the absolute best, "good enough for the purpose". Refer the parable of two guys escaping from a bear.



  • @derula said:

    @MiffTheFox said:

    Not that I want to get swept up in another hashing flamewar, but it's dawned on me that passwords themselves might even count as "security by obscurity".

    Come to think of it, modern-day encryption is mostly based on large numbers that fulfill an obscure condition (i.e. being prime). Isn't any type of encryption basically security by obscurity? There's other means of security, of course, like solid steel walls or moats.

    Security by obscurity refers to a situation where possession of the protected knowledge is enough to defeat the system.  For example, old versions of Microsoft Access implemented the "password protected database" feature by storing the password in a specific location within the database and XORing it with a fixed bit pattern.  The knowledge of how it was done was enough to bypass the feature, regardless of the password.  Hashing relies on the work necessary to brute force the hash, rather than the knowledge of what needs to be done.  Unfortunately, hashes are surprisingly easy to brute force, so they have to be strengthened with salts and key stretching.
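The post above ends on salts and key stretching as the fix for fast hashes being cheap to brute force. The following is an added example of what that looks like in practice, written for this page and not taken from the thread or any poster: it derives a per-user record with PBKDF2-HMAC-SHA256 from the Python standard library, verifies a login with a constant-time comparison, and measures how the iteration count changes the number of guesses per second an attacker (or the server) can afford. The record format, the iteration count and the salt length are assumptions chosen for the illustration; a real deployment tunes the iteration count to its own hardware.

```python
import hashlib
import hmac
import os
import time

# Hypothetical parameters for this illustration.
ITERATIONS = 200_000   # work factor: more iterations = slower per guess
SALT_BYTES = 16        # random salt stored alongside each hash


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'algo$iterations$salt$key' (hex).
    A fresh random salt per user means no table built for one user or one
    site carries over to another; the iteration count is stored so it can be
    raised later without breaking existing records."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), key.hex()])


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key with the stored salt and iteration count and compare
    in constant time, so timing does not leak how many bytes matched."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, key_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


def guesses_per_second(iterations: int, samples: int = 20) -> float:
    """Measure how many guesses per second one core manages at a given
    iteration count: this is the cost that key stretching raises."""
    salt = os.urandom(SALT_BYTES)   # constructed salt for the timing loop
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    record = hash_password("correct horse battery")
    print("stored:", record)
    print("right password accepted:", verify_password("correct horse battery", record))
    print("wrong password rejected:", not verify_password("hunter2", record))
    for n in (1, 1_000, ITERATIONS):
        print(f"{n:>8} iterations: {guesses_per_second(n, 5):,.0f} guesses/s")
```

The stored record never contains the password, two records for the same password differ because of the random salt, and the guesses-per-second figure drops roughly in proportion to the iteration count. That last number is the whole point of stretching: a login that costs the server a fraction of a second per attempt costs an attacker the same fraction of a second per guess, per user.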

     

