I’m : a programmer, writer, podcaster, geek, and coffee enthusiast.

Password limits and storing hashes


Ok, so this has been bugging the hell out of me lately, how some websites and services have really unsatisfactory password security policies.

For example, Plaxo, which only allows you to create a password that is between 6 and 10 characters long. Um, Hello??!! That is bloody ridiculous! I’m sorry Plaxo, but I just don’t feel safe storing my whole freggin’ address book on your site with a password policy like that. Why bother?

This annoys me, too, and there’s no good technical justification for it.

Proper web applications should never store your password. Ever. Anywhere. It should only exist when being transmitted from the login form in the browser to the server (and if you’re really serious, that should be done with SSL).

The correct way to validate a password is to store a salted hash of it, then hash whatever you’re given on the login form, and see if the hashes match.

Non-geek tutorial: A good hash function converts arbitrary-length input to randomly distributed output of a fixed size, with three important properties: it’s one-way only, it’s always the same result for the same input, and slight changes in the input make the hash look very different.

Example: SHA1 generates 40-character hashes from any input. The SHA1 of “Hello” is “f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0”. The SHA1 of “Hello!” (with the exclamation point) is “69342c5c39e5ae5f0077aecc32c0f81811fb8193”.

Hashes make short password-length limits unnecessary. You can hash entire paragraphs to that same 40-character output length.

Salted-hash password storage also has big security gains, most of which I’m barely qualified to discuss. One example: If your service is hacked and the database gets stolen, the password-hashes are useless to the attacker. If passwords were stored in their regular, plain-text forms, the attacker could not only log into that site with your account, but could also log into any other sites you’re a member of with the same email address and password. (I know you use the same password for everything.)

You can tell if a website stores plain-text passwords by testing the “I forgot my password” feature. If it emails you your existing password, they’re storing it. (Bad.) If it emails you a link with a giant hash that you have to click to reset your password to something else, they’re probably storing hashes only. (Good.)

Like SQL injection, storing plain-text passwords is a newbie mistake.