How to store passwords

Vagmi Mudumbai

Recently Gawker's database got hacked. About 1.3 million passwords are out in the open. This has led to much furore on various sites. In fact, (some sites)[http://nakedsecurity.sophos.com/2010/12/13/gawker-gizmodo-lifehacker-password-change/] have suggested users to set strong passwords and not reuse passwords.

Although this is good advice for users, I would like to give 3 important points for developers storing passwords in their database.

  • Use BCrypt
  • Use BCrypt
  • Use BCrypt

BCrypt is a hashing scheme based on the Blowfish algorithm. It is excellent for password hashing as it is dog slow. The usual general purpose hashing algorithms like MD5 or SHA1 are really fast. They are meant to hash a lot of content and return a unique hash efficiently. This makes them an easy target for brute force attacks. Bcrypt on the other hand is very slow. On my machine, it is about 4 orders slower than MD5 when the number of rounds is 10. This is what wikipedia has to say about bcrypt.

Blowfish is notable among block ciphers for its expensive key setup phase. It starts off with subkeys in a standard state, then uses this state to perform a block encryption using part of the key, and uses the result of that encryption (really, a hashing) to replace some of the subkeys. Then it uses this modified state to encrypt another part of the key, and uses the result to replace more of the subkeys. It proceeds in this fashion, using a progressively modified state to hash the key and replace bits of state, until all subkeys have been set.

Provos and Mazieres took advantage of this, and actually took it further. They developed a new key setup algorithm for Blowfish, dubbing the resulting cipher "Eksblowfish" ("expensive key schedule Blowfish"). The key setup begins with a modified form of the standard Blowfish key setup, in which both the salt and password are used to set all subkeys. Then there is a configurable number of rounds in which the standard Blowfish keying algorithm is applied, using alternately the salt and the password as the key, each round starting with the subkey state from the previous round. This is not cryptographically significantly stronger than the standard Blowfish key schedule; it's just very slow.

The number of rounds of keying is a power of two, which is an input to the algorithm. The number is encoded in the textual hash.

Ruby developers can use bcrypt-ruby. bcrypt-ruby also salts your passwords to ensure that it is safe from Rainbow Table attacks. You can install it using the following command.

$ gem install bcrypt-ruby

And here is a quick example of how to use it.

require 'bcrypt'

class User
  include BCrypt
  attr_accessor :password_hash

  def password
    @password||=Password.new(password_hash)
  end

  def password=(passwd)
    @password = Password.create(passwd)
    password_hash = @password
  end

end

#usage

user = User.new
user.password = "password"

user.password == "password" # true

Let us make the web safer for our users.

Posted on 2010-12-13T12:08:10Z by Vagmi Mudumbai Comments
blog comments powered by Disqus