Photo by Bob Brown

One of the oldest rules in print journalism is to get the reader’s attention with the lead, and to make your whole point in the first paragraph. Here goes: The storage of plaintext or encrypted passwords by any company that does business with the public is an act of stupidity. An act of stupidity so dangerous that it needs to be made illegal. Yes, we need federal laws banning the storage of passwords on more or less all IT systems in the world. The recent break-in of the Gawker user database makes this point more clearly than anything I can say, but that won’t stop me from trying.

Best Practices

Long ago, in the pre-PC days, I was a neophyte learning my way around the UNIX system my employer used for software development. It didn’t take long before I bumped into one of the more interesting files on the system: /etc/passwd. To my young eyes, it appeared that this file contained the encrypted passwords for all the users in the company. All I had to do was get my hands on the system software that managed logins, and I could quickly print out a complete list of credentials. Awesome!

Soon enough I learned my lesson. One of those bearded UNIX gurus was kind enough to take me aside and point out the obvious: /etc/passwd doesn’t contain encrypted passwords. It contains hashed passwords. Hashed and salted, in fact. Because of this, the original designers of UNIX were able to do what seemed like hubris to me: leave the password file with a mode value of 644 – available for anyone on the system to read.

Even though this was a best practice almost forty years ago, the Gawker debacle shows us that some people just don’t learn. Media empire Gakwer, host of dozens of popular web sites, had their internal database hacked. After much of the data was posted to public web sites, the truth came out. Gawker had over 1.25 million passwords stored in their database. Encrypted passwords, which they felt were quite safe. Safe, that is, until they showed up on the Pirate Bay’s lists of torrents.

Gawker was stupid – that much is obvious. Anything that is encrypted can be decrypted. That’s the nature of the algorithm, and that is why the passwords were stored that way. And if a password can be decrypted, you are just one security breach away from a bad actor having a plaintext password for every user on your system. If your passwords are hashed and salted, the bad actor can still get that list – but it should take at least a few decades.

But this kind of stupidity has the power to do much more damage than letting a script kiddy post comments on Lifehacker using my name. In today’s web, the average citizen who creates an account on a Gawker property such as Lifehacker, Gizmodo, or Fleshbot uses a password that is identical to the one they use on Amazon, eBay, PayPal, and their bank. So it’s pretty obvious what a black hat can do with that list of email address/password combinations – the economic damage can be stupendous.

That’s why we need to make the storage of encrypted passwords illegal.

Yes, Illegal

If it was just a matter of education, we could attack this problem in a sensible way. But the truth is, when it comes to security, the average IT person is an idiot, and the average user is an idiot. Just for example, my hosting service, Dreamhost.com, stores user passwords in their database. I’ve argued with them to no end about how stupid this is. But they’re content – the passwords are encrypted, and hardly anyone has access to them. They’ll happily go on in this mode until a disgruntled employee mails out the list, or the inevitable security breach leads to a mini-Gawker episode. And this is a company hosting close to a million domains. Just imagine how many startups out there have your credentials stored with no more protection than an XORed string in a database, and nothing but some caffeine-fueled PHP code protecting you from a SQL injection hack.

No, I think it’s time to acknowledge that my credentials belong to me, and they need the legal protection that my other properties enjoy. We need to to develop a new FIPS regulation regarding the storage of passwords, and then enact it as law – with hefty penalties. A Gawker-size breach should result in an instant fine on the order of tens of millions of dollars.

It’s Clear This is Needed

Like millions of people, I received the Gawker email shortly after passwords were posted:

Gawker Media to markn
12/13/10
This weekend we discovered that Gawker Media’s servers were compromised, resulting in a security breach at Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot. As a result, the user name and password associated with your comment account were released on the internet. If you’re a commenter on any of our sites, you probably have several questions.

The site had a link to a FAQ which answered questions about the breach. The most important question thing to note about this FAQ is that months after the breakin, we still see a very bad entry:

11) What are you doing to ensure this doesn’t happen in the future?
We’re bringing in an independent security firm to improve security across our entire infrastructure. Additionally, we will continue to work with independent auditors to ensure we maintain a reliable level of security, as well as the processes necessary to ensure we maintain a safe environment for our commenters.

There is really only one good answer to this question: it should have read “We will never store passwords on our systems again – either in clear text, or encrypted. As this episode demonstrates, storing passwords is a worst practice. We were stupid once, but we are going to show the world that we have the capacity to learn. From now on, our passwords will be hashed and salted using the strongest possible algorithms available on our back end.”

What You Can Do

The obvious thing you need to do is to not use the same password on every site – this is a no-brainer. If you currently use fluffy99 as your password on Amazon, PayPal, eBay, and Poker Stars, you are vulnerable. Just make a small change in your algorithm. Instead of using fluffly99, simply append the first letter of the site to the password: Amazon gets fluffy99a, PayPal gets fluffy99p, etc. Use some easy-to-remember variation on this theme and you are immediately protected against the first wave of automatic attacks following a breach.

The second thing is to start shaming the morons. From time to time, go through a password recovery exercise on your favorite sites. If they offer to send you an email with a copy of your password, or to show it to you after you answer some security questions, you are dealing with Gawker-league stupidity. Call it out, publicly, loudly, and make sure you file a support case on it.

And finally, if you work in an organization that holds sway over Internet policy, take this call for legal action seriously. If you’re part of the EFF, or CERT, or the FCC, start pushing for this legislation – it’s the right thing.

Afterward

Calling for federal legislation in a blog post is clearly troll bait. For starters, the Internet user base has a fairly large number of people who lust for a global adoption of Anarcho-capitalism. In their view, any new government institution is a step in in the wrong direction. They will weigh in on this idea with some vigor, arguing that the problem can easily be handled with existing tort law. Additionally, they will point out that smart people (like them) are already immune to this problem, because they carry USB keys with a list of randomly generated 32 character passwords for every web site they use.

There will also be a large number of people who claim structural obstacles with the exclusive use of hashed passwords – the example being my Dreamhost captors.

Countering all of the objections they will raise in this post runs the risk of turning it into a manifesto, and that’s not my goal – I don’t get paid by the word. I will address the arguments as they come in. The structural and procedural arguments will all be wrong, and easily addressed. The philosophical arguments are more difficult, because winners and losers in those arguments are generally selected based on personal opinion, only slightly tempered with the facts. (And much of political argument starts off with name-calling and deteriorates from there.) But it’s safe to say I don’t agree with the idea that there are no good laws.

Maybe Gawker will be the last million-user password breach. I hope so. But somehow I doubt it. It’s kind of fun to think of the same type of breach happening at, say, Mint.com or Intuit. Now that will be a call to action!

Update

Since writing this, I received some useful clarification from a source who has worked with Gawker. Like most people, I was basing my information on Gawker’s security practices from their own statement:

Passwords in our database are encrypted (i.e., not stored in plain text),

As it turns out, this statement false. According to a post from Gawker, their user passwords were hashed using crypt(3), the same algorithm used by the bearded UNIX gurus I talked to over 30 years ago.

This means that Gawker was using a hashed, salted password. Unfortunately, they were using an algorithm that was considered to weak for any reasonable security as long as 20 years ago. Dictionary-based cracking programs on modern computers can break crypt(3) passwords with astonishing speed. That is apparently what happened to Gawker.

This doesn’t change the gist of the problem much – Gawker was still horribly negligent with user passwords. For whatever reasons they chose to use a security scheme that simply doesn’t pass muster. This could clearly have been prevented with a FIPS standard based on modern technology.

A Visit From Mr. Language Policeman

As an aside, is it reasonable to claim that Gawker misspoke when they said their passwords were encyrypted? It’s perhaps a fine point, but the Wikipedia definition of encryption says:

In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.

Clearly, the process of hashing passwords using crypt(3) does not meet this definition. You will sometimes hear people refer to this as one way encryption, but this usage doesn’t turn hashing into encryption.