There’s a big problem with all sites that store a password to perform authentication – you have no idea what security measures are being taken to protect the stored passwords. How do you know whether your password is kept secure once it’s at the other end? How can you know?
As the recent LinkedIn Password Leak showed, even tech-savvy companies can get it very wrong. Unsalted SHA-1 is not good enough: hashes can be calculated at 8 thousand million per second on a modern GPU. The scary thing is that it’s one of the least bad leaks recently; the Sony Password Leak revealed that they were storing millions of passwords in plain text.
Clearly, something needs to be done, and here is what I propose:
Sites should publish some hashed passwords
On my website, yetanothersocialnetwork.com, I provide a page with some sample database rows from my user table (with fake data):
This makes the security of the site transparent. Those who care can easily see that decent security measures are being taken with the storage of passwords. For those who don’t, if there is a problem, a fuss will hopefully be made about it before a leak rather than after.
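As an added illustration (not the rows from the author’s site, which are not reproduced here), the following Python constructs fake user-table rows of the kind such a page would show. The hashing scheme is an assumption for the example: PBKDF2-SHA256 with a per-user random salt, shown beside the unsalted SHA-1 the post criticises.

```python
import hashlib
import hmac
import secrets

# Assumed scheme for the example; the post does not specify which the site uses.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000


def make_row(user_id, username, password, salt=None):
    """Build one user-table row that stores a salted, iterated hash, never the password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Self-describing field, so the published row shows algorithm, cost and salt.
    stored = f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"
    return {"id": user_id, "username": username, "password_hash": stored}


def verify(row, candidate):
    """Check a login attempt against a stored row using a constant-time comparison."""
    algorithm, iterations, salt_hex, digest_hex = row["password_hash"].split("$")
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def unsalted_sha1_row(user_id, username, password):
    """The weak row for comparison: fast to compute and identical for identical passwords."""
    digest = hashlib.sha1(password.encode()).hexdigest()
    return {"id": user_id, "username": username, "password_hash": digest}


def sample_rows():
    """Constructed fake accounts; two users sharing a password still get distinct hashes."""
    return [make_row(1, "alice", "correct horse"), make_row(2, "bob", "correct horse")]


if __name__ == "__main__":
    for row in sample_rows():
        print(row)
    print(unsalted_sha1_row(3, "carol", "password"))
```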
If you run a site that stores user passwords, please consider doing this. If your hashes are good, this should be a trivial thing to do. If they aren’t, well, it’s probably time you sorted that out…