There’s a big problem with all sites that store a password to perform authentication – you have no idea what security measures are being taken to protect the stored passwords. How do you know how your password is ‘secure’ once it’s at the other end? How can you know?

As the recent LinkedIn Password Leak showed, even tech-savvy companies can get it very wrong. Unsalted SHA-1 is not good enough. Hashes can be calculated at 8 thousand million per second on a modern GPU. The scary thing is that it’s one of the least bad leaks recently, the Sony Password Leak revealed that they were storing millions of passwords in plain text.

Clearly, something needs to be done, and here is what I propose:

Sites should publish some hashed passwords

On my website, yetanothersocialnetwork.com, I provide a page with some sample database rows from my user table (with fake data):

username password_hash
abc123 bbd09e976e29f1721a4203f0bc75d754f0b91dff350aee6ae9952a0056eeb652
fred99 8b0afe8cd1d9a3d27bf0f5ab1117865fe892afc7234a4d0a9dbb5a13e9b4d2dc
sparkle_grl_78 f720996783311dfed97c5c5945164c4b475709c9d8db6f043b2bf86f8db79211
gareth-smith 912b22309b5739f5b4f3d392a9ece12e7d49dd4a1fce4b802ce7f40beae14eea
megatroid b5599f978865d965d4f796a36088d88155eae094734245309999838155baa5c0

This makes the security of the site transparent. For those who care, they can easily see that decent security measures are being taken with the storage of passwords. For those that don’t, if there is a problem, a fuss will hopefully be made about it before a leak, rather than after.

If you run a site that stores user passwords, please consider doing this. If your hashes are good, this should be a trivial thing to do. If they aren’t, well it’s probably time you sorted that out…