So I just returned from the First Annual Software Security Summit
and have security on the brain. I thought I'd post about a little something that's always bothered me - weak protection of passwords in web applications.
Many web applications don't handle much sensitive data. If someone breaks into the (fictional) web application for my mother's quilting guild, quilt-o-rama.com, no-one's going to care that all their quilting patterns have been stolen. They might even care if someone gets a list of all the guild members. However, there is one bit of data stored in this web application that's of value - their passwords.
Let's face it, people don't use different passwords. They should, but they don't. That means passwords become:
A globally shared key that opens all doors.
Now you may be saying to yourself, "But Cameron, that's the user's fault
that they use the same password for everything.". Sure, some responsibility does fall on the user. But we all know perfectly well that most people aren't going to choose a unique password if they can get away with it. Therefore we have to be willing to accept some responsibility when protecting our user's passwords.
Since we know people are going to do everything in their power to choose an easy to remember (weak) password, we should protect it. This responsibility falls on us - the application developers. We have become custodians of a huge library of personal keys. Keys that might unlock data at banks, home computers, offices, government records, and quilt-o-rama.com - for most users the key is the same (or very similar) for all of these.
Attackers are always looking for the weakest point to attack. Do you have a site that stores passwords in plaintext? Do you keep up with security bulletins? Do you think no-one cares about breaking into your little boring site? Congratulations, you are the weakest link (goodbye)!
In security circles, this is commonly referred to as "key management". Your bank may encrypt your account data six ways from Sunday, but if the encryption key is easy for an attacker to discover, the encryption becomes meaningless. The data might as well have been in plain text all along. People go to all sorts of lengths when it comes to key management to make sure that the same encryption key isn't used in too many places, that it's not easy to discover, and that it's routinely rotated in case an old key is discovered at some point.
The concept of password management is no different. It's a key, not an encryption key - but a key still. It unlocks information, but unlike encryption keys the same password is often used everywhere, very rarely rotated, and often not very well protected. And your web application's users have shared their keys with you
. They have trusted you to keep it safe for them.
You are holding valuable keys. Are you doing your part to protect your user's bank accounts, businesses, and other personal information?