20

I am writing a page for our website which describes the measures we take to keep our customers' information secure. On this page one section describes how we keep their passwords secure.

We are using Secure Password Storage v2.0 which is an implementation of PBKDF2. We are using the hash algorithm SHA256, 64000 iterations, and 24 bytes for our random salt. I'm not really sure this matters so much, other than that I just don't want people to come with pitchforks raised thinking we are encrypting the passwords.

Is it correct to say "The passwords which we store cannot be decrypted"? I worry that it implies that the passwords can never be cracked, which simply isn't true. However, I do want to emphasize to our users that our system to store passwords is secure enough that they shouldn't ever have to worry about it (as long as they pick a sufficiently unique password of course), even in the case of the entire password database being stolen.

Other options I have considered are "The method used to store passwords cannot be reversed" or "In the case of a breach, your password should not be retrievable" but I find saying they can't be decrypted to be more understandable and to the point, especially since some people may not even realize that passwords aren't stored in plaintext.

Anders
JCB
  • I think hashing, as a cooking term, can make people understand that the output cannot be reversed. – A. Darwin May 31 '16 at 18:33
  • 6
    So you think the average person understands what password hashing means? I would not guess that the typical user of our website is very technologically inclined, but then again I don't know how common it is that people understand what it means to hash a password. – JCB May 31 '16 at 18:36
  • 20
    How about "We use state-of-the-art password storage technology to ensure that your password cannot be recovered even if the password database is compromised."? You may want a footnote or link to the more technical jargon as well. – Neil Smithline May 31 '16 at 18:44
  • I was trying to say that you could briefly explain hashing as a way of storing passwords in such a way that the result cannot be reversed, and that the cooking term could make a nice analogy to explain an irreversible operation. – A. Darwin May 31 '16 at 19:05
  • "I just don't want people to come with pitchforks raised thinking we are encrypting the passwords." - Why would they? – TTT May 31 '16 at 19:45
  • 3
    @TTT Maybe he refers to the fact that encrypting passwords is not a very good idea. – A. Darwin May 31 '16 at 20:11
  • @A.Darwin - I meant - why would anyone just assume they are encrypting passwords and not hashing them? – TTT May 31 '16 at 20:17
  • @TTT As far as I've understood, OP thinks that non-technical people are more familiar with encryption than hashing (at least as a concept) as a way of protecting data and making it hard to crack, so he was thinking about describing the whole process as encryption, rather than hashing. – A. Darwin May 31 '16 at 20:22
  • @A.Darwin - I don't think that's what OP meant. OP is wondering if the word "hashing" should be specified so people don't assume it's encryption (or worse). My point is no one would just assume encryption unless you give them reason to, so you don't have to worry about it in the first place. – TTT May 31 '16 at 20:27
  • 2
    @TTT The reason I included that statement was because even though the paragraph about how we are storing the passwords isn't necessarily relevant to this question, if I were to remove it and simply state that the passwords cannot be decrypted people may assume that we are encrypting the passwords which I wanted to avoid. – JCB May 31 '16 at 20:32
  • @Jaci - OK, then how about "For security reasons, your password cannot be recovered. If you forget it, you'll have to reset it." – TTT May 31 '16 at 20:33
  • Is there a reason why everyone who is answering suggests adding in the hashing value...? Isn't the point of Hashing Security to NOT tell people which algorithm you are using.... or am I missing something here...??? – XaolingBao Jun 01 '16 at 06:18
  • 2
    @Lasagna do you mean "SHA256, X iterations,..."? Hashing is secure even if you disclose the algorithm, because the attacker would still need a lot of processing power and/or time to obtain the input (e.g. password) from the hash. Adding salt further increases the time and resources needed to get the password, and in particular protects the hash from dictionary attacks and rainbow table attacks. If you are interested, start searching "cryptographic hash", "hash", "salt" on your favorite search engine. There are also a lot of resources on this SE. – A. Darwin Jun 01 '16 at 06:44
  • Draw a picture of a cow. That's the password. Draw a picture of some ground beef. That's the hashed password. Tell them you only store the ground beef, and that one cannot turn ground beef into a cow – Neil McGuigan Jun 01 '16 at 16:38

6 Answers

35

"We believe the secrecy of your passwords is very important, which is why we have implemented measures that strongly protect them while stored on our servers. Once you submit your password we convert it using a cryptographic function (salted PBKDF2-SHA256 with 64,000 iterations for the tech savvy), so even if attackers are able to breach our site they won't immediately learn your password.

This method of storing passwords makes it significantly harder for your password to be cracked by the bad guys. Choosing a unique and good password/passphrase choice paired with this technology can help prevent unauthorized access to your account. Even our employees won't know your original password."

Similar to Adam's suggestion, just expanded to cover more of your concerns.

PwdRsch
  • 7
    I like this, especially the point made about employees being unable to see the passwords. It implies that they're stored in a manner that is irreversible even by the "good guys". I think that having your password/information stolen or misused by the website itself is a legitimate concern many people have when registering at a website and this addresses it nicely. – JCB May 31 '16 at 20:09
  • 3
    Phrases like "We believe the secrecy of your passwords is very important" are so common, and so often introduce platitudes, that I stop reading. I do like the "even our employees..." bit. – Adam Shostack May 31 '16 at 20:15
  • @AdamShostack That is a pretty throw-away introductory phrase. Depending on how this fits into the overall page you could just start with "We have implemented measures that strongly protect your passwords while stored on our servers." – PwdRsch May 31 '16 at 21:17
  • Also, "cryptography" is not a good term to use with laymen. – John Deters May 31 '16 at 21:18
  • 1
    @PwdRsch Totally agree. I personally don't like the style. – Adam Shostack May 31 '16 at 22:10
  • 1
    I'd change "using a cryptographic function" into "using a **one-way** cryptographic function" (even non-techies should get _that_), and probably put the parenthetical text in a footnote. – Ángel May 31 '16 at 22:42
  • Without telling what hashing algorithms and iterations used of course :). – XaolingBao May 31 '16 at 23:59
  • 3
    A layman wouldn't have any idea how long "not immediately" is in the phrase "they won't immediately learn your password". Does that mean it'll take 10 minutes? A few hours? When in reality using current technology it may be more than a human lifetime, but on TV and movies a password can be cracked in a couple of minutes. – thomasrutter Jun 01 '16 at 05:35
  • 1
    *"Once you submit your password we convert it using a cryptographic function (salted PBKDF2-SHA256 with 64,000 iterations for the tech savvy)"* - There is literally no need to try to communicate this to the users, 99.999% of which will have no idea what it means at all. It serves no benefit other than to satisfy yourself, the developer. All it does is potentially confuse or cause people not to read what you've written because it appears to be scary and techy. – BadHorsie Jun 01 '16 at 11:26
  • 1
    @BadHorsie, the goal of the page is to explain the measures that keep passwords safe. Although a lot of users may not understand what it means, it lets the user know that the company actually has something seemingly high-tech in place to protect passwords. If I had to choose between a bank that "converts it using a cryptographic function (salted PBKDF2-SHA256 with 64,000 iterations for the tech savvy)" and a bank that "jumbles up your password", I probably would go with the former. – Ben Morris Jun 01 '16 at 14:58
  • You can make this example more user friendly by adding a "!" to the last sentence: "Even our employees won't know your original password!". Everything gets better with exclamation marks! Everything! – T. Sar Jun 01 '16 at 15:12
  • 1
    @BadHorsie If you read the comments, twitter feed, etc. of any company that experiences a breach one of the main questions asked is how passwords were stored. Yes, it is a small portion of most user populations but there is no reason not to provide them with specifics. I can't see the lack of understanding about that part, specifically tagged as for the tech savvy, causing harm to normal users. – PwdRsch Jun 01 '16 at 15:37
  • @fjw I struggled with how to best phrase the 'won't immediately learn your password'. You can't say it won't be cracked, because the user's password is the main factor in whether that is true at this point. You can't say it would take months because, again, it depends on how good their password was. So I settled for trying to convey that at least some unquantified effort would be needed to guess their original password, without getting into specifics. – PwdRsch Jun 01 '16 at 15:44
7

The technical components are hard to communicate about. Understanding the answer beyond "We're doing the right thing" requires a lot of knowledge. So why not say both, something like:

"We protect your password with very strong technology. (For the geeks, it's currently 64K iterations of SHA2/PBKDF2)"

Adam Shostack
  • 3
    I would go a little farther: "We protect your password with very strong technology, using the security industry's recommended practices. (For computer security experts, it's 64,000 rounds of SHA2 using PBKDF2.)" If you have had a recent security audit, perhaps as part of an industry requirement (PCI, etc.), I'd recommend referencing the audit and auditors as well. But you'll have to keep the web page up to date, because nobody should trust a page that says "We just passed our 2007 security audit!" – John Deters May 31 '16 at 21:15
2

> Is it correct to say "The passwords which we store cannot be decrypted"? I worry that it implies that the passwords can never be cracked, which simply isn't true.

It is somewhat correct, though the very presence of "decrypted" in that sentence may lead people to jump to the wrong conclusion.

It may be better explained by saying that the passwords undergo a "one-way cryptographic hashing process", which cannot be reversed to find the original password, even by the system administrator.

If the only way to get the password is brute-force cracking, then I think it's fair to say the "process cannot be reversed". If you do want to address brute-force cracking, you could go on to mention that "the only way for an attacker to obtain the original password would be to guess it correctly, which may take longer than a human lifetime" assuming the password is chosen securely.

> Other options I have considered are "The method used to store passwords cannot be reversed"

Yes, I think it's fair to claim that.

> "In the case of a breach, your password should not be retrievable"

This is not as concise in my opinion. Firstly, "should not" is vague, and it may actually be retrievable through brute-force cracking, which isn't sufficiently addressed in this phrase.

There's a subtle distinction in my mind between "reversing the algorithm" - which brute-force cannot do, and "retrieving the password" - which brute force can assuming enough time.

> but I find saying they can't be decrypted to be more understandable and to the point,

Yes definitely.

As for the explanation of text:

> We are using Secure Password Storage v2.0 which is an implementation of PBKDF2. We are using the hash algorithm SHA256, 64000 iterations, and 24 bytes for our random salt.

It is good to include this for the benefit of those who understand the technical details, assuming that one of the previously discussed more layperson explanations is also included.

thomasrutter
1

How about this

"Our use of industry-proven security techniques guarantee that your password cannot be stolen from our equipment."

Edit: The wording should be changed per comments, because the guarantee (or whatever you call it) is subject to getting sufficiently unpredictable passwords from the end-user. (which is not dependable)

Perhaps with a link "How is this possible?"

"Using a technique known as Repetitive SHA256 Hashing, only a Checksum of your password is stored. This way we can test whether the Password matches, but, the original password cannot be recovered or decrypted. This is the same technique used in large-scale applications such as Email and Online Banking."

I'm no communications expert, but hopefully the first quote will give the laymen info, and then if someone starts to question you, they will click the link. If they understand the word Checksum, then maybe they can understand without any extra research.

700 Software
  • 4
    It's not a guarantee. – Adam Shostack May 31 '16 at 18:49
  • True, there is the remote possibility of a crack on the algorithm, as well as the more likely possibility of an edit to the server's application by an attacker, or possibly MITM. Those possibilities, if they were to occur, would capture the password next time the user logs in. However that would be beyond the scope of this terminology request. – 700 Software May 31 '16 at 19:25
  • I thought about *"...prevent your password from being stolen..."* (without the word guarantee) but it doesn't seem concrete enough, given the amount of difficulty in cracking SHA256. (assuming sufficient iterations) I'm interested to see what other terminology suggestions will be posted, as I frequently am faced with the desire to explain encryption and hashing details to the layperson. – 700 Software May 31 '16 at 19:28
  • "Our use of industry-proven security techniques guarantee that your password cannot be stolen from our equipment." You are working for Ashley Madison then? – gnasher729 May 31 '16 at 19:33
  • 1
    George, I think the biggest risk is a dictionary attack using common passwords against password hashes. Basically, if you have a weak password, a salted hash provides minimal security – Neil Smithline May 31 '16 at 19:33
  • @gnasher729, I don't get it. – 700 Software May 31 '16 at 19:39
  • 1
    @NeilSmithline, That is an excellent point. We of course cannot guarantee security of a weak password, even with a strong hash. – 700 Software May 31 '16 at 19:41
  • To build on Neil's comment, with the large dictionaries of leaked passwords, you cannot guarantee the security of any password that anyone has ever used anywhere else. – Adam Shostack May 31 '16 at 19:58
1

We follow industry best practices for password verification. For example:

  1. We do not record our users' passwords. Instead we record scrambled digests that allow us to recognize your password but no more. We don't know what your password is, but we recognize it when we see it!
  2. We compute the digest using cryptographic password stretching algorithms that randomize the digests and use deliberately slow computations. Both of these factors make it costly for hackers to guess passwords in bulk.

Note however that our measures cannot protect against all risks, and you are the first line of defense. In particular, the following are very important factors that are in your control, not ours:

  • Do not choose a password that is easy to guess. If somebody correctly guesses that your password is your spouse's name and your wedding anniversary, there's nothing we can do about that. [link to a good set of password guidelines]
  • Do not use the same password in more than one site. If one of the sites leaks your password, then the hackers may be able to log in to your accounts in the others. To avoid having to memorize or write down lots of different passwords, we recommend that you use a secure password vault program. [link to some such programs]
  • We will never ask for your password on the phone or over email. Be aware that a common ploy among criminals is to pretend to be us and fool you into telling them your password. So if you receive such a call or email, do not do as they ask.
  • If you get an email that looks like it's from us, asking you to log in to our site urgently, don't click on any links provided in the email. Instead, enter our company name on a search engine like Google and follow the result from there. [links to anti-phishing resources]
Luis Casillas
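The "recognize it but cannot recover it" property discussed in the answers above, and the distinction between reversing the algorithm and guessing the password, shown as an added example (not code from any poster or from the Secure Password Storage library). It uses Python's standard `hashlib.pbkdf2_hmac` with the parameters stated in the question; the 32-byte output length, the record layout, the function names and the constructed word list are assumptions.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Parameters as stated in the question on this page.
ALGORITHM = "sha256"
ITERATIONS = 64_000
SALT_BYTES = 24
HASH_BYTES = 32  # assumption: the page does not state the output length

# Constructed sample of "common" passwords, for illustration only.
CONSTRUCTED_COMMON = ["123456", "qwerty", "password1", "letmein"]


def _derive(password: str, salt: bytes, iterations: int, length: int) -> bytes:
    return hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"),
                               salt, iterations, length)


def create_record(password: str) -> dict:
    """What the server stores: salt, cost and digest, never the password."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    return {"salt": salt, "iterations": ITERATIONS,
            "digest": _derive(password, salt, ITERATIONS, HASH_BYTES)}


def verify(candidate: str, record: dict) -> bool:
    """Recognize a password: re-derive with the stored salt, compare in
    constant time. Nothing here can turn the digest back into text."""
    derived = _derive(candidate, record["salt"], record["iterations"],
                      len(record["digest"]))
    return hmac.compare_digest(derived, record["digest"])


def guess_from_list(record: dict, candidates: List[str]) -> Optional[str]:
    """All a holder of a stolen record can do is guess and check, paying
    the full 64,000-iteration cost per guess per user (salts differ)."""
    for word in candidates:
        if verify(word, record):
            return word
    return None


if __name__ == "__main__":
    strong = create_record("correct horse battery staple")
    again = create_record("correct horse battery staple")
    weak = create_record("password1")
    print("same password, different digests:", strong["digest"] != again["digest"])
    print("login with right password:", verify("correct horse battery staple", strong))
    print("weak password guessed:", guess_from_list(weak, CONSTRUCTED_COMMON))
    print("strong password guessed:", guess_from_list(strong, CONSTRUCTED_COMMON))
```

The digest of a password that appears on a common list falls to guessing regardless of salt and iteration count, which is why the wording suggestions above avoid the word "guarantee".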
0

You could do a public service and explain what you are doing.

Things like defence in depth - multiple levels of defence. First level making your servers unhackable. Second level not storing plain text passwords. Third level not storing encrypted passwords. Fourth level salting. Fifth level using a slow algorithm (64,000 passes).

gnasher729