
I am learning more about security in web design so I can build more robust sites. As I see it, password security is one of the main concerns: if a database is hacked, then chances are the passwords will be on the attackers' list. I understand that you should not store plain-text passwords and should instead hash/salt them, storing that instead. But on a site I have been working on, we have 'site only' passwords, i.e. the passwords are generated automatically by the website for the user's site access. These are for admin and the site's course access and consist of the website name followed by numerous random characters. So the passwords, even if accessed in plain-text format, would not be of any use, because the passwords are unique to that site only. As I understand it, normally the hackers are looking for 'common' passwords, which can be used to access other sites.

This system was put in place by an experienced programmer. But I am wondering if the general consensus is that using this method of unique site passwords is a much safer option and, if so, why most sites generally request user-set passwords in the first place, which are more vulnerable (even though they are perhaps easier to remember)?

  • So: the user registers and is given a password by the website? How does that password get delivered? Could you also elaborate on what 'So the passwords even if accessed in plain text format would not be of any use, because the passwords are unique to that site only' means? –  Jul 14 '16 at 11:27
  • "website name followed by numerous random characters", and you think this ain't in the list of some password crackers? It'd be one of the first things I'd put on my list. You would do better to disallow passwords under a certain number of characters, require non-alphanumeric characters, ... – O'Niel Jul 14 '16 at 11:29
  • `So the passwords even if accessed in plain text format would not be of any use, because the passwords are unique to that site only` -- don't you care about an attacker accessing other accounts on your website? Why store plaintext when you know there's a better way? – Jedi Jul 14 '16 at 11:30
  • In fact, you could do worse than reading all of the OWASP Authentication cheat sheet. That would pretty much answer every question you've asked, and more, and in greater detail than any real answer here could provide. Why re-invent the wheel, right? :) https://www.owasp.org/index.php/Authentication_Cheat_Sheet –  Jul 14 '16 at 11:32
  • All very valid points. I need to digest this info before answering your questions. The site was built a long time ago on a small budget, which is why I am now exploring the security angle. – Robert Sheppard Jul 14 '16 at 11:57

2 Answers


Forcing the user to pick a password you generated is an efficient way to prevent password reuse. That means both (a) that your passwords will not be usable on another site if an attacker steals them, and (b) that your users' accounts will not be breached even if they were all on LinkedIn, MySpace, Sony and Ashley Madison.

On the other hand, it will make them much harder to remember. Users are therefore more likely to write them down on a Post-it next to the screen or in an email sent to themselves - not very secure practices. They are also more likely to be annoyed at you and not use your site. If you try to counteract this by generating passwords with less entropy, you might end up making users who would prefer to use a password manager to generate long, unique passwords substantially less secure.

Finally, to the question of whether there really is any need to hash the passwords: Yes, you should hash them. If your database is leaked (SQLi, lost backup, etc.) you do not want the attacker to have all the passwords and be able to log in as an administrator.

For how to securely hash passwords, see this question.

Anders
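The two points above (issue a random site password, but still store only a salted, iterated hash of it) put into working code. This is an added example for this page, not code from the answerer or from the site the question describes. It uses only the Python standard library; the record layout `pbkdf2_sha256$iterations$salt$hash`, the function names and the 600,000-iteration default are assumptions chosen here for illustration, not anything the original site used.

```python
"""Added example (not from the original Q&A): issue a 'site name + random
characters' password with a CSPRNG, store only a salted PBKDF2 hash of it,
verify in constant time, and detect records that need a cost upgrade.
Record format 'pbkdf2_sha256$iterations$salt$hash' is an assumption made
here for illustration."""
import base64
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)
SALT_BYTES = 16               # 128-bit per-record salt
RANDOM_PASSWORD_BYTES = 16    # 128 bits of entropy in the random part of a password


def generate_site_password(site_name: str) -> str:
    """Password of the shape the question describes: site name + random tail.
    All of the security lives in the random part, so it comes from the
    `secrets` CSPRNG (never random.random()) and is sized for 128 bits."""
    return site_name + "-" + secrets.token_urlsafe(RANDOM_PASSWORD_BYTES)


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record; the plaintext is never written anywhere."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant
    time. Any malformed record simply fails verification."""
    try:
        scheme, iterations, salt_b64, digest_b64 = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations)
        )
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the record uses a weaker scheme or fewer iterations than current
    policy, so it can be upgraded on the user's next successful login."""
    try:
        scheme, stored_iterations, _salt, _digest = record.split("$")
        return scheme != "pbkdf2_sha256" or int(stored_iterations) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    pw = generate_site_password("examplesite")
    rec = hash_password(pw)
    print("issued password:", pw)          # shown once to the user, then discarded
    print("stored record:  ", rec)          # this is all the database keeps
    print("verify correct: ", verify_password(pw, rec))
    print("verify wrong:   ", verify_password(pw + "x", rec))
```

The record carries its own salt and iteration count, so the work factor can be raised later without invalidating existing accounts: on a successful login, check `needs_rehash` and, if true, store `hash_password(password)` in place of the old record. A leaked table of these records gives an attacker a per-account brute-force problem rather than a list of working admin credentials.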

Having a unique password per site isn't about people targeting that individual site, but instead about the problem of 'cross contamination' from other sites. People are notorious for using the same password on multiple systems.

It's been well documented that attacks take place by setting up a website of similar interests to your target (for example, a World of Warcraft fan forum). Users register there for some reason (to comment) and use their email address and password. Unfortunately, more commonly than not [citation required], users use the same password.

If that site isn't legit, or if it was legit and got hacked but the passwords people were using were badly stored (as in Amazon's hack), or they are being captured before being hashed and checked as a user logs in, the attacker now has an email address and password.

In these situations, the attacker is not targeting an individual, but anyone who falls victim. Therefore a system enforcing that your most privileged users (the sysadmins) must have passwords could be a good thing.

However, alternatives are possible: multi-factor authentication (such as FIDO), or requiring your users to use a system such as LastPass, which will track sites that have common passwords for you.

Jmons