3

So, our database is using bcrypt with a high iteration/cost to store our users' passwords. We're using https like intelligent people and we continue to work on finding ways to sidestep our own security before someone else does.

With that said, we are beginning a new marketing push with a new interface and the marketing guys are wondering if we can/should/should not use bcrypt as a selling point on our features page.

It seems there are so many large organizations out there that DO NOT use secure password hashing methods and even if it is kind of sad, using something like bcrypt seems like a differentiator.

So, the question that I want to ask is if advertising our use of bcrypt will paint a target on our back. I see "we use https" advertised often, but I don't see anything mentioned about password storage policies.

I don't need to know if it's a good marketing tactic; what I want to know is if it's going to expose us to more danger if we do advertise the use of bcrypt.

Thanks for your thoughts.

Niictar
    It is safe to advertise it because security is not obtained by obscurity. But I would like to add two thoughts: 1. using bcrypt doesn't guarantee security (it depends on how you use it and the security of the procedure itself). 2. Unless you want to get to a very technical user, I don't think normal people will know what bcrypt is really about. – kiBytes Feb 05 '14 at 20:35
  • This question appears to be off-topic because it is about marketing strategies. – Adi Feb 05 '14 at 23:06
  • This sounds like the sort of marketing speak from vendors who have "industry leading 2048-bit encryption" - while failing to prevent XSS and SQL injection. – paj28 Feb 06 '14 at 01:43

3 Answers

8

The usual argument goes this way: if it is not safe to describe what algorithms you use, then you have a bigger problem. Therefore, you should be able to announce to the World that you use bcrypt with no ill effect on security. In fact we must assume that the attacker already knows that you use bcrypt (if he is in a position to do harm, then he can probably see your code; also, bcrypt output from usual bcrypt implementations has a quite recognizable format).

Knowing whether it is a good idea, from a marketing point of view, to turn bcrypt usage into a sales pitch is another matter. Personally, I think that saying "we use HTTPS and all passwords are stored hashed with bcrypt" will do no harm over the simpler "we use HTTPS". I cannot claim that it would do good. Also, there is such a thing as going too technical, in that you might inadvertently show yourself as "a bunch of geeks" which may or may not appeal to your intended customer crowd. This all depends on the kind of image that you want to project, and the average psychological profile of expected site users.

Thomas Pornin
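To illustrate the point above that a stored bcrypt value is self-describing, here is a small parser (added example code, not from the original answer or any library) for the modular-crypt string that common bcrypt implementations emit: the variant, cost factor and salt are all readable from the hash itself, so anyone who can read the password table already knows more than a features page would tell them. The sample rows are constructed; the MD5 digest is computed inline as a stand-in for a legacy unsalted scheme.

```python
import hashlib
import re

# Modular-crypt format written by the usual bcrypt implementations:
#   $<2a|2b|2x|2y>$<cost, 2 digits>$<22-char salt><31-char hash>
# Salt and hash use bcrypt's own base64 alphabet: ./A-Za-z0-9
BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[abxy])\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<hash>[./A-Za-z0-9]{31})$"
)

def parse_bcrypt(stored: str):
    """Return the fields of a bcrypt hash, or None if the string is not bcrypt."""
    m = BCRYPT_RE.match(stored)
    if not m:
        return None
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:          # bcrypt only defines cost factors 4..31
        return None
    return {
        "variant": m.group("variant"),
        "cost": cost,
        "rounds": 2 ** cost,         # key-setup iterations implied by the cost
        "salt": m.group("salt"),
        "hash": m.group("hash"),
    }

def classify(stored: str) -> str:
    """Classify a stored password value by its shape alone (useful for auditing)."""
    info = parse_bcrypt(stored)
    if info:
        return f"bcrypt (variant {info['variant']}, cost {info['cost']})"
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "bare 32-hex digest (MD5-sized, no visible salt)"
    if re.fullmatch(r"[0-9a-f]{40}", stored):
        return "bare 40-hex digest (SHA-1-sized, no visible salt)"
    return "unknown"

# Constructed sample rows, not taken from any real database.
SAMPLE_ROWS = {
    "alice": "$2b$12$" + "abcdefghijklmnopqrstuv" + "A" * 31,
    "bob": hashlib.md5(b"password").hexdigest(),
}

if __name__ == "__main__":
    for user, value in SAMPLE_ROWS.items():
        print(user, "->", classify(value))
```

Run `classify` over your own password column to find rows still stored under a legacy scheme before, rather than after, you advertise how passwords are protected.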
2

It sounds like you have the right attitude, and you are certainly asking a good question.

When someone performs a penetration test, one of the things that they will generally look for is information leaking that could help an attacker. A website that reveals that Apache is running, and its specific version, would be useful for someone who wants to hack your website, for example. So telling the world you use bcrypt will be telling anyone who wants to hack you.

Then again, if an attacker knows that you are using bcrypt they may be less likely to target you as you are likely to have your stuff together, so there are both potential costs and benefits from an attacker knowledge point of view.

What really clinches it for me though is that most of your potential customers are unlikely to have the first idea of what bcrypt is, so you saying you use it isn't likely to sell your product. Just saying your password encryption is better than industry standard, and that you have a strong commitment to protecting customer information, is enough for the majority of customers, and to be honest makes more sense to them. So you'd be giving away information about your product to an attacker without any real benefit.

GdD
  • "_Just saying your password encryption is better than industry standard_" - So, would it be fair to say that we are using "better than industry standard" without too much puffery? I agree most users won't have a clue what bcrypt is specifically. – Niictar Feb 05 '14 at 22:08
0

Pretend you're the customer purchasing your own product. If you saw that the product "had bcrypt!" would that make you any more likely to purchase it? With that in mind, consider that you likely have more security experience than most customers. Will they know what bcrypt is, or will it distract them from your other selling points? If this is for a technical audience, saying "we use bcrypt" doesn't say much. Great, you use bcrypt, but do you use a salt? Even with bcrypt, without a salt a rainbow table could be used. For a technical audience, get a third party audit if that's the reasoning. Otherwise, it's not worth it to distract from your main selling points.