They say 80% of passwords on the internet are "weak" passwords. When sites use annoying guidelines like "you must have an uppercase character, a lowercase character, a number and a special character," it's not because the webmaster was feeling cruel and abusive and all powerful, but rather because he or she was trying to protect his users. Gaining access to a website with weak security is trivial. You want to protect your users' data, including their password, which may be their key for other websites too.
So here's your security 101: when you store data in a database, step 1 would be storing a password. Storing a password as plain text is not very secure and would certainly be problematic if someone unauthorized gained access. So to combat this, developers encrypted passwords. But passwords that can be decrypted are equally problematic, anyone who could get them could certainly decrypt them. So developers changed to one-way encryption: encrypt it, and then when you give me your password, I'll encrypt it again and see if it matches! Brilliant!
But computers got faster, and thus were born "rainbow tables." Essentially, hackers would start generating encrypted versions of dictionary words, common passwords, and other phrases, and these encrypted strings are known as hashes; when you got a list of encrypted passwords, you could compare them to your list of known hashes. Brilliant!
So developers struck back with "salts." Add some random stuff to the beginning or end of the password and encrypt it, thus rendering rainbow tables null and void. Unless, of course, someone gets your salt. Then what? You can't even decrypt the passwords yourself to re-encrypt them with a new salt. You have to force everyone to change their password.
With the not-too-long-ago release of some compromised passwords from a fellow Phish site, we decided to bump up our security efforts. Phish.net used to utilize a mix of SHA1 and MD5 encryption, fairly common cryptographic hashing functions. The challenge with these is that they are very fast - a computer processor can compute these hashes in microseconds, enough that one could hit a login form 10,000 times per second and just run through the dictionary. Knowing that weak passwords make up 80% of the accounts out there, just knowing usernames - something one could easily pull from, say, our forum - you'd probably be able to gain access to at least a few thousand accounts.
As a result, today, we switched to bcrypt for encryption. bcrypt is very slow (in computer terms). In fact, we actually slow our implementation down further. In other words, it still only takes a fraction of a second, far too little for a human to notice, but enough that a computerized attempt to gain access would be hindered by how long the response would take. The automation of such an action is severely handicapped by this slow encryption. Converting a list of the passwords from our database into something usable elsewhere would still be a mammoth task.
On the flip side of this, what if someone just keeps hitting your site trying to login? To combat this, on Phish.net, we implemented "rate limiting" some time ago. Too many failed attempts and the login process won't continue.
How can you take advantage of this? Simply login to Phish.net. The next time you login successfully, your password will be automatically converted to the new encryption.
If you liked this blog post, one way you could "like" it is to make a donation to The Mockingbird Foundation, the sponsor of Phish.net. Support music education for children, and you just might change the world.