Deadites about to meet my chainsaw-arm and shotgun!
It's not fair that all these great games are coming around to distract my writing. :)
Thank you for your feedback, and as it appears you already know it is industry standard to store a hash value of the password. I assure you that your password is not in fact stored as is in our database, it is stored by some type of hash value. I am not entirely sure by which standard our software vendor encrypts this data, but it is protected. If you lose your password our standard procedure is to have you reset it, because we are unable to retrieve your old password information from our database. If you have any further questions or concerns please do not hesitate to contact us.

Grammatical errors aside, there is an assertion that a hash is used in password authentication. If that's the case, then why enforce an upper character limit on the passwords? The nice thing about a cryptographic hash is that, by design, it reduces an arbitrary-length input to a fixed-size, obfuscated token that can be stored for purposes of authentication.
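To make the point concrete, here is an added example (my own illustration, not code from the site or its vendor) of a salted password hash in Python: the stored record is the same size whether the password is 6 characters or 200, so a 15-character cap buys the database nothing. The iteration count and field layout are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000   # PBKDF2 work factor; assumed value, raise as hardware gets faster
SALT_BYTES = 16        # fixed-size random salt, one per user
HASH_BYTES = 32        # fixed-size derived key (SHA-256 output length)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    Salt and derived key are fixed-size, so the record length does not
    depend on the password length; only the password varies.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be %d bytes" % SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             ITERATIONS, dklen=HASH_BYTES)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
        iterations = int(iters)
    except ValueError:
        return False          # malformed record: never authenticate
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def record_length(password: str) -> int:
    """Length of the stored record for a password; constant for any input."""
    return len(hash_password(password))


if __name__ == "__main__":
    for pw in ("abc123", "a much longer passphrase than fifteen characters"):
        rec = hash_password(pw)
        print("%d-char password -> %d-char record: %s" % (len(pw), len(rec), rec))
        assert verify_password(pw, rec) and not verify_password(pw + "x", rec)
```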
Thank you for your prompt reply. Hopefully the message can go up the chain and fall on the right person's desk.
In light of your assertion that a password-derived hash is what is used for purposes of authentication, I have a website enhancement request that I would appreciate you forwarding to the appropriate technical or vendor representative.
In particular, please remove the upper limit on password length that is presently enforced at 15 characters. (The minimum password length requirement remains a good idea.) This should not pose any technical burden, as a cryptographic hash function, by design, can take an arbitrarily-long input and produce a fixed-size, obfuscated output that is suitable for storage in the authentication database.
Such an improvement would significantly enhance the overall strength of the website's password system, and bring it in line with practices used at financial institutions.
Thank you once again for your responses. I appreciate your assistance in forwarding this suggestion to the appropriate representatives, and would appreciate a response should action be taken to address it.
The nice thing about the salted hash approach is that one can still store a fixed-length field in the database, but the password itself can be of arbitrary length. Plus, the authentication system doesn't know what the password is -- just something that is derived from it.

Hello,
Thank you for providing me secure online access to my medical records, test results, and service providers.
I am writing to let you know of a potential security issue regarding password storage for the system's online authentication. In particular, during the user registration process, a password must be created consistent with a length of 6 to 15 characters containing at least one number and one letter.
Such a length restriction implies that the password itself is being stored in your database(s) for purposes of validating authentication attempts. This is an insecure practice. A secure approach -- and industry best practice -- is to store a salted cryptographic hash of the password, which does not require the actual password itself to be stored, but instead something derived from it. Please see the following document from the National Institute of Standards and Technology for more information on this subject: http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf
I would appreciate your comments regarding these issues at your earliest convenience.
Yes, Rick Santorum is running for President.
Will he win? Of course not.
Why waste valuable blog space then? Because I was very surprised (and slightly amused) to see him being described as a "frothy, third-tier candidate."
It's good to see that the left-leaning media can get away with that one; here's hoping that more media outlets ask him about his true namesake!