Saturday, June 11, 2011

A Little Password Activism

My medical professionals have recently upgraded their websites to provide an e-portal for secure messaging, sharing test results, and the like.

I think that such electronic access is a fantastic idea. However, I had a bit of pause with the user registration process, which required me to choose a password with a limited maximum length.

This irks me to no end, especially when this password is supposed to guard access to medical or financial records. Here's why: such a restriction implies that a database field is being used to store the password itself for purposes of authentication checks (or worse, password recovery!).

I wrote the following to the webmasters, and fully expect it to fall on deaf ears. At least I've tried!

Hello,

Thank you for providing me secure online access to my medical records, test results, and service providers.

I am writing to let you know of a potential security issue regarding password storage for the system's online authentication. In particular, during the user registration process, a password must be created consistent with a length of 6 to 15 characters containing at least one number and one letter.

Such a length restriction implies that the password itself is being stored in your database(s) for purposes of validating authentication attempts. This is an insecure practice. A secure approach -- and industry best practice -- is to store a salted cryptographic hash of the password that does not require the actual password itself to be stored, but instead something derived from it. Please see the following document from the National Institute of Standards and Technology for more information on this subject: http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf

I would appreciate your comments regarding these issues at your earliest convenience.

The nice thing about the salted hash approach is that one can still store a fixed-length field in the database, but the password itself can be of arbitrary length. Plus, the authentication system doesn't know what the password is -- just something that is derived from it.

Here's hoping that letters like this can start making password storage more secure -- especially in light of epic failures like the Sony breach!
