[sounddust]

From a security standpoint, there is no difference between storing the password in plain text, and storing it encrypted with the keys on the server to decrypt it. It's like saying that having an unlocked safe is not the same thing as having a locked safe with the keys left in the lock. Why should the OP make the distinction?

[anatoly]

Because there is a difference. Sure, academically, and positing an ability to break into anything, encrypting the passwords and retaining the key is useless. But realistically, I can think of a few ways off the top of my head where the difference might matter.

For example, you could have a dedicated decryption server holding the server-side key, carefully isolated from the rest of the internal network, its only channel of communication a single socket with request/response on decrypting passwords for password recovery. It could have rate limiting built in, and a storm of alerts to go off if backends request too many decryptions.

[tarmac]

You're assuming the keys are the only way to get into the safe. There you go again with flawed reasoning.

What if I drill into the safe and open it in a different manner?

ANY type of security has it's weaknesses. The only way is to add layers of security to make it harder to crack.

[sounddust]

Sure, I think everyone on HN agrees that any type of security has its weakness. What we are discussing here is whether 37signals is inadequately handling users' data by storing passwords in plain text, and the argument is that there is no difference in the level of security of "encrypted" passwords if the server has the key to decrypt them.

In other words, even if the author found out before writing the article that 37signals was storing users' passwords encrypted (instead of hashed), then he still would have written his article, and we would still be just as concerned as we are now.

You seem to be arguing against a point that no one is making.

[ErrantX]

layered security is not the answer - if the weakness is elsewhere in your application then potentially passwords can be extracted in other ways (people run straight to SQL injection as the main source but any decent cracker will be able to explore other options).

Hashing and salting a password removes absolutely ewvery security weakness in terms of directly extracting the password. No need for layered security and potentially complex uneeded encryption/decryption in your app. Safe, secure. end of the matter :)

[rythie]

"Hashing and salting a password removes absolutely ewvery security weakness in terms of directly extracting the password. No need for layered security and potentially complex uneeded encryption/decryption in your app. Safe, secure. end of the matter :)"

It is seriously worrying that you believe this.

Cracking hashed passwords offline is no big deal on a single machine unless you have really strong password policy - you know, the type of password no real regular user would even enter.

[ErrantX]

you think? I'll give you a 4 character password correctly salted and hashed with Sha1 and would like to see you crack it ;)

Allowing password security to depend on what the user enters IS silly - but who would! 32haracter salts and sha256 is going to produce a fairly uncrackable password.

Even if you know the salt and the salting algorithm (because simply appending a salt is also silly) it can still take a while :)

Im not talking about just sticking "MYSECRETSTRING" on the end of every password and sha1-ing it :)

[ErrantX]

Ok to prove what I am talking about (because it is only fair I do). Here are four 4 character password correctly hashed and salted.

6fe4bc5a51a3967a3a5e8d2f2baadd08db8cfa87934d88c142b7f89a

2faf5762d544eafaea9792e90660bfd224ffda2bb5f4dd4435a011ba

86096426b8cef5ebbf438a3f743b955100a4a0b4f72593af7485a1bb

0522e582fb1186fb79934998be7ee04f6c4a607009218fa3c35cffc6

The hash algorithm used is sha1. The salting scheme uses a randomly generated salt and a known salting roation. I gave you 4 to give you fair chance to work on them. I'll give you more if you want. (there is no way to brute force these BTW so dont really bother :))

[rythie]

So basically the algorithm is in the code, so anyone who has ever seen the code knows the algorithm, which you can't change after you have actual users. Any ex-employee could take a copy of the verify function and a dump of the database and hack it home. Similarly a cracker who gets a DB dump of the passwords will probably get your code too.

Running sha1() in PHP on each of the 98569 words in /usr/share/dict/words takes 1 second on my laptop. Appending all of the numbers 1-100 to each of those, not surprisingly ups the time to about 1m40s. You'll probably get quite a lot of users with passwords like that.

[Hexstream]

But encrypting the passwords with a key on the server is an additional "layer of security" that doesn't actually making it harder to crack. You're just adding complexity for naught.

[m_eiman]

It prevents you from getting the passwords with an SQL injection attack (or by reading the users.txt or whatever storage is used for the user list), so it does add protection.

[Hexstream]

Ok, I was assuming the attacker had full access to the server.