As consumers of online services, it becomes easy to take for granted that the information we provide when registering for well-known web sites is stored safely and securely. But what about a web site created by a smaller company like yours truly? In this blog post, I will provide a specific example of why web sites created by large companies are not inherently more trustworthy, followed by an overview of the options software developers have when storing sensitive information like user passwords. Finally, I will discuss the choice we made when we created Lottery Answers, and why we made it.
It seems that each new week brings news of more Sony web sites being hacked. If you recall, in late April, information for over 100 million user accounts was stolen when hackers gained access to the databases behind Sony’s PlayStation Network and Sony Online Entertainment.
Since then, hackers have attacked various regional Sony web sites, but the latest attack is notable for a very specific reason: the passwords for over 1 million user accounts were stored in plaintext, which means they were stored exactly as the users entered them, unencrypted in any way. When you consider that many people use a single password for all of their online accounts, including their email and banking, it becomes very clear how bad this situation is.
For consumer web sites, there are three primary methods for storing user passwords: plaintext, encrypted, and hashed. Sony has provided a perfect example of why plaintext passwords should never be stored, so nothing more needs to be said about this method of storing passwords.
Encryption can be used to store a password securely, but encryption is a two-way street, and an encrypted password can be decrypted if the attacker also has access to the cryptographic key. Is this safe? Consider that if an attacker has gained access to the database, there is a good chance they also have access to the application files that are used to run the web site. Even if this is compiled code, it can be disassembled, and someone snooping through the code could determine what the key is, instantly revealing every password in the database.
Finally, we can use a method known as hashing. When a password is hashed, the result is something that doesn’t look anything like the original password, much like when the password is encrypted. Hashing, however, is a one-way process. You cannot “un-hash” the hashed password, which removes the weakness of having a single key that would give an attacker access to every password in the database.
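The following is an added example, not code from the original post or from Lottery Answers, showing the hashed-storage approach the three paragraphs above describe: a password is hashed with a per-user random salt and an iterated hash (PBKDF2 via Python's standard library, an assumption since the post does not name an algorithm), only the resulting record is stored, and a login attempt is checked by re-hashing the candidate and comparing, with no stored key that could reverse the record. The in-memory "database", usernames and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed parameters: a random 16-byte salt per user and an iterated hash,
# so equal passwords yield different records and brute force is slow.
SALT_BYTES = 16
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    The record contains no copy of the password and no shared key; the only
    way to reproduce the digest is to know the password itself.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-hash the candidate with the salt and iteration count from the record.

    hmac.compare_digest keeps the comparison constant-time, so timing does not
    leak how many leading bytes of the digest matched.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(db: Dict[str, str], username: str, password: str) -> None:
    """Store only the hashed record, never the plaintext (constructed dict as the DB)."""
    db[username] = hash_password(password)


def login(db: Dict[str, str], username: str, password: str) -> bool:
    """Unknown users fail the same way as wrong passwords."""
    record = db.get(username)
    return record is not None and verify_password(password, record)


def record_contains_plaintext(db: Dict[str, str], username: str, password: str) -> bool:
    """What an attacker holding a dumped table would see: is the password in it?"""
    return password in db.get(username, "")


if __name__ == "__main__":
    users: Dict[str, str] = {}          # constructed stand-in for the users table
    register(users, "alice", "correct horse battery staple")
    register(users, "bob", "correct horse battery staple")  # same password, different record
    print(users["alice"])
    print("alice login ok:", login(users, "alice", "correct horse battery staple"))
    print("alice wrong pw:", login(users, "alice", "hunter2"))
    print("records differ despite equal passwords:", users["alice"] != users["bob"])
```

Two points worth noticing when running it: the two users with the same password get different records because each has its own salt, so a leaked table does not even reveal which accounts share a password; and nothing in the application needs a secret to verify a login, which is exactly the single-key weakness of the encryption approach that hashing removes.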
When we created the Lottery Answers web site, we made the decision very early on to store passwords as securely as possible, which means we hash passwords before saving them to the database. Lottery Answers isn’t a likely target for hackers, but knowing that people tend to reuse their online passwords, we absolutely, positively did not want to be “that site”, the one that got hacked and had their users’ passwords stolen. We know many of you personally, and we would never want to be responsible for putting your online security at risk.
