A reminder on passwords

Passwords are used for a wide range of services. Every time I explain passwords to students, I strongly encourage them to never, ever design a software that stores passwords as clear text inside a file. Storing clear text passwords is a recipe for disaster. We’ve seen dozen myriads of websites having their “secure” password file being hacked. Since the publication o Password security: a case history every computer scientist should know that passwords should be hashed before being stored in a file, even if the file is protected by strict permissions. This is the default solution on Unix since the early days and has been adopted by all derivatives.

Over the years, the hashing technique has evolved to make it more difficult for an attacker who managed to retrieve the file containing the hashed passwords to invert them to recover the orginal ones. A nice summary appears in Practical UNIX and Internet Security, 3rd Edition by Alan Schwartz, Gene Spafford, Simson Garfinkel.

With hash functions, it is difficult but not impossible for an evil hacker to recover the original passwords from the hashed ones. Recently, someone recovered the hashed password used by many of the early developers of Unix. Given that the hash function used at that time was much simpler than today, those decades-old hashed passwords have been recovered, except Bill Joy’s password. See UNIX Co-Founder Ken Thompson’s BSD Password Has Finally Been Cracked for additional information and remember, never design or implement a system that stores passwords as cleartext.

*This blog post was written to inform the readers of Computer Networking: Principles, Protocols and Practice about the evolution of the field. You can subscribe to the Atom feed for this blog.

Written on October 16, 2019