Sunday, November 13, 2011

Password security at Stoffi

Our new and upcoming cloud service includes the ability to create user accounts. In today's climate security is a highly debated and important topic.

We have recently seen how Sony got hacked and Valve's Steam service was just compromised. In the former case vital information was not properly encrypted. Here in Sweden a popular blogging website called had their database compromised a few weeks ago and they stored all their users passwords in clear text.

Do I need to tell you that here at Stoffi we take security seriously?

Encrypted communication
First of all I just bought us an SSL certificate which lets us offer a secure HTTPS connection. This provides both encryption and verification, so you know that any information sent is sent to us and that it is only readable by us. I will force the server to use a HTTPS connection at least during the login procedure.

Secure transmission
But I don't trust HTTPS completely. This year a CA server was compromised and there are known vulnerabilities in HTTPS and SSL. So that's why I have added an additional measure to enhance security during login and registration.

When you submit your password to our server (via login, registration or password reset) the passwords will be hashed using the SHA256 algorithm and salted with your email. If you look closely you will see that when you press "login" the password box changes as the password is hashed before it is sent to our server.

Secure storage
When your hashed password arrives at our server it is again hashed, this time using the SHA1 algoritm. Here we use a random salt along with a key stored in a configuration file on the server. This means that an attacker must get access to both the database and the server files in order to perform an offline attack.

Further, the hashing on the server side is digested 10 times which means that any offline attack will take 10 times longer.

Nothing is 100% secure
The worst and most unsecure thing is password reuse. If you use the same password everywhere then your whole online identity is only as secure as the worst website you have registered at. Make sure you use different passwords on different websites, or at least keep different passwords for the top most sensitive websites (for example Facebook, Google or PayPal).

Also remember that if an attacker gets access to your email account then he or she can just perform a password reset on any of your accounts, including Stoffi.

Stay safe!