Bozhidar Bozhanov

About Bozhidar Bozhanov

Senior Java developer, one of the top Stack Overflow users, fluent with Java and Java technology stacks - Spring, JPA, JavaEE. Founder and creator of Computoser and Welshare. Worked on Ericsson projects, Bulgarian e-government projects and large-scale online recruitment platforms.

Verifying Secure Password Storage Externally

Many websites (including big ones like Adobe, Yahoo, LinkedIn, Gawker, etc.) store user passwords insecurely: either in plain text, or encrypted (reversible), or using a broken or brute-forceable hash function. Many websites continue to be built with poor password storage mechanisms.

So what? Well, if the database leaks somehow (and it obviously happens, see the link above), then users are in trouble – not only are their accounts on the problematic site compromised – many of their accounts around the web may be compromised, because of the natural tendency of users to reuse passwords. So if your site is broken, it’s not only about you – it’s about your users’ other accounts, and that alone means the matter is very serious.

We know how to implement it, yes – use bcrypt/PBKDF2/scrypt. We know, but many people don’t. So I thought it may be good to give good websites a way to prove to their users that they take the password issue seriously.

So I created SaltedHashed.com (as a weekend project). It requires website owners to expose their password-storing mechanism as a REST-like API endpoint, which my service invokes periodically to check if everything is ok. The invocation consists of a randomly generated password, and the website must respond with the algorithm it uses, together with the final form of the password that is stored in the database.

After the process is successful, the site gets a badge (like those “Valid XHTML”, “Valid CSS”, “Secured by VeriSign”, etc. badges that we (used to) have) which says “We store passwords securely” and links to a page that gets the up-to-date status of the site and explains to the user why this is important. It’s not much, I know, but it has the tiny chance of raising awareness of the issue, and that’s important.

The only algorithms that are recognized as secure are Bcrypt, PBKDF2 and Scrypt. SHA-512 isn’t. No simple hashing function is. Encryption is not allowed (because it is reversible, and if the attacker gets ahold of your key, all the passwords are revealed).
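To make the check concrete, here is an added example (not SaltedHashed's own code) of what the verifying side does with a site's reply: it sends a random probe password, accepts only bcrypt, PBKDF2 and scrypt by name, and for PBKDF2 re-derives the stored value from the probe to prove the endpoint really ran the stated algorithm. The JSON field names, the minimum iteration count and the minimum salt length are assumptions for this example; the post does not specify the API format.

```python
import hashlib
import hmac
import secrets

# Schemes the post lists as acceptable; plain hashes (SHA-512 etc.) and encryption are not.
ACCEPTED_ALGORITHMS = {"bcrypt", "pbkdf2", "scrypt"}
# Assumed policy thresholds for PBKDF2 (not taken from the post).
MIN_PBKDF2_ITERATIONS = 10_000
MIN_SALT_BYTES = 16
PBKDF2_PRFS = {"sha256", "sha512"}


def generate_probe_password(nbytes: int = 18) -> str:
    """Random password the checker sends to the site's endpoint."""
    return secrets.token_urlsafe(nbytes)


def site_pbkdf2_response(password: str, salt: bytes, iterations: int, prf: str = "sha256") -> dict:
    """What a compliant PBKDF2 site is assumed to answer (constructed format, not the real API)."""
    dk = hashlib.pbkdf2_hmac(prf, password.encode(), salt, iterations)
    return {"algorithm": "PBKDF2", "prf": prf, "salt": salt.hex(),
            "iterations": iterations, "hash": dk.hex()}


def check_response(probe_password: str, response: dict) -> tuple:
    """Return (ok, reason). Only the listed schemes pass; for PBKDF2 the stored
    value is re-derived from the probe password and compared in constant time."""
    algorithm = str(response.get("algorithm", "")).lower()
    if algorithm not in ACCEPTED_ALGORITHMS:
        return False, f"{algorithm or '<missing>'} is not an accepted password hashing scheme"
    if algorithm != "pbkdf2":
        # bcrypt/scrypt re-derivation needs their own libraries; accepted by name only here.
        return True, f"{algorithm} accepted by name"
    prf = str(response.get("prf", "")).lower()
    if prf not in PBKDF2_PRFS:
        return False, f"unsupported PBKDF2 PRF {prf!r}"
    try:
        salt = bytes.fromhex(response["salt"])
        stored = bytes.fromhex(response["hash"])
        iterations = int(response["iterations"])
    except (KeyError, ValueError, TypeError):
        return False, "malformed PBKDF2 response"
    if len(salt) < MIN_SALT_BYTES or len(stored) < MIN_SALT_BYTES:
        return False, "salt or derived key too short"
    if iterations < MIN_PBKDF2_ITERATIONS:
        return False, f"iteration count too low ({iterations})"
    expected = hashlib.pbkdf2_hmac(prf, probe_password.encode(), salt, iterations, dklen=len(stored))
    if not hmac.compare_digest(expected, stored):
        return False, "stored value does not match PBKDF2 of the probe password"
    return True, "pbkdf2 verified"
```

The re-derivation step is what separates a real check from a badge-by-declaration: a site that merely claims PBKDF2 without applying it to the probe cannot produce a matching value.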

The solution is not bullet-proof – someone might expose a dummy Bcrypt endpoint, while still using plain-text passwords, but as noted in the docs – why would you not use functionality that you’ve already implemented for the sake of being “compliant”? In general, I think the effort on the side of developers, in order to expose the endpoint, is minimal.

The project is on GitHub. It’s written in Java, with Spring MVC. MongoDB is used as a database. It is currently deployed on OpenShift (RedHat’s PaaS) mainly because it’s easy to set up and is free. (Note: I obviously need a better designer to at least fix the badge and make the site less ugly, even though Bootstrap minimizes the chance for a developer like me to make a really ugly thing). Authentication on saltedhashed.com is done only via Mozilla Persona – third-party authentication which doesn’t require storing passwords on my end (something I’d actually recommend to all websites).

I’m trying to address a small, but important problem. I hope I’m helping improve the situation at least a little.
Reference: Verifying Secure Password Storage Externally from our JCG partner Bozhidar Bozhanov at the Bozho’s tech blog.
