Comments on: When you have to store user passwords… http://www.coffeepowered.net/2009/12/15/when-you-have-to-store-user-passwords/ code and content Tue, 24 Aug 2010 01:23:07 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: mobileAgent http://www.coffeepowered.net/2009/12/15/when-you-have-to-store-user-passwords/comment-page-1/#comment-282 mobileAgent Sun, 27 Dec 2009 13:41:17 +0000 http://www.coffeepowered.net/?p=203#comment-282 You might also like the lucifer plugin which has worked well for me in the past: <a href="http://github.com/jmckible/lucifer/" rel="nofollow">http://github.com/jmckible/lucifer/</a> You might also like the lucifer plugin which has worked well for me in the past: http://github.com/jmckible/lucifer/

]]> By: Chris http://www.coffeepowered.net/2009/12/15/when-you-have-to-store-user-passwords/comment-page-1/#comment-272 Chris Wed, 23 Dec 2009 02:42:56 +0000 http://www.coffeepowered.net/?p=203#comment-272 Absolutely. As I noted in the article, that won't protect you against a shell access compromise. Nothing can, really - if an attacker can get the same access to your code that your app can, he can get access to your key files or passphrases, unless you use a system where they're loaded into application memory and then removed from the filesystem (something like a USB key, for example). At that point, they'll have to resort to gdb, which is a somewhat tougher nut. ;) It will, however, protect you from simple SQL injection attacks resulting in the attacker gaining all of your customers' plaintext passwords. It's not a perfect solution by any means, but it is a first line of defense. Absolutely. As I noted in the article, that won't protect you against a shell access compromise. Nothing can, really – if an attacker can get the same access to your code that your app can, he can get access to your key files or passphrases, unless you use a system where they're loaded into application memory and then removed from the filesystem (something like a USB key, for example). At that point, they'll have to resort to gdb, which is a somewhat tougher nut. ;)

It will, however, protect you from simple SQL injection attacks resulting in the attacker gaining all of your customers' plaintext passwords. It's not a perfect solution by any means, but it is a first line of defense.

]]> By: Prefect http://www.coffeepowered.net/2009/12/15/when-you-have-to-store-user-passwords/comment-page-1/#comment-260 Prefect Thu, 17 Dec 2009 02:24:53 +0000 http://www.coffeepowered.net/?p=203#comment-260 It appears you are using AES encryption of the passwords, which would work well if all someone had was the output, for example the output of a database table of user credentials. Except in the rockyou.com case, the actor had shell access (read access to the code the application used, along with that key equals value). It appears you are using AES encryption of the passwords, which would work well if all someone had was the output, for example the output of a database table of user credentials.

Except in the rockyou.com case, the actor had shell access (read access to the code the application used, along with that key equals value).

]]>