Re: Regarding password management

On Fri, May 2, 2014 at 1:37 PM, Ian Jacobs <ij@w3.org> wrote:

>
> On May 2, 2014, at 10:43 AM, Eric Mill <eric@konklone.com> wrote:
>
> > Why aren't you able to share this information?
>
> Hi Eric,
>
> Thanks for writing to us.
>
> It is not our understanding that it is industry good practice to share
> details about password management.
>
> However, if you are aware of good practices in this area that you'd like
> to refer us to, we'd welcome the pointers. Thanks!
>

Sure. Sharing the methods one uses for password management is definitely an
industry best practice. Truly secure systems are secure even when every
aspect of their working is known.


Eric Lippert articulated this very well:

http://blogs.msdn.com/b/ericlippert/archive/2005/01/28/you-want-salt-with-that-part-one-security-vs-obscurity.aspx

"A strong authentication system should be resistant to attack even if all
of its implementation details are widely known. The time and resources
required to crack the system should be provably well in excess of the value
of the resource being protected.

"To put it another way, the weakest point in a security system which works
by keeping secrets should be the guy keeping the secret, not the
implementation details of the system. Good security systems should be so
hard to crack that it is easier for an attacker to break into your house
and install spy cameras that watch you type than to deduce your password by
attacking the system, even if all the algorithms that check the password
are widely known. Good security systems let you leverage a highly secured
secret into a highly secured resource."


And for the record, here's how a web app I manage (
https://scout.sunlightfoundation.com/) stores users' passwords:
https://github.com/sunlightlabs/scout/blob/master/app/models/user.rb#L164-L169

It uses BCrypt (http://bcrypt-ruby.rubyforge.org/), a widely used open
source encryption algorithm.

-- Eric


>
> Ian
>
>
> >
> >
> > On Thu, May 1, 2014 at 5:16 PM, Jérémie Astori <jeremie@w3.org> wrote:
> > Hi Eric,
> >
> > I am sorry but I am not able to share this information.
> >
> > Regards,
> >
> > Jérémie
> >
> >
> > On 29/04/14 11:35, Eric Mill wrote:
> > Please respond, here or publicly, with the password encryption and
> > salting methods that were in place for the passwords which were
> > improperly accessed.
> >
> > You need to give affected users the ability to gauge the severity of the
> > breach, and their course of action in response.
> >
> > -- Eric
> >
>
> --
> Ian Jacobs <ij@w3.org>      http://www.w3.org/People/Jacobs
> Tel:                       +1 718 260 9447
>
>
>
>


-- 
konklone.com | @konklone <https://twitter.com/konklone>
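The storage scheme Eric points to above, illustrated by an added example that is not the Scout app's own code. Because the bcrypt gem is a third-party library, this uses PBKDF2-HMAC-SHA256 from Ruby's standard OpenSSL library to show the same properties: a per-user random salt and a tunable work factor, both recorded in the stored string itself, so the whole method can be published without giving an attacker anything but the password to guess. The function names and record format are assumptions of this example.

```ruby
require 'openssl'
require 'securerandom'

# Self-describing password record: "$pbkdf2-sha256$<iterations>$<salt b64>$<hash b64>".
# Every parameter an attacker would need is stored in the open; only the
# password itself is secret, which is what lets the scheme be published.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
KEY_BYTES  = 32

def derive(password, salt, iterations)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_BYTES,
                             OpenSSL::Digest.new('SHA256'))
end

def hash_password(password, iterations: PBKDF2_ITERATIONS)
  salt = SecureRandom.random_bytes(SALT_BYTES) # fresh per user: equal passwords differ
  dk = derive(password, salt, iterations)
  ['', 'pbkdf2-sha256', iterations.to_s, [salt].pack('m0'), [dk].pack('m0')].join('$')
end

def parse_record(record)
  _, scheme, iters, salt_b64, hash_b64 = record.split('$', 5)
  raise ArgumentError, 'unsupported scheme' unless scheme == 'pbkdf2-sha256'
  { scheme: scheme, iterations: Integer(iters),
    salt: salt_b64.unpack('m0').first, hash: hash_b64.unpack('m0').first }
end

# Constant-time comparison so a wrong guess takes the same time regardless of
# how many leading bytes happen to match the stored hash.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verify_password(password, record)
  rec = parse_record(record)
  secure_equal?(derive(password, rec[:salt], rec[:iterations]), rec[:hash])
end

# What an operator can state publicly after a breach without weakening anything:
# the scheme and its work factor, so users can gauge how long cracking would take.
def disclosure_summary(record)
  rec = parse_record(record)
  "#{rec[:scheme]}, #{rec[:iterations]} iterations, #{rec[:salt].bytesize}-byte random salt"
end
```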

Received on Friday, 2 May 2014 19:42:37 UTC