  • A guide to designing Account Security Mechanisms

    The history of the Internet is rife with examples of compromises arising both from poor security hygiene and from misguided attempts to "make it more secure" without first considering the implications of the changes.

    In this post, I'll be detailing some of the decisions you should be making when designing account security and user management functionality.

    There's likely little in here that hasn't already been stated elsewhere, but I thought it might be helpful to put it all together in one post.

    The post itself is quite long, so headings are clicky links to themselves. For those with limited time, there's a Cheat Sheet style summary towards the bottom.

  • Implementing Secure Password Storage with PHPCredlocker and a Raspberry Pi

    Password storage can be a sensitive business, but no matter whether you're using PHPCredlocker or KeePassX, dedicated hardware is best. The more isolated your password storage solution, the less likely it is that unauthorised access can be obtained.

    Of course, dedicated hardware can quickly become expensive. Whilst it might be ideal in terms of security, who can afford to Colo a server just to store their passwords? A VPS is a trade-off - anyone with access to the hypervisor could potentially grab your encryption keys from memory (or the back-end storage).

    To try and reduce the cost, whilst maintaining the security ideal of having dedicated hardware, I set out to get PHPCredlocker running on a Raspberry Pi.

    This documentation details how to build the system. A Raspberry Pi Model B+ was used, but the Model B should be fine too.

  • Republished: Tips for fighting password theft

    Originally published on Benscomputer.no-ip.org Jan 2010.

    Password theft is a fast-growing business. In the age of the internet, a single word or phrase is often all you need to verify your identity. Unfortunately, this token is also all that someone else needs to adopt your identity and potentially commit fraud or criminal acts in your name.

    Everything seems to be online in this day and age, whether it's your bank, your mail or your shopping. Each of these requires a unique login to identify you. Unfortunately, usernames can be quite easy to come by; in fact, on many sites your username is public (eBay is a good example of this).

    So how do you protect yourself from this threat? Generally it simply requires a little bit of common sense. You wouldn't provide just anyone with a copy of the key to your house, so why do the same for your online persona?

  • Republished: Why you should never share Login Details

    Originally published on Benscomputer.no-ip.org Aug 2009.

    Anyone who works in IT in any form knows the headache: despite signing to say they won't, users insist on sharing their login details with everyone, whether it's because someone else can't remember their own username or simply because it's easier than logging out.

    On occasion it happens because the user didn't lock their desktop before walking away, and someone else happens to need to use a PC 'quickly'.

    We all know it, users just don't care about security. Why should they? It's 'Your' network to look after, not theirs. This article is aimed at that particular group to try and highlight exactly why they should care.

  • Understanding Password Storage

    I occasionally receive emails from people who have come across PHPCredlocker, and the question is usually the same: "Why are you storing passwords using reversible encryption?". Most emails are polite, some not so much, but they all have one thing in common: they assume that a commonly stated fact applies to all scenarios, and fail to apply the simple logic that would tell them the answer, namely that reversible encryption is the only way the system could work.

    In this post, we'll be briefly looking at some of the ways in which you can store credentials, and which of them are appropriate to use (and when), in the context of building an application (web or otherwise).

  • Why You Shouldn't be using SHA1 or MD5 to Store Passwords

    There are a lot of badly coded sites out there, and far too many sites still seem to be falling prey to SQL Injection vulnerabilities, resulting in a lot of high-profile leaks of user data.

    I wrote quite some time ago on The Importance of Salting Stored Passwords And How To Do So Correctly, but whilst the underlying message remains correct, the techniques for doing so have been outpaced by technology.

    Although still widely used, checksum algorithms such as SHA1 and MD5 are no longer sufficiently secure.

    In this post we'll be exploring why you shouldn't be using MD5/SHA1 and how you should be storing passwords.