Thomas Ptacek’s response to Jeff Atwood’s post on storing passwords securely is going in my bookmarks for posterity. This post, actually both posts, should be required reading for anyone building a secure web site.
Make that all developers, period. We should all have a basic understanding of how to store passwords securely, and how bad it can be if we don’t.
Some important lessons I learned:
- Never try to roll your own “cute” security algorithm or whatever. Just use the solutions professional cryptographers have spent their lives perfecting. Your little algorithm may remain uncracked for years, until one day your customers’ credit card numbers (or worse) start showing up on some web site in Bangkok.
- Always salt stored passwords before hashing to thwart rainbow table attacks.
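To make the two lessons concrete, here is an added example (mine, not code from either post) that stores a password with a fresh random salt and a standard, well-studied key derivation function from Python's standard library, then verifies it. The choice of PBKDF2-HMAC-SHA256, the iteration count and the record format are assumptions for illustration, not something the posts prescribe.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example only; a real deployment tunes
# ITERATIONS to its own hardware and raises it over time.
KDF_NAME = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: kdf$iterations$salt_hex$hash_hex."""
    # A fresh random salt per password is what defeats precomputed
    # (rainbow) tables: one table cannot be reused across users, and
    # two users with the same password get different stored records.
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{KDF_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare."""
    try:
        name, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        # Malformed record (wrong field count): treat as a failed login.
        return False
    if name != KDF_NAME:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time comparison: do not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def same_password_different_records(password: str) -> bool:
    """True if hashing the same password twice yields two distinct records."""
    return hash_password(password) != hash_password(password)
```

Because the salt and parameters travel with the record, the iteration count can be raised later for new or re-hashed passwords without breaking verification of old ones.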
This is good stuff.