2011-05-09

Protecting your users' passwords, no matter what type of service

The recent attacks on the Sony PlayStation Network showed that even the biggest of companies fail to uphold high security and to protect their users' information.

The most important part of an account is the username and password, since together they allow anyone to log in to that account and make purchases or other monetary transactions. It is also very important that the password is kept safe because it is very likely that the user reuses the same password for different sites and services.

If the attacker gets hold of the e-mail address along with the password, it is far from rare that she can use the same password to log in to the user's e-mail account. With a couple of searches through the mailbox it is then possible to get access to other accounts and to financial information.

So even if you are building a small system with limited functionality, and you think that your system won't be damaged much if an attacker breaches it, think again. If the attacker can get hold of just a couple of passwords she can probably use that information to get access to other services. If this is an internal corporate service you cannot take any risks either, since many attacks come from the inside.

Security-related algorithms are constantly replaced by newer, more secure ones, so when you are building a new service or web page that captures the user's password, make sure that it uses a current, recommended algorithm, and make sure the password is never stored in plain text.

At the time of writing SHA-256 is the recommended general-purpose hash function, and a new one called SHA-3 seems to be just around the corner. However, a general-purpose hash is designed to be fast, and fast is exactly what you do not want for passwords: an attacker who steals your database can try billions of SHA-256 guesses per second on commodity hardware. Passwords should instead go through a deliberately slow, salted password hashing function such as PBKDF2, bcrypt or scrypt, with a work factor tuned so that one hash costs your server tens of milliseconds. And when you hash your users' passwords, do not forget the salt: a random value, unique per user, stored alongside the hash. Without it two users with the same password get the same hash, and a single precomputed table cracks every account at once.
