
I am currently reading a book on PHP/MySQL. I'm mainly interested in the hashing of passwords. The cleartext is converted into "gibberish" by md5/sha1 or some hash function and stored in the database. Fine I get that. Hackers, even if they gain access to the database still have the problem of finding the cleartext.

My question (which I hope isn't stupid) is, on most (or all come to think of it) websites that have user passwords, if the user forgets his/her password then the web admin will send it to the user's email. Ok, but how does the web admin have the cleartext password?

  • Do you use any of the websites that have login/password? Which one do you find most appealing regarding password recovery policy? Find one and emulate on that - and ask specific questions then - your current question is too philosophical and speculative... – Daniel Mošmondor Aug 11 '11 at 12:47
  • @Daniel "how does the web admin have the cleartext password?" is hardly a philosophical question, but yes it is speculative. However there are only so many ways they can have the password as cleartext... I can think of 3. – Adam Houldsworth Aug 11 '11 at 12:49
  • Unfortunately the question was quite stupid, as websites don't give users their cleartexts. For some reason I assumed they did. –  Aug 11 '11 at 12:52
  • @Adam - yeah, the question is fine, but it provokes not to answer it but to point out in another direction. For example, "what is the BEST HEX EDITOR for writing c# code?" would be similar to this. – Daniel Mošmondor Aug 11 '11 at 12:55
  • @Daniel well, I answered it with what I would hope normally happens when a website can provide you with your password. I think your analogy is a little off. I believe this question was entirely answerable, though you tend to get "most websites I know don't do this", or "he shouldn't!" - which is technically dodging the question. – Adam Houldsworth Aug 11 '11 at 12:56

6 Answers


In cases where the password can be sent back to you, it has not been hashed - it has (hopefully!) been encrypted. Hashing is not a reversible action, in a broad sense. Once hashed, the only way to compare something to it is to hash that something in the same way and see if the hash is the same. You can never really "unhash" it.

In summary, it shouldn't be in cleartext. If they have it and can send it to you, it should be encrypted. Whether they should even keep an encrypted version is a point for a security consultant to debate. That said, it could be in cleartext. At the end of the day there is nothing special about "passwords", they are just character strings and can be stored as such - however because they form important keys to secure things, you hope they are handled properly.

The common way people think it should be done is to salt and hash it. I'm of the opinion this is the best commonly available way, if your hashing algorithm is good. There are things to be aware of, but it's way beyond the scope of this answer.

Best way to store password in database

Alarming story:

I once had a customer service representative from a broadband provider in the UK tell me what my password was... I get a little sketchy when people store my password in a reversible format, I get very concerned when they allow that password to be seen by customer service people, who are a point of weakness in secure systems. I have since left this provider for that very reason.

Adam Houldsworth

I don't think I've ever seen a web site that does that. Normally what they'll do is send you a link which, when you click it, resets your password and sends you to a page where you must enter a new one. Some sites will send you a temporary password and urge you to change it. Note that in both cases, the web site doesn't need to have the original cleartext.

If I clicked a password reset link and was sent my original password in cleartext, I'd have a very low opinion of that web site!

Ernest Friedman-Hill
  • Come to think of it. I think you are right. They usually send a default one, right. I'm pretty sure I have seen my password sent back to my email from one or two sites though. –  Aug 11 '11 at 12:44
  • @JJG - in which case, they're probably not using a hash (you wouldn't do both) – KevinDTimm Aug 11 '11 at 13:02
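As an added example (not code from any of the answers), a Python sketch of the two points made above: the site stores only a per-user salt plus a PBKDF2 hash, and password reset works with a single-use, expiring token whose hash alone is stored, so the cleartext password is never needed. The in-memory dicts are constructed stand-ins for the database tables.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory "database" (assumption: a real app keeps these
# columns in MySQL). Only salt + hash and the token hash are ever stored.
USERS = {}                 # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}          # sha256(token) hex -> (username, expires_at)
ITERATIONS = 200_000       # PBKDF2 work factor
TOKEN_TTL = 15 * 60        # reset links expire after 15 minutes

def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(username, password):
    salt = os.urandom(16)                      # fresh random salt per user
    USERS[username] = {"salt": salt, "hash": _derive(password, salt)}

def verify_login(username, password):
    rec = USERS.get(username)
    if rec is None:
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(rec["hash"], _derive(password, rec["salt"]))

def issue_reset_token(username, now=None):
    """Return the secret to embed in the e-mailed link; only its hash is stored."""
    if username not in USERS:
        return None                            # unknown user: nothing to e-mail
    if now is None:
        now = time.time()
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[token_hash] = (username, now + TOKEN_TTL)
    return token

def reset_password(token, new_password, now=None):
    """Consume the token and set a new password; the old one is never needed."""
    if now is None:
        now = time.time()
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(token_hash, None)  # single use: removed on first try
    if entry is None:
        return False
    username, expires_at = entry
    if now > expires_at:
        return False
    register(username, new_password)           # new salt, new hash
    return True
```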

All good websites don't send a password but a link to set a new password. That allows them to avoid cleartext passwords.

Karel Petranek

He can't - if you use a website that has the functionality of sending you your own password, you should consider switching to another site as this one is simply not secure and stores passwords in cleartext. The only functionality that should be available is resetting the password to some random value.

kstaruch

The web admin can provide you back your cleartext password only if either his hashing algorithm is weak, he has a way of retrieving your cleartext password, and has the capability to send you one back. Of course, if the password isn't hashed at all, then it's quite easy to send back your cleartext password. But why would you want one? As suggested by kstaruch, switch to another site since such a site is very insecure.

If the user forgets his password, then give the user an option to reset his password. And of course, before you give him that option, make sure to validate his identity first (maybe secret questions).

stacker

You WON'T store any password in clear-text or any form of the symmetrically encrypted password, unless you are targeting to be as popular as SONY someday.

First:

http://www.engadget.com/2011/04/26/sony-provides-psn-update-confirms-a-compromise-of-personal-inf/

Then:

How should I save my password?

ALSO:

you should try to HASH the password at the client side, unless you are using the HTTPS protocol, which could be overkill, but try to find some JavaScript HASH function that will enable you to send a hash of the password to the server for verification.

Daniel Mošmondor