On Passwords

Jason — Sun, 21 Mar 2010 10:00:11 +0000

On a recent episode of The Dev Show Dan and I talked about passwords. In particular, the topic of password hashing came up. I’d like to say up front that I’m not a security guy and most definitely not a cryptographer. However, I don’t have to be because there are much smarter people who have already done a lot of work on encryption schemes and have done it much better than I ever could.

Above: discussion of best practices in passwords.

This should go without saying: you shouldn’t be storing your passwords in plain text in your database. Unless you need to be able to retrieve the password later, it should be stored in the database in a hashed format. Thomas Ptacek, a very highly respected security professional, explains all you need to know about passwords in this blog post. I’ll save you the trouble of reading the whole thing: just use bcrypt as your encryption scheme. It’s the slowest to generate the encrypted hash. By virtue of being slow to generate, it would also take a very long time to perform a successful lookup using rainbow tables. See that blog post linked for much more information and a thorough explanation.

Just how much longer does it take to generate? The following is a quick ruby program I whipped up to benchmark. It uses each encryption scheme to generate a password 50 times. The following was how long it took to run on my macbook using ruby 1.9.1-p378. You can grab the script here if you’d like to run it locally. It contains absolutely no tests which makes my inner Corey Haines frown:

  Password to hash: password
                    user     system      total        real
  MD5           0.000000   0.000000   0.000000 (  0.001443)
  SHA1          0.000000   0.000000   0.000000 (  0.001679)
  SHA256        0.000000   0.000000   0.000000 (  0.001308)
  bcrypt (3)    0.080000   0.000000   0.080000 (  0.086532)
  bcrypt (10)   4.550000   0.010000   4.560000 (  4.601996)

The differences between the (3) and (10) are the "cost" of generating the password. The documentation for the bcrypt gem summarizes that very well:

Takes an optional :cost option, which is a logarithmic variable which determines how computational expensive the hash is to calculate (a :cost of 4 is twice as much work as a :cost of 3). The higher the :cost the harder it becomes for attackers to try to guess passwords (even if a copy of your database is stolen), but the slower it is to check users’ passwords.

But I’m getting off topic. The reason I wanted to write this post was to create a list of popular open source software and see what kind of passwords hashing schemes are in use. Here’s the list I’ve compiled so far:

Django
Encryption Scheme: SHA1, MD5, or crypt
Notes: Previous Django versions, such as 0.90, used simple MD5 hashes without password salts. For backwards compatibility, those are still supported; they’ll be converted automatically to the new style the first time check_password() works correctly for a given user. More info:
http://docs.djangoproject.com/en/dev/topics/auth/
http://docs.python.org/library/crypt.html
MySQL
Encryption Scheme: Double SHA1
WordPress
Encryption Scheme: PHPass
Notes The awkwardly named PHPass library defaults to bcrypt (awesome) and falls back to DES or MD5 based salted hashes depending on the php version and supported features.
Expression Engine
Encryption Scheme: SHA1
Joomla
Encryption Scheme: MD5
phpBB
Encryption Scheme: Proprietary hash method using /dev/urandom and md5
ASP.Net Authentication
Encryption Scheme: Uses a concept of "providers".
Notes: There’s a BCrypt open source option available.
Rails: restful-authentication
Encryption Scheme: SHA1
Notes: This was the defacto standard for a long time in the Rails world as far as authentication goes. Changing the encryption scheme in an application would be a relatively painless process.
Rails: Authlogic
Encryption Scheme: bcrypt, aes256, md5, sha1, sha256, sha512
Notes: This is configurable to any of the listed options. Default is SHA512. The author doesn’t recommend using MD5 or SHA1 in the README but provides the options for migration and compaitiblity. How awesome is that?
Drupal
Encryption Scheme: MD5 by default
Notes: Christefano points out in the comments that MD5 is used by default but PHPass and AES are available via third party modules.

If you don’t see your favorite software here, either leave it in the comments or contact me and I’ll add it to the list. These are in no particular order, so I’m not trying to favor anything in particular (though we all know I’m mostly a Ruby developer).

Delicious Digg This Post Facebook Reddit This Post

No related posts.

Using Concentrate for the Pomodoro Technique on OS X

Jason — Mon, 08 Feb 2010 20:21:28 +0000

Concentrate is a Mac only app. It lets you do a number of things like block web sites, launch apps, play sounds, etc. Combinations of these things can be configured to go on for varying amounts of time. I use it for the Pomodoro Technique when programming. Corey Haines introduced me to Tomatoist when I paired with him during one of his journeyman tours. While that site is awesome, I prefer using the Mac app to force eliminate distractions.

The Pomodoro Technique

The root of the idea is that you program for 25 minutes straight and then break for 5 minutes. This seems like a pretty simple idea but when you’re working by yourself things can happen. For example, maybe you want to send a quick email to someone but want to refer to something in their Facebook account you can’t quite remember. So then you look it up. While looking it up you notice something else interesting by another one of your friends and the distractions start. By the end of the distractions you’ve ordered enough parts for a fully functional robot suit off eBay. If you only had 5 minutes to do this stuff, maybe that wouldn’t have happened.

Setting Up Concentrate

Concentrate is actually a very simple application to use. Click on the “New Activity Button” and set your options. I called mine "Program Pomodoro." It’s set to block any site that could potentially distract me, Growl a message, and play a sound on completion. The typical Pomodoro technique lasts 25 minutes so drag the location slider over until you see 25 minutes. Boom, good to go. Now you can’t look at anyone’s Facebook account or respond to any threads on hacker news for a good 25 minutes. You’ll get to that during your break.

The next task you’ll want to set up is the break. This is the most rewarding task. I just have this one Growl a message ("Get back to work!") and play a sound when it’s done. The duration slider should be set to 5 minutes.

Get To It!

That’s about it. It’s simple software and well worth the $30 to eliminate distractions. I use it only for those two techniques listed above and have been very happy. Special thanks to Corey Haines for introducing me to the Pomodoro technique.