How easy it is to make a security mistake

Posted 2015-03-27 15:21:52

Today I will give an example of how easy it is to make mistakes when it comes to website security.
It is a standing recommendation NOT to invent your own security system but to use what is already around.
For example, there are several PHP implementations of Bcrypt that can easily be found using Google and downloaded for free.

Use Bcrypt instead of inventing something of your own!

The guy writing this tutorial makes a mistake in the password checking algorithm which makes the setup a lot weaker than expected.

The intention as written in the tutorial was to use both sha1 and md5 to secure the password. But for some reason the password is stored in the SQL database using only sha1. Md5 is used only when checking the password, as in the following pseudo code.

md5(sha1($password_from_login_request)) == md5($sha1_hashed_password_from_database)

So what is wrong here? Well, why do we store a password hash in the database instead of storing the password itself? The attack we try to mitigate is this: if some hacker gets hold of the database, the hacker should not be able to retrieve the passwords. Using double hashing like sha1 and then md5 is much better than just using sha1 or md5. But even better would be to use bcrypt.

Anyway, since the password is stored using only sha1, if an attacker gets hold of the database it is only the sha1 hash that protects it, not the sha1 and md5 as was intended.
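The storage and check described above, next to a bcrypt replacement, as an added example that is not code from the tutorial. The function names and the sample password are constructed for illustration; it assumes PHP 7 or later, where password_hash() and password_verify() are built in.

```php
<?php
// Added example: function names and the sample password are constructed.

// The tutorial's scheme as described: what is written to the database.
function flawed_store(string $password): string {
    return sha1($password);            // only SHA-1 ever reaches the database
}

// The tutorial's scheme as described: the login check from the pseudo code.
function flawed_check(string $password, string $stored): bool {
    // md5() is applied to both sides at compare time only, so it adds
    // nothing to the protection of the value sitting in the database.
    return md5(sha1($password)) == md5($stored);
}

// Replacement: bcrypt through PHP's built-in password API.
function bcrypt_store(string $password): string {
    // Generates a random salt and embeds salt and cost in the returned string.
    return password_hash($password, PASSWORD_BCRYPT);
}

function bcrypt_check(string $password, string $stored): bool {
    // Re-derives the hash using the salt and cost stored in $stored.
    return password_verify($password, $stored);
}

$password = 'correct horse battery staple';   // constructed sample input

// Flawed scheme: the stored row is a bare, unsalted SHA-1 of the password,
// and the login check still succeeds, which is why the mistake goes unnoticed.
$row = flawed_store($password);
var_dump($row === sha1($password));
var_dump(flawed_check($password, $row));

// bcrypt: the same password hashed twice gives two different stored values
// because each call uses a fresh salt, and both still verify.
$first  = bcrypt_store($password);
$second = bcrypt_store($password);
var_dump($first !== $second);
var_dump(bcrypt_check($password, $first));
var_dump(bcrypt_check($password, $second));
var_dump(bcrypt_check('wrong guess', $first));
```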

There are two lessons to take from this, one for the writers of tutorials and one for all of us reading these tutorials. First, if you write tutorials, don't write about website security unless you know for sure that you know what you are talking about. There is a great risk that you spread false information and actually contribute to making the web a less secure place. And that is BAD!

And to you who read tutorials, don't trust anything related to security unless you can get it confirmed from several sources. This means that you have to read quite a lot to get correct and confirmed information regarding website security.

That's all for today, thanks for reading and hope to see you again soon.