A bit of a ruckus has arisen over the purported breach of security at the groupthink site Reddit.
It seems that the Reddit folks were storing users' passwords in plaintext, so a recent data loss or integrity compromise of some sort has them warning users to change their password just in case their backup tape -- if that story is right -- gets into the hands of the desperate-for-high-karma-Reddit-accounts drug cartels.
Many are calling this a blatant mistake on the part of the Reddit crew, declaring that passwords should never be stored in plaintext. The Reddit crew and their defenders have stated that the plaintext passwords are kept so they can email the password back to the user, which is a tenuous argument, but I suppose they went for the KISS model (which is pretty much the modus operandi of Reddit: they recently rolled out a CAPTCHA implementation that is laughably vulnerable out of the gate, but it is the simplest implementation possible).
What is most disturbing to me, however, are the declarations that this is much more of a problem than Reddit alone. People are crying foul because they believe that their bank accounts, email accounts, and other online accounts are vulnerable now that the Reddit user database might be in the wild.
NEVER USE THE SAME PASSWORD ON MULTIPLE SITES.
At worst share passwords among throw-away type sites like Reddit. Never share passwords between sites that actually matter.
Let's say that Reddit actually did hash the password -- debatable if it's necessary for that site, and I have advocated advanced techniques for doing this before -- why in the world would you trust the folks at Reddit with this secret (all the hashing in the world does nothing if the people who are doing the hashing have nefarious motives)? Why would you trust the people who man their data centers, or the people who share machines with them or handle their backup tapes or provide their internet services?
There is no credible reason why a shared password in the hands of Reddit alone -- even if they cross-their-heart promised to hash it -- should give comfort to someone who reuses the same password on sites of value. That is absolute insanity, and it is a very dangerous practice.
It's far more disturbing to me that people worry about more than their Reddit account in this situation.
If you must "reuse" passwords, use one of the many utilities available to hash your name or email address with the target site domain on the client side (for that particular one -- note that it's just one of hundreds available -- you can use their website or their Firefox or IE 6/7 extensions), actually generating a unique password for each site while only having to remember one password on your end. There are many clever implementations, but the one linked here, for instance, allows you to preface passwords with @@, and it automatically does client-side, site-specific hashing, meaning that your shared secret isn't dangerously shared with the people at random internet sites.
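To make the @@ convention concrete, here is an added example (my own code, not the linked utility's) of how such a client-side tool works: the typed password is only transformed when it starts with @@, the master secret behind the prefix is combined with the site's hostname through an HMAC, and the site only ever receives the derived value. The hostname normalization, the HMAC-SHA256 construction and the 16-character base64 output are my assumptions; the real tools use their own hashing and encoding.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

PREFIX = "@@"  # typed password starting with this is transformed client-side


def site_key(url: str) -> str:
    """Reduce a URL or bare domain to a lowercase hostname.

    Assumed normalization: https://www.Example.com/login, example.com:443 and
    example.com all map to "example.com", so the user gets one password per site.
    """
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    if host.startswith("www."):
        host = host[4:]
    return host


def derive_password(master: str, url: str, length: int = 16) -> str:
    """Derive a site-specific password from the master secret and the site name.

    HMAC-SHA256 keyed with the master secret (assumed construction): a site that
    leaks its copy of the derived value learns nothing about the master secret
    or about the values derived for other sites.
    """
    mac = hmac.new(master.encode("utf-8"),
                   site_key(url).encode("utf-8"),
                   hashlib.sha256).digest()
    # base64 yields letters, digits and a few symbols; fixed length keeps it
    # acceptable to most site password rules
    return base64.b64encode(mac).decode("ascii")[:length]


def transform(typed: str, url: str) -> str:
    """Apply the @@ convention to whatever the user typed into a password field.

    "@@secret" becomes the site-specific derivation; anything without the
    prefix is passed through unchanged so ordinary logins keep working.
    """
    if not typed.startswith(PREFIX):
        return typed
    return derive_password(typed[len(PREFIX):], url)


if __name__ == "__main__":
    # constructed sample: the same master secret yields different site passwords
    for site in ("https://www.reddit.com/login", "example.com"):
        print(site, "->", transform("@@correct horse", site))
```

The flip side a practitioner should keep in mind: the derived passwords are only as strong as the master secret, and rotating one site's password means changing the master or adding a per-site counter to the input.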