[conspire] Password storage (was: Conspire Hey!)
Rick Moen
rick at linuxmafia.com
Thu Nov 15 16:16:38 PST 2012
I cited:
> http://www.wired.com/threatlevel/2012/07/yahoo-breach/
>
> Report: Half a Million Yahoo User Accounts Exposed in Breach
> By Kim Zetter
> 07.12.12, 12:19 PM
Looking closer, one sees: Article claims that intruders stole a set of
0.5M passwords all at once, via a SQL injection against a back-end
database server against Internet blog site 'Yahoo Voices' (formerly
named 'Yahoo Associated Content'), which permitted retrieving a huge
SQL table of Yahoo username/password pairs.
There are a couple of interesting parts of that.
1. Yahoo wasn't bothering to do input sanitising. If random stranger can
hit your Web site with funny-looking HTTP queries from the public
Internet containing SQL commands _and_ the Web site moronically accepts
those commands and passes them along to a security-sensitive back-end
database _and_ the SQL Web site then cheerfully sends back sensitive
information to nobody-in-particular, then, as the saying goes, You're
Doing It Wrong.
2. (worse) Yahoo was storing sensitive passwords in _plaintext_.
You never, never, ever do that. That's a chump error. (If you are able
to get security-sensitive passwords[1] looked up and mailed to you, for
example, then somebody is making a chump error with your data.)
In Unix, we store password hashes generated with strong symmetric
encryption. And, because that's not good enough, the passwords use
'salting'[2] to hinder bulk-decrypting.
Yahoo said it responded to news of that _particular_ password breach
by resetting all of the revealed passwords and notifying users (last
July). _However_, the point is that the company has obviously been
having problems and has made at least one serious security-design
blunder.
[1] No, your subscription password on a Mailman mailing list is not a
security-sensitive password -- and you are advised of this when you
join and any time you change it.
[2] https://en.wikipedia.org/wiki/Salt_(cryptography)