Hi Andrew, Thanks for expressing your concern. Our method of dealing with passwords strikes a balance between convenience and security. In particular, we have elected to use reversible encryption in order to allow a "password reminder" feature. Using one-way (salted) hashing prevents this, allowing only a password reset. Deciding which method to use is a matter of judgment. It is our experience that many users find password resets confusing, and in most cases prefer the convenience of password reminders despite the slightly increased risk.
Our method of dealing with passwords is not as dangerous as you suppose, since an attacker would need both the RSA keys and the MySQL database, as well as the know-how to perform the decryption. Though not insurmountable, this is a higher barrier than simply needing the Rails directory, and the passwords would not be "immediately available" since they are encrypted in the database and are only decrypted when needed for logins and password reminders. As you guessed, compromising the passwords would require an actual server breach, so issuing a caveat in the documentation to the effect that "bad things can happen in the event of a compromised server" seems like an overreaction.

As far as looking for guidance is concerned, the security design used by Insoshi does a service by showing how to combine the convenience of password reminders with the security of strong server-side password encryption. If you have greater security needs, the "best practice" of using one-way hashes is widely available as part of the restful_authentication plugin. (I put "best practice" in quotes because such approaches are often overly conservative, doing security the "right way" without an appreciation of the inevitable tradeoff between security and convenience.)

As always, we are open to suggestions. Switching to salted hashes would make migrating existing installations annoying, but the implementation itself would be easy. (In fact, restful_authentication uses salted hashes by default; it took quite a bit of work to get reversible hashing to work in order to enable password reminders.) If community members feel strongly that we should sacrifice password reminders for the increased security of one-way hashing, please let me know and we will consider migrating to that method in a future Insoshi release.
Best wishes,
Michael

On Thu, Jun 26, 2008 at 6:14 AM, Andrew France <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I follow the development of Insoshi from Github as I find it
> interesting how other people accomplish things in Rails. I'm generally
> impressed by the code structure and techniques but I believe the way
> passwords are stored is a grave problem.
>
> As far as I can tell with the current password encryption system, if
> the host server is compromised (specifically, an attacker accesses the
> rails directory) every single password is immediately available.
> Admittedly you are going to have lots of other problems if that
> happens but even if the attacker adds code to transmit entered
> passwords the damage would be a fraction of releasing every password.
>
> Sending passwords in plaintext back over e-mail is also a bad practice
> as it is likely to significantly decrease the time required for an
> attacker to compromise all of a user's accounts given the common
> practice of password reuse.
>
> Please consider using salted hashes or something like the ruby-bcrypt
> module. I am particularly concerned because I expect there are many
> other programmers like myself who look at the Insoshi project for
> ideas and guidance and they take away this dangerous method. At least
> a mention of the significant caveat in the documentation would go a
> long way.
>
> Best regards,
> Andrew

--
Michael Hartl
Insoshi social software
http://insoshi.com/
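As an added example (not Insoshi's or restful_authentication's code), here is the one-way salted hashing Andrew proposes together with the password-reset flow that replaces a reminder, using only Ruby's standard library; the user record is a constructed in-memory Hash standing in for the MySQL row, and the iteration count and token lifetime are assumed values.

```ruby
require 'openssl'
require 'securerandom'
require 'digest'
# Added example (not Insoshi's code): one-way salted password hashing with
# PBKDF2-HMAC-SHA256 from Ruby's stdlib, plus the password *reset* flow that
# replaces the "password reminder" reversible encryption was chosen to allow.
module PasswordStore
  ITERATIONS = 100_000
  KEY_LEN = 32
  RESET_TTL = 3600 # seconds a reset token stays valid (assumed value)
  # Stored form "iterations$salt_hex$hash_hex"; the salt is random per user,
  # so two users with the same password get different records.
  def self.hash_password(password)
    salt = SecureRandom.random_bytes(16)
    [ITERATIONS, salt.unpack1('H*'), derive(password, salt, ITERATIONS).unpack1('H*')].join('$')
  end

  # Recomputes the hash with the stored salt and compares in constant time.
  def self.verify_password(password, stored)
    iters, salt_hex, hash_hex = stored.split('$')
    secure_equal?(derive(password, [salt_hex].pack('H*'), iters.to_i), [hash_hex].pack('H*'))
  end

  # Reset instead of reminder: only a SHA-256 of the one-time token is kept in
  # the user record, so reading the database does not yield a usable token.
  def self.issue_reset_token(user, now: Time.now)
    token = SecureRandom.urlsafe_base64(32)
    user[:reset_digest] = Digest::SHA256.hexdigest(token)
    user[:reset_expires_at] = now + RESET_TTL
    token # delivered out of band (e.g. an e-mail link), never stored in clear
  end
  # Accepts the token once, before expiry; on success stores the new hash.
  def self.redeem_reset_token(user, token, new_password, now: Time.now)
    digest = user[:reset_digest]
    return false if digest.nil? || now > user[:reset_expires_at]
    return false unless secure_equal?(digest, Digest::SHA256.hexdigest(token))
    user[:password_hash] = hash_password(new_password)
    user[:reset_digest] = user[:reset_expires_at] = nil # single use
    true
  end
  def self.derive(password, salt, iters)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iters, KEY_LEN, OpenSSL::Digest.new('SHA256'))
  end
  # Constant-time comparison: does not stop at the first differing byte.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Because only the salted hash and the token digest are ever written to the database, a copy of the MySQL data (with or without the application directory) gives an attacker nothing to decrypt, which is the property Andrew asks for.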
