Does your website store account passwords correctly? Would you tell everyone on the internet how you do it? Michal Špaček explains why you should and how to get an A+ grade from the Password Storage project.
We discuss hashing algorithms and the technology behind storing passwords securely. Learn why a company that follows the technical best practices might still not earn an A grade if it has no public disclosure of how it stores passwords, or if it relies on an Invisible Disclosure.
We compare the Password Storage project to other fantastic security tools, including SSL Labs and Mozilla Observatory.
Michal outlines how the grading criteria will change in the short term, highlights the desire to get more companies included in the data set, and contemplates how the project will continue to grow over time.
This episode was initially published in August 2019, the 5 year anniversary of Michal’s talk at BSides Las Vegas 2014, which planted the seeds that eventually grew into the Password Storage project. Happy birthday, Password Storage!
Social media & website
- Michal launched Password Storage at BSides Las Vegas in 2016. You can see the slides from his talk here.
- Bruce K. Marshall is a researcher and consultant dedicated to improving the application of authentication technologies, products, and good practices. He founded PasswordResearch.com to better share the password information he was collecting.
- You can find Bruce on Twitter @PwdRsch.
- Michal wrote an article titled “Upgrading existing password hashes” that explains how to gracefully migrate passwords hashed with a legacy algorithm to a secure and modern algorithm.
- To get your website listed in the Password Storage project, check out the FAQ.
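The upgrade pattern behind the “Upgrading existing password hashes” article, as an added example that is not code from the article or from the Password Storage project: every stored legacy hash is wrapped in a modern slow hash in one offline pass (so no account is left with a fast, unsalted hash while waiting for its owner to log in), and the wrapper is then replaced by a direct modern hash the next time the user authenticates with the plaintext password. The example assumes a legacy store of unsalted MD5 hex digests and uses scrypt from Python's standard library as the modern algorithm purely because it needs no third-party package; the `$scheme$salt$digest` storage format, the `scrypt-md5` scheme tag and the `LEGACY_USERS` sample data are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed sample: the legacy scheme stores an unsalted MD5 hex digest per user.
# (Sample password chosen for the example only.)
LEGACY_USERS: Dict[str, str] = {
    "alice": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

# scrypt work factors (assumed values for the example; tune for your hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def scrypt_hash(secret: bytes, salt: bytes) -> bytes:
    return hashlib.scrypt(secret, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def encode(scheme: str, salt: bytes, digest: bytes) -> str:
    """Self-describing record: the scheme tag tells verify() which algorithm chain to run."""
    return "$%s$%s$%s" % (scheme,
                          base64.b64encode(salt).decode(),
                          base64.b64encode(digest).decode())


def decode(stored: str) -> Tuple[str, bytes, bytes]:
    _, scheme, salt_b64, digest_b64 = stored.split("$")
    return scheme, base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def hash_new_password(password: str) -> str:
    """Target scheme: scrypt over the plaintext with a fresh random salt."""
    salt = os.urandom(16)
    return encode("scrypt", salt, scrypt_hash(password.encode(), salt))


def wrap_legacy_hash(md5_hex: str) -> str:
    """Offline migration step: scrypt over the *existing* MD5 digest.

    No plaintext is needed, so the whole table can be converted at once and
    the weak MD5 values deleted immediately.
    """
    salt = os.urandom(16)
    return encode("scrypt-md5", salt, scrypt_hash(md5_hex.encode(), salt))


def migrate_store(legacy: Dict[str, str]) -> Dict[str, str]:
    return {user: wrap_legacy_hash(md5_hex) for user, md5_hex in legacy.items()}


def verify_and_upgrade(stored: str, password: str) -> Tuple[bool, str]:
    """Check a login attempt; on success, return the record the store should keep.

    For a wrapped legacy record the plaintext is now available, so the
    returned record is a direct scrypt hash and the MD5 layer disappears.
    """
    scheme, salt, digest = decode(stored)
    if scheme == "scrypt":
        candidate = scrypt_hash(password.encode(), salt)
    elif scheme == "scrypt-md5":
        inner = hashlib.md5(password.encode()).hexdigest()   # reproduce the legacy step
        candidate = scrypt_hash(inner.encode(), salt)
    else:
        raise ValueError("unknown password hash scheme: %r" % scheme)

    if not hmac.compare_digest(candidate, digest):          # constant-time comparison
        return False, stored
    if scheme != "scrypt":
        return True, hash_new_password(password)            # opportunistic rehash on login
    return True, stored


if __name__ == "__main__":
    store = migrate_store(LEGACY_USERS)
    ok, record = verify_and_upgrade(store["alice"], "correct horse battery staple")
    print(ok, decode(record)[0])                            # True scrypt
```

The one check to keep in mind when running this against a real table: the wrapped `scrypt-md5` records are only as strong as the MD5 preimage plus the scrypt cost, so they are a stopgap, and accounts that never log in again keep that tag forever. Reporting how many records still carry the legacy tag is the natural way to track the migration's progress.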
What is The All Things Auth Podcast?
Every 2 weeks, Conor Gilsenan hosts a conversation with creators, researchers, founders, and advocates who are working to improve the usability of security and privacy technologies.
Guests share what they are currently working on, how they got to where they are today, who they are trying to help, and what keeps them motivated to overcome challenges along the way.
The goal is for the rest of us to learn from their experiences and go on to promote usable security and privacy within our own projects and organizations.