Saturday, May 5, 2018

Security of passwords

Thanks to Twitter, I had to spend about an hour yesterday changing various similar passwords on a whole slew of sites. While a pain in the neck, probably wasn't a bad thing for me to do.

You may wonder if MyFlightbook suffers the same problem. The answer is "no."

I'll get into some more technical details at this point, so everything that follows is really only interesting if you care about such arcana.

Like Twitter (and industry standard), passwords on MyFlightbook are "hashed" before being saved into the database. That is, a one-way encryption operation is performed, which is mathematically non-reversible.  (Generally this involves "salting", which adds data to the password, and other one-way mathematical functions from which you can't derive the inputs given the output.  In MyFlightbook's case, I use the HMAC SHA1 hash.) 

The result of this operation is what's stored in the database; your password is NOT recorded anywhere on the website.  This is why if you lose your password, I can reset it for you, but I cannot recover it for you.

When you sign in, I perform the same operation on the password that you provide and compare the result from that with what's in the database to see if it's a match. Twitter's bug was that they logged the password in a file somewhere before doing the hash; MyFlightbook doesn't ever store this.

The mobile apps (iOS and Android) are slightly different in that they do keep your password on the device; they do this in order to periodically re-authenticate on your behalf, or to sign-in to the website.  On these devices, however, the operating system provides a secure/encrypted "sandbox" in which the app plays.  In other words, if somebody had a hack that could penetrate into the sandbox, then access your MyFlightbook password would be the least of your problems.

For most operations, the mobile apps do not need to send the password to the server.  Instead, when you authenticate, they provide your email/password to the server, which then sends back a "token" that says "you're authenticated."  Subsequent operations like uploading flights or retrieving totals then pass that token to the server, which accepts it as proof of identity.  The apps periodically refresh their tokens.

It's important to note that ALL communication that includes a password is always over a secure channel (https), whether this is using the web site or a mobile app.  This ensures that your password cannot be sniffed.

There are some places where the mobile apps need to send you to the website, and must authenticate you in doing so.  In these cases, it passes your email and password to the website over a secure channel, which then redirects you (removing the password) to the requested page.  For example, if you are using the mobile app and want to view your progress towards a given rating, the app will pass your email and password to the website, which will authenticate you and then switch over to the Ratings Progress page, stripping your email/password.  All of this is over https, so stripping it is unnecessary to avoid snooping, but stripping it also means that it won't be exposed in the URL of the page being viewed.

No comments:

Post a Comment