Passwords, salt and cookies

Created 18th September, 2007 06:59 (UTC), last edited 18th September, 2007 07:38 (UTC)

So far I know a few things about the in-database password based authentication in FOST.3™¹ [1FOST.3™ supports a few other authentication schemes which are more secure.]:

  1. Storing passwords as clear text is a terrible idea. We don't do that (any more).
  2. The scheme we're using (with a GUID as the salt and a SHA1 hash) is not as good as it could be, but probably better than most people use.

As Thomas Ptacek says, the scheme used makes rainbow table attacks useless, but it does nothing to stop brute force attacks on weak passwords (despite what Jeff Atwood thinks).

What nobody seems to have discussed so far is what you put in the cookie. I think that an extra round of SHA1 would be good (maybe with an extra salt and possibly including the IP number in the hash), but I suspect a random string might be better (although getting a true random string from a computer is not easy).

What I do know for sure though is that although I'm not qualified to come up with a proper scheme, the current practice of putting the password in the cookie is an awfully bad idea.