Having spent today reading The definitive guide to form-based website authentication, I can understand Paul’s reaction after digesting an article that was written nearly 12 years ago.
Skipping all of the hype, a password has 3 states (2 if ‘remember me’ is not utilised), namely:
- sending
- storing
- remembering
Sending
This is what the article states:
Unless the connection is already secure (that is, tunneled through HTTPS using SSL/TLS), your login form values will be sent in cleartext, which means anyone eavesdropping on the line between browser and web server will be able to read logins as they pass through. This type of wiretapping is done routinely by governments, but in general, we won't address 'owned' wires other than to say this: Just use HTTPS.
In other words, when using a secure protocol, there is no need for a hashed password.
Storing
This is what the article says:
This may finally be common knowledge after all the highly-publicized hacks and user data leaks we've seen in recent years, but it has to be said: Do not store passwords in cleartext in your database. User databases are routinely hacked, leaked or gleaned through SQL injection, and if you are storing raw, plaintext passwords, that is instant game over for your login security.
If the database has already been hacked, the password should be of least concern. Who cares about login security when the data has already been exposed?
Remembering
This is what the article says:
Persistent Login Cookies ("remember me" functionality) are a danger zone; on the one hand, they are entirely as safe as conventional logins when users understand how to handle them; and on the other hand, they are an enormous security risk in the hands of careless users, who may use them on public computers and forget to log out, and who may not know what browser cookies are or how to delete them.
I used to think that the cookie would be a security risk and have even verbalised this in a previous topic (can’t find it). In that discussion @patrick advised me that the cookie was perfectly safe to use when using the Wappler procedure.
12 years ago when public computers were the go, logging out would have been a concern. Fast forward, with the advent of mobile devices, public computers are a rarity. Even so, this should not be a reason to not utilise a remember me function and has nothing to do with password hashing.
Conclusion
The only reason for password hashing is to stop hackers from using the password to access the data that has already been compromised. Makes no sense.
This reminds me of the bloke running from a clinic wrapped in toilet paper. When asked why the wrapping, he replied ‘I am full of shit’.
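The storage step the quoted article describes, as an added example that is not part of the original post, of the article, or of Wappler: the user table keeps a salted PBKDF2-HMAC-SHA256 record instead of the password, and login verifies by recomputing the hash from the stored salt and comparing in constant time. The algorithm choice, the iteration count, the record layout and the constructed user table are all assumptions made for this example, not values from the page.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed example; assumptions, not values from the post or the article:
# PBKDF2-HMAC-SHA256, a 16-byte random salt per user, a 32-byte derived key,
# and an iteration count that is simply a tunable work factor.
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iters>$<salt>$<hash>'.

    Only this record goes into the database; the plaintext password does not.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=KEY_BYTES)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count and
    compare it to the stored hash in constant time."""
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iters)
    except (ValueError, TypeError):
        # Malformed record: treat as a failed login rather than crashing.
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=KEY_BYTES)
    return hmac.compare_digest(actual, expected)


# Constructed user table: what the database holds after registration.
USERS = {"alice": hash_password("correct horse battery staple")}


def login(username: str, password: str) -> bool:
    """Check a submitted password against the stored record for the user."""
    record = USERS.get(username)
    if record is None:
        # Run the KDF anyway so an unknown user takes as long as a wrong password.
        hash_password(password, salt=b"\x00" * SALT_BYTES)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    print(USERS["alice"])
    print(login("alice", "correct horse battery staple"))
    print(login("alice", "wrong password"))
```

Running the file prints the stored record (no plaintext in it) followed by one successful and one failed login. The record carries its own salt and iteration count, so the work factor can be raised later without invalidating existing users: re-hash on their next successful login.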