My coworker and I are having a fist-fight civilized discussion over password security. Please help us resolve our differences.
One of us takes the viewpoint that:
- Storing passwords encrypted using a public key in addition to a one-way hashed version is OK and might be useful for integration with other authentication systems in the future in case of a merger or acquisition.
- Only the CEO/CTO would have access to the private key, and it would only be used when necessary. Regular login validation would still occur via the hashed password.
- I have/he has done this before in previous companies and there are many sites out there that do this and have survived security audits from Fortune 500 companies before.
- This is a common, and accepted practice, even for financial institutions, thus there is no need to explicitly state this in the privacy policy.
- Sites like Mint.com do this.
The other one of us takes the following viewpoint:
- Storing passwords, even in encrypted form, is an unnecessary security risk and it's better to avoid exposure to this risk in the first place.
- If the private key falls into the wrong hands, users that use the same password across multiple sites would risk having all of their logins compromised.
- This is a breach of trust of our users, and if this practice is implemented, they should be explicitly informed of this.
- This is not an industry-wide practice and no big name sites (Google, Yahoo, Amazon, etc.) implement this. Mint.com is a special case because they need to authenticate with other sites on your behalf. Additionally, they only store the passwords to your financial institutions, not your password to Mint.com itself.
- This is a red flag in audits.
Thoughts? Comments? Have you worked at an organization that implemented this practice?
Menu
