Passwords need a dash of Salt

Sunday, 10 Jun 2012

This week, a number of high-traffic sites had security breaches, including LinkedIn. Over 6 million accounts were compromised, with their customers’ login info showing up on hacker download sites. A high profile asset like LinkedIn is bound to be a target. The fact the bad guys got in is not that extraordinary. Given a high-enough reward, hackers can be a determined bunch.

The fact LinkedIn got breached does not mean anyone was necessarily asleep at the wheel. They got unlucky in a cat-and-mouse game. However, the low level of effort LinkedIn put into securing their customers’ passwords is extraordinary! This was a grad-level stuff up. Developers at LinkedIn should be embarrassed.

Always one for worrying about appearances, my marketing guy asked how secure our customer passwords are. Handling credit cards and online purchases is core to our business, so we take storing customer data seriously. Here is a crash course in password storage.

Hashing Passwords

For the really lazy (read “irresponsible”), passwords can be stored un-encrypted (known as “in clear text”). It’s not worth going over why this is a bad choice. Generally, passwords are stored after being scrambled using a “one-way hash function”. These are well known and mathematically proven algorithms that are good at scrambling passwords.

If you used the password “secret” at LinkedIn (yes, some people did!) the scrambled (hashed) version was:


When users change their password, the scrambled (hashed) version is stored and checked next time they log in. Each user that used “secret” as their password had the above string stored with their username, not the actual password.

Using this approach, there’s no need to ever store the user’s actual password. If a hacker gets into your database, all they find is a scrambled sequence of characters and not the real password.

The key property that makes this work is one-way hash functions cannot be reversed (hence “one-way”). There is no good way to take the scrambled data and write a program that unscrambles it to generate the original password.

Using hashes like this, developers can say:

  • We never store the user’s password unencrypted
  • We use a one-way hash that is industry standard and cannot be reversed

Sounds secure! This is where it seems the guys stopped their password protection.

Hacking Passwords

The trouble is, hackers are resourceful and have been at this for years. While programs that unscramble hashed passwords are hard to write, it’s easy to write a different type of program. By taking a dictionary, hashing every word in it and saving the results into a database, the hacker’s job is now trivial. Not only is this possible, but it’s been done and such databases and programs are readily available. They’re called rainbow tables.

Now, with the scrambled passwords, all the hackers need to do is look up the rainbow table and find the original password. Programs to do this are really, really fast! As many people use common words for their passwords, this is a great way to breach a good percentage of users’ accounts. As LinkedIn have just found out!

Needs More Salt

While users can protect themselves by using strong passwords, website developers can also take a very simple step to make rainbow attacks futile.

Instead of just scrambling the user’s password, like “secret”, a long random number can be added to the password before it’s hashed. With a different random number for every account, even for users who have the same password, the scrambled versions (the ones saved in the database) will be different from each other.

Now, if the hacker looks up a hashed password in their rainbow tables, they won’t find a match.

Salted passwords will not stop a determined hacker getting access to a prized asset. A top quality dead-lock on your front door will not stop a thief from breaking a window to get in. But salted passwords are so simple to do, there is no reason not to. Just like you don’t go on vacation and leave the front door open. Unless your PR department needs the extra work explaining the unexplainable, make sure you’re doing a better job with your passwords than basic hashing.

What you can do as a product owner

There is no reason not to use salted password hashes. It’s literally a few hours’ work to add a random number to your customers’ passwords before saving the hash to the DB. Just look at how fast LinkedIn were able to respond! If you want to give the hackers a harder time, you can run the hash function a number of times. It’s fast to execute, the user won’t notice a second or two increase in login and it defeats rainbow table attacks.
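An added example (not code from the original post) covering both the per-account salt described under “Needs More Salt” and the repeated hashing suggested above. It assumes SHA-1 for the unsalted scheme and uses PBKDF2-HMAC-SHA256 from Python’s standard library as the salted, iterated hash; the function names, iteration count and word list are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune for your hardware


def unsalted_hash(password):
    """Weak scheme: one bare, fast hash. SHA-1 is this example's assumption."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> word once; it then works against every unsalted DB."""
    return {unsalted_hash(w): w for w in words}


def hash_password(password, salt=None):
    """Salted, iterated hash. Returns 'salt_hex$digest_hex' for the DB column."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def lookup(stored, table):
    """What a precomputed table can recover from a stored value (or None)."""
    return table.get(stored.split("$")[-1])


if __name__ == "__main__":
    table = build_lookup_table(["password", "secret", "letmein"])  # constructed
    weak_a, weak_b = unsalted_hash("secret"), unsalted_hash("secret")
    print("unsalted identical:", weak_a == weak_b, "->", lookup(weak_a, table))
    strong_a, strong_b = hash_password("secret"), hash_password("secret")
    print("salted identical:  ", strong_a == strong_b, "->", lookup(strong_a, table))
    print("login still works: ", verify_password("secret", strong_a))
```

The salt is stored next to the digest and is not secret; its job is to make every account’s stored value unique so that precomputing a table once no longer pays off.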

What you can do as a user

Don’t use the same password for all your accounts. At the very least, have different passwords for different types of accounts. For example, if you use the same password for all social networks, make sure you use a different password for your work email. And a different one again for your internet banking and PayPal.

Final word

Back in 1998, I was doing some work for the Australian and US governments around single processing. We had a few guys from the US here and I remember a particular conversation about security. It was a discussion about the merits of perimeter vs multi-level security. Perimeter security fortifies the external walls and concentrates all effort making it as hard as possible for someone to break in. Multi-level security takes it as given that a penetration will happen and each system and information store needs to take localized and reasonable precautions to secure its own critical data.

The conversation with my US counterpart was intense but brief. The risk of having the outer defences breached vs the effort of taking reasonable precautions at every level make the economics simple. Secure all the way down was the obvious way to go.

A decade and a half later, after countless high-profile breaches, it’s pretty clear that relying on a “hard” exterior with “soft” interiors leads to one breach being catastrophic. Like a house of cards tumbling down, hackers cannot believe their luck when they get in and find easy pickings. Looks like LinkedIn are still learning.

Design Eye slides from Agile Australia

Tuesday, 5 Jun 2012

Wow! The Agile Australia conference in Melbourne last week demonstrated just how broad the uptake of “sensible” software delivery has been in this country. I spoke to people from all types of enterprises, people at all levels of the company. Startups to (previously?) lumbering corporations, CIOs to testers.

For those who enjoyed “Design Eye for a Dev Guy”, or missed it, I’m making a PDF of the slides available. Thanks for all the great feedback.


Build the Money Slides from ’09

Friday, 1 Jun 2012

Many people stopped me at the conference this week and I’ve been asked a few times to make these available, so here they are. Even though they’re a few years old now, the concepts, especially the EQ Matrix have stood the test of time. I’m working on a followup and how it applies in the context of Lean Startups. Stay tuned.



Negative Rhetoric as a “Tell”

Sunday, 4 Dec 2011

In poker, a “tell” is a small change in a player’s behaviour used by opponents to get an indication of the strength of their hand.

Similar tells come up in interactions all the time. If you look out for them, you can often detect someone’s intrinsic bias (we all have them). It’s worth the effort because once you understand someone’s personal viewpoint, you have more effective conversations.

Next time you’re in a discussion and it feels blocked or going round in circles, try this: Listen to the juxtaposition of phrases on key issues and see which side of the issue is given the pejorative or negative wording. Here’s an example: When taking a stance on Google Android phones vs Apple iPhones, a common refrain from the Google camp is:

Android is open, iPhone is closed.

Steve Jobs in contrast preferred:

iPhone is integrated, Android is fragmented.

Both statements deliver the same intent, however, the negative inference clearly indicates the speaker’s personal belief. A good way to check someone’s bias is to reverse or mix up the rhetoric and play it back to them. The response to the rewording will indicate willingness to accept new ideas and come to a shared understanding. Or are they only interested in verbal point scoring?

You can also use the same concepts to balance your own messages and take the edge out of an argument. Instead of using good/bad wording for an issue, use good/good or bad/bad.

Android is open, iPhone is integrated.
iPhone is closed, Android is fragmented.

Be authentic in your conversations.

Here’s to the Crazy Ones

Thursday, 6 Oct 2011

Today seems like a better day than normal to make a change and start something. I’ve watched Steve Jobs and followed the ascent of Apple with respect and appreciation. Since Jobs returned to Apple, the journey has provided us all with perfect examples of product strategy, leadership and design. For anyone interested in these things, Jobs’ genius and Apple’s accomplishments define the way things should be done.

It saddens me to know that this particular era is coming to an end. The “come back” is officially over. The last chapter will be written by Tim Cook and his incredible team during the final transition.

To my own surprise, the loss feels greater than the end of a business story. The passion Steve had for touching lives through new products meant he’d only leave Apple if his health forced him. So we had to expect behind private doors that his resignation as CEO marked a final decline in his health. Knowing his time was passing did nothing to soften the impact of the loss of Steve as a human.

I feel diminished.

I didn’t have a Mac in the ’90s. Being a Unix guy, I longed instead for an all too expensive NeXTstation. But, I immediately loved the Think Different campaign because of the giants featured and for its timeless, human message:

Here’s to the crazy ones. The misfits. The rebels. The troublemakers. The round pegs in the square holes. The ones who see things differently. They’re not fond of rules. And they have no respect for the status quo…

– Apple Inc, 1997

For me, and I expect others, this felt like I was being pulled, compelled to dare. We were often in trouble at school; we focused our energies in things we loved; we ignored things we could avoid; time meant nothing compared to getting it done; almost finished was just as bad as not starting. If you could not keep up, you’d get left behind.

We now know, the Think Different campaign marked the turning point for Apple. Sales of the new iMac on the back of this ad began the revival. But, maybe deliberately, this ad campaign seems as much for the staff at Apple as it was to re-raise the awareness of Apple in the market. It was a call to action for Jon Ive and all the rest that if Apple could re-focus to innovation, become an entire company of crazy ones, they could do great things. And it worked.

Over the next decade, Steve (re?)created a culture where no respect for the status quo was not only desirable, but required. A belief in humans to be their best. A haven for those uncomfortable with compromise.

In an industry stereotyped with pejorative adjectives like “geek” and “nerd”, implicit with an imbalance of machine over man, it’s with a dose of irony that Apple’s success is based on two human elements: focus on the user experience and a culture of continual rebellion and perfection.

Steve Jobs was an inspiration for many. Everyone has their own take on what made him insanely great. Steve has thrilled us with beautiful details from typography, to aqua buttons and rubber-band scrolling. These differences don’t speak to anything truly unique.

Misfits and rebellion are one thing. But there was a greater appeal in the Think Different ads: The people featured were giants. We all have our own strengths. When we have the knowledge to critique another’s work, it makes it easier to judge someone as being better than us. But then there are those men and women who stand so tall in their field you have to take note.

I’m no boxer, nor do I have a love for watching it. I do know a little of Ali’s life. But when I watch “When We Were Kings”, I weep for joy. To see Ali in his prime in that movie is glorious. In every field of human endeavour, the giants have something to teach us about our own lives. Our own paths.

This for me is the true beauty and power of those ads.

In 2005, Steve Jobs gave a commencement speech at Stanford and told three short stories. In this speech, he gives us insight into what drove him. But in the perfect simplistic style of Apple’s products, the takeaway is simple and elegant and fun:

Stay hungry. Stay Foolish. – Steve Jobs, 2005

This is how we can all be giants if we dare. It worked for Steve.

My sympathies to Steve’s family. Best wishes to all the crazy ones at Apple.