Surprised Stick Figure

UPDATED April 2, 2014: This was an April Fools Joke. Read. Laugh. Learn. And don’t store your passwords in plain-text. It’s a horrible idea.

As Stormpath is a security company, specifically focusing on user management — we often get questions about password hashing, database security, etc. Since we get asked about password hashing so frequently, I figured I’d take a few moments to disclose my full thoughts on the subject as it stands today.

Plain Text Isn’t That Bad

Firstly, I want to clear up any misconceptions: storing plain text passwords isn’t that bad.

Even if you store every user’s password in plain text — as long as you’re using Linux — there is very little difference between storing hashed passwords and plain text passwords.

As a matter of fact, there are quite a few benefits to storing passwords in plain text:

  • Less Computing Resources: Many secure password hashing algorithms (like bcrypt and scrypt) require a lot of resources to compute (CPU, memory, time, etc.). When you perform actions like registering a user, or logging a user into their account, these requests are slower as the server needs time (and resources!) to compute these hashes. Every millisecond counts when your user is logging in from their iPad.

  • Scale: Got a lot of users creating accounts or logging into accounts concurrently? You’ll need large servers so you can compute the password hashes efficiently. This costs money you could better spend elsewhere.

  • Speed: You have to write code to hash passwords. This requires engineering time — and many people mess it up (even great engineers). Few people even understand the crypto side of things (us included!).

  • No False Sense Of Security: If your database is hacked, and password hashes are leaked, you still run the risk of sophisticated attackers bruteforcing the password hashes anyway.

  • Future Proof: When quantum computing becomes a “thing”, password hashing won’t matter anyway.

While it’s true that if your database is hacked, plain text passwords make the attacker’s life really easy — at that point, does it even matter? You’ll be out of business (and likely, a job) anyway.

Don’t Focus on Hashing, Focus on Infrastructure Security

Security Man

I’d like to propose that instead of spending time and energy worrying about what password hashing algorithm you’re using — focus that effort on your database and infrastructure security instead. This is an argument for efficiency: if your database and infrastructure are sufficiently locked down, attackers will never be able to gain access to your password database in the first place.

By spending a few minutes auditing your server and network security (firewall rules, etc.) you can eliminate 99% of the common attack vectors.

I’m Not the Only One!

If this still sounds crazy to you, don’t just take my word for it. Lots of huge companies agree with me. Even Credit Karma (one of the largest free credit reporting sites) stores their passwords in plain text. Do you think they’d do that if they didn’t have a good reason?

They’re regulated by various financial and personal information laws, and still use plain text. So it obviously can’t be that bad of an idea. In fact, by one estimate, up to 30% of companies store, transmit, or backup passwords in plain text.

If you’d like to see a list of other big companies storing their passwords in plain text, please check out this awesome site.

As you can see, I’m not alone in my opinion.

One Final Point

Incredulous Steve Jobs

April Fools. Ok, listen. We were going to let this post ride without the reveal but we were scared some joker would get to the end and think, “Great idea! These guys are really onto something!” and then build out his new BitCoin exchange with plaintext passwords.

Storing your passwords in plain text is… a horrible idea. No matter how great your infrastructure security is, attackers WILL get access to your password hashes (one way or another!)..

As a developer, protecting your user’s information is incredibly important. When users sign up for your application / service / etc., they’re trusting you to protect their information.

By storing passwords in plain text, you are directly breaching that implicit user trust.

If you want to store user passwords in a secure manner, there are obviously many things you need to do:

  • bcrypt all passwords as soon as they are received (with a high complexity factor).

  • Don’t log passwords — anywhere.

  • Ensure the database(s) your password hashes are stored in are as locked down as possible. This includes user accounts, firewall rules, etc.

  • Make sure any database backups you take are stored in a secured, non-publicly accessible location (many people end up leaking passwords via backups).

Here at Stormpath, we do all of these things (and a lot more!) to keep your user’s data safe while saving you time. If you’d like to learn more about safely storing user passwords, check out some of our other articles we’ve written.

To counter some of the arguments above, let’s take a look at why hashing your passwords IS still a good idea:

  • Intense Computing Resources: One of the greatest things about CPU-hardened password hashing algorithms like bcrypt and scrypt is that they explicitly require a lot of CPU, RAM, and processing time to compute! This makes brute forcing these password hashes incredibly time consuming for attackers.
  • Scale: While slow hashing algorithms DO take longer to compute – this is only the case for registering and authenticating users – this does NOT slow down normal site operations in any way. Also: users won’t notice millisecond delays in typical web operations.
  • Speed: Building an authentication service takes a lot of time. You have to maintain it, host it, and patch it. We suggest you use Stormpath instead. Our goal is for you to spend less time worrying about user security and more time… being a badass and shipping code! >:)
  • A REAL Sense Of Security: Even if attackers get a copy of a database full of bcrypt’ed password hashes, it would take them millions of years to crack these passwords (even with tons of computing power).
  • The Future: Uh… If quantum computing DOES become a thing, your password hashes definitely won’t save you – that bit is true 🙂

Finally: Breaches are expensive. This report (pdf) from Symantec in 2013 shows that in the US, the average cost of a data breach is $188 dollars — per record! That’s a lot of money!

Don’t be fooled – password hashing is incredibly important.

We hope this joke was not only enjoyable, but also educational.

From all of us here at Stormpath — Happy April Fools’ Day! Be safe out there!

PS: If you happen to be part of the Credit Karma engineering team, please reach out to me directly: [email protected], and I’ll help you sort out those plain text issues >:)