Online password protection
Password: password
Securely storing passwords online can be a complex task. With a few tools, websites can offer better security, but users still need to choose their passwords wisely.
When it comes to password security on social networking sites, such as LinkedIn or XING, users usually have to rely on the website's claims. Because these sites are closed source applications, users don't know for sure how their passwords are protected. Often, by the time they find out, it may be too late. In 2012, for example, LinkedIn lost an estimated 6.5 million encrypted passwords. There may have been more as the company did not provide exact figures, because in 2016 a hacker offered to sell 117 million LinkedIn users' customer data [1].
Of all the types of stored data, user passwords are a particularly attractive target. One reason for this is that many users reuse a password for more than one site. Once an attacker has cracked a user's password on one site, they can use it to exploit other sites as well. Another reason is that the passwords many people choose are just too simple.
While all social networks store personal data, open source solutions, such as my project vutuv [2], are usually more open with their security approaches (see the box "Open Source Infrastructure"). Read on for a behind the scenes look at how our site goes about securely storing passwords.
Open Source Infrastructure
Vutuv runs its servers on Debian Linux (stable), which automatically installs security patches overnight. For the firewall, we use Shorewall [3]. While version 1 of vutuv's web application relied on MariaDB [4] as its database, from version 2 onward vutuv uses PostgreSQL [5]. NGINX [6] is the web server component. The application itself is based on the Phoenix Framework [7], which lets you roll out new versions via hot deployment without downtime, and is written in the Elixir [8] programming language.
Password-Free Is PassÈ
In vutuv's first version, we completely dispensed with user passwords and used a Magic Link instead. When logging in, a user only had to enter their email address; they were then sent a newly created Magic Link that would enable logging in without a password.
Quite proud of our secure Magic Link solution, we awaited community praise after the platform launch. Instead, we started getting support requests: Where do I enter a password? How do I set the password? The answer that vutuv did not need a password was something that none of the users found worthy of compliment.
We learned from this experience. For end users, it's completely normal to log on to a website with some kind of account name and password and to reset forgotten passwords by email if necessary. For 99 percent of our users, logging on with a Magic Link turned out to be non-intuitive and did not meet our target audience's needs. At the beginning of 2019, we decided to develop a second version, which among other things required a legacy login password [2].
Second Try
Instead of reinventing the wheel for password functionality, we implemented the Phoenix authentication library, Phauxth [9]. Since we had special system requirements, we quickly entered into an exchange with the library inventor, David Whitlock, who now is working full time for the vutuv core team on version 2.0.
For any web application, the worst case scenario is a hijacked server. An attacker would then have full access to the database and all the configuration files on the server. In vutuv's case, the attacker would probably have grabbed the source code from our public GitHub repository [2] in advance and studied it. For that reason, we do not use an encrypted database. Not only does it impact speed, but if an attacker has complete access to your system, encryption is pointless. The Phauxth authentication library ensures that an attacker who gets on your server system will not be able to extract passwords.
Brutally Simple
The simplest attack is a dictionary attack in which attackers try out popular passwords using brute force. This type of attack doesn't even require breaking into the target system. However, the attacker does need an account name that uses a weak password.
To prevent brute force attacks of this kind, vutuv uses a login limit. After three unsuccessful attempts, a user has to wait a few minutes until the next attempt. After further unsuccessful attempts, the wait increases and the system triggers an internal alarm.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Gnome 47.1 Released with a Few Fixes
The latest release of the Gnome desktop is all about fixing a few nagging issues and not about bringing new features into the mix.
-
System76 Unveils an Ampere-Powered Thelio Desktop
If you're looking for a new desktop system for developing autonomous driving and software-defined vehicle solutions. System76 has you covered.
-
VirtualBox 7.1.4 Includes Initial Support for Linux kernel 6.12
The latest version of VirtualBox has arrived and it not only adds initial support for kernel 6.12 but another feature that will make using the virtual machine tool much easier.
-
New Slimbook EVO with Raw AMD Ryzen Power
If you're looking for serious power in a 14" ultrabook that is powered by Linux, Slimbook has just the thing for you.
-
The Gnome Foundation Struggling to Stay Afloat
The foundation behind the Gnome desktop environment is having to go through some serious belt-tightening due to continued financial problems.
-
Thousands of Linux Servers Infected with Stealth Malware Since 2021
Perfctl is capable of remaining undetected, which makes it dangerous and hard to mitigate.
-
Halcyon Creates Anti-Ransomware Protection for Linux
As more Linux systems are targeted by ransomware, Halcyon is stepping up its protection.
-
Valve and Arch Linux Announce Collaboration
Valve and Arch have come together for two projects that will have a serious impact on the Linux distribution.
-
Hacker Successfully Runs Linux on a CPU from the Early ‘70s
From the office of "Look what I can do," Dmitry Grinberg was able to get Linux running on a processor that was created in 1971.
-
OSI and LPI Form Strategic Alliance
With a goal of strengthening Linux and open source communities, this new alliance aims to nurture the growth of more highly skilled professionals.