Online password protection
Password: password

© Lead Image © Kian Hwi Lim, 123RF.com
Securely storing passwords online can be a complex task. With a few tools, websites can offer better security, but users still need to choose their passwords wisely.
When it comes to password security on social networking sites, such as LinkedIn or XING, users usually have to rely on the website's claims. Because these sites are closed source applications, users don't know for sure how their passwords are protected. Often, by the time they find out, it may be too late. In 2012, for example, LinkedIn lost an estimated 6.5 million encrypted passwords. There may have been more as the company did not provide exact figures, because in 2016 a hacker offered to sell 117 million LinkedIn users' customer data [1].
Of all the types of stored data, user passwords are a particularly attractive target. One reason for this is that many users reuse a password for more than one site. Once an attacker has cracked a user's password on one site, they can use it to exploit other sites as well. Another reason is that the passwords many people choose are just too simple.
While all social networks store personal data, open source solutions, such as my project vutuv [2], are usually more open with their security approaches (see the box "Open Source Infrastructure"). Read on for a behind the scenes look at how our site goes about securely storing passwords.
Open Source Infrastructure
Vutuv runs its servers on Debian Linux (stable), which automatically installs security patches overnight. For the firewall, we use Shorewall [3]. While version 1 of vutuv's web application relied on MariaDB [4] as its database, from version 2 onward vutuv uses PostgreSQL [5]. NGINX [6] is the web server component. The application itself is based on the Phoenix Framework [7], which lets you roll out new versions via hot deployment without downtime, and is written in the Elixir [8] programming language.
Password-Free Is PassÈ
In vutuv's first version, we completely dispensed with user passwords and used a Magic Link instead. When logging in, a user only had to enter their email address; they were then sent a newly created Magic Link that would enable logging in without a password.
Quite proud of our secure Magic Link solution, we awaited community praise after the platform launch. Instead, we started getting support requests: Where do I enter a password? How do I set the password? The answer that vutuv did not need a password was something that none of the users found worthy of compliment.
We learned from this experience. For end users, it's completely normal to log on to a website with some kind of account name and password and to reset forgotten passwords by email if necessary. For 99 percent of our users, logging on with a Magic Link turned out to be non-intuitive and did not meet our target audience's needs. At the beginning of 2019, we decided to develop a second version, which among other things required a legacy login password [2].
Second Try
Instead of reinventing the wheel for password functionality, we implemented the Phoenix authentication library, Phauxth [9]. Since we had special system requirements, we quickly entered into an exchange with the library inventor, David Whitlock, who now is working full time for the vutuv core team on version 2.0.
For any web application, the worst case scenario is a hijacked server. An attacker would then have full access to the database and all the configuration files on the server. In vutuv's case, the attacker would probably have grabbed the source code from our public GitHub repository [2] in advance and studied it. For that reason, we do not use an encrypted database. Not only does it impact speed, but if an attacker has complete access to your system, encryption is pointless. The Phauxth authentication library ensures that an attacker who gets on your server system will not be able to extract passwords.
Brutally Simple
The simplest attack is a dictionary attack in which attackers try out popular passwords using brute force. This type of attack doesn't even require breaking into the target system. However, the attacker does need an account name that uses a weak password.
To prevent brute force attacks of this kind, vutuv uses a login limit. After three unsuccessful attempts, a user has to wait a few minutes until the next attempt. After further unsuccessful attempts, the wait increases and the system triggers an internal alarm.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Direct Download
Read full article as PDF:
Price $2.95
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Find SysAdmin Jobs
News
-
LibreOffice 7.5 has Arrived and is Loaded with New Features and Improvements
The favorite office suite of the Linux community has a new release that includes some visual refreshing and new features across all modules.
-
The Next Major Release of Elementary OS Has Arrived
It's been over a year since the developers of elementary OS released version 6.1 (Jólnir) but they've finally made their latest release (Horus) available with a renewed focus on the user.
-
KDE Plasma 5.27 Beta Is Ready for Testing
The latest beta iteration of the KDE Plasma desktop is now available and includes some important additions and fixes.
-
Netrunner OS 23 Is Now Available
The latest version of this Linux distribution is now based on Debian Bullseye and is ready for installation and finally hits the KDE 5.20 branch of the desktop.
-
New Linux Distribution Built for Gamers
With a Gnome desktop that offers different layouts and a custom kernel, PikaOS is a great option for gamers of all types.
-
System76 Beefs Up Popular Pangolin Laptop
The darling of open-source-powered laptops and desktops will soon drop a new AMD Ryzen 7-powered version of their popular Pangolin laptop.
-
Nobara Project Is a Modified Version of Fedora with User-Friendly Fixes
If you're looking for a version of Fedora that includes third-party and proprietary packages, look no further than the Nobara Project.
-
Gnome 44 Now Has a Release Date
Gnome 44 will be officially released on March 22, 2023.
-
Nitrux 2.6 Available with Kernel 6.1 and a Major Change
The developers of Nitrux have officially released version 2.6 of their Linux distribution with plenty of new features to excite users.
-
Vanilla OS Initial Release Is Now Available
A stock GNOME experience with on-demand immutability finally sees its first production release.