Password Security

There is an interesting investigation into an issue with a GoDaddy-hosted website. The investigation touches on a number of different things, but one of them is that GoDaddy stores passwords without hashing them.

I did my undergraduate computer science degree in the early 1970s, and even then we were taught that passwords should always be hashed (we called them one-way ciphers back then). Instead of comparing the actual password to whatever was typed, the typed password was hashed and compared to the stored hash. In this way, even if the password file was compromised, it was impossible to recover the passwords.

As computers got faster, two changes were made, most publicly in the Unix operating system. Firstly, the hashing algorithm needed to become computationally expensive, unlike most cryptography, where efficiency is one of the goals. Secondly, a salt was stored alongside the hashed password and mixed into the hash, so that the same password produces a different hash for every user. These two changes made it intractable, at least for a time, to pre-compute hashed values for an entire dictionary or for all possible passwords.
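As an added illustration (not code from the original post, and not how GoDaddy or Unix crypt(3) actually store passwords), the Python below implements the two changes just described: a per-user random salt stored next to the hash, and an iterated hash whose cost is tunable. PBKDF2-HMAC-SHA256 and the `iterations$salt$hash` record layout are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor: number of PBKDF2 rounds. Raising it makes every check slower,
# for the legitimate login and for anyone hashing a dictionary alike.
DEFAULT_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record 'iterations$salt_hex$hash_hex'.

    The salt is generated fresh per call (i.e. per user) unless supplied,
    so two users with the same password get different records.
    """
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, stored in the clear
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-hash the typed password with the stored salt and cost, then compare.

    The stored hash is never decrypted; a malformed record simply fails.
    """
    parts = record.split("$")
    if len(parts) != 3:
        return False
    try:
        iterations = int(parts[0])
        salt = bytes.fromhex(parts[1])
        stored = bytes.fromhex(parts[2])
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    # Constant-time comparison so timing does not leak the match position.
    return hmac.compare_digest(digest, stored)


def salting_defeats_shared_table(password: str) -> bool:
    """Show why a single pre-computed table cannot cover all users:
    the same password yields two different records, and each still verifies."""
    first = hash_password(password)
    second = hash_password(password)
    return (first != second
            and verify_password(password, first)
            and verify_password(password, second))
```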