How do Facebook, Google, Microsoft and other major internet companies secure their users' passwords in case of a security breach?
-
Credit: http://xkcd.com/1286/
Related:
- https://www.schneier.com/blog/archives/2013/11/cryptographic_b.html
- http://arstechnica.com/security/2013/11/how-adobes-messy-password-breach-can-spill-to-sites-like-diapers-com/
- http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-password-disaster-adobes-giant-sized-cryptographic-blunder/
- http://www.theguardian.com/technology/2013/nov/07/adobe-password-leak-can-check
- http://arstechnica.com/security/2013/11/how-an-epic-blunder-by-adobe-could-strengthen-hand-of-password-crackers/
- http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/
-
Answer:
There are basically two things to learn from recent incidents. I do not know how Google or Facebook actually store their passwords, but we know what not to do.

The first big thing is: do not store passwords in a way that two people using the same password get the same stored token (examples of this are md5 and any ECB modes). You can verify this even if you do not know which encryption is used, by looking at different users that have the same password in the database. You can also try to google a few encrypted/hashed passwords; if you find anything, it is obviously not good.

The second big thing is: if you have implemented a password scheme, review the security requirements maybe every 6 months and decide to migrate the complete user DB to a new scheme, even if this costs you quite a bit in development. Old password schemes get worse and worse due to different approaches at hacking them and also simply due to increasing CPU power.

Two examples. First of all, Adobe had passwords that make it possible to identify different users with the same password, so at the very least you are able to find other users in the leaked database that used the same password as you, which is bad enough. Amazon had a security incident (at least in Germany, I have no idea if this was present in other countries as well) where passwords for users that didn't change their password in the last few years had only 8 significant chars, which suggests that the passwords were stored in Unix crypt and were never migrated even though new passwords were stored with a better algorithm.

In general, do not invent your own scheme, have some experts review the implemented scheme, and revise the concept once in a while.
Alexander Lehmann at Quora
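The two points in the answer above, the "same password, same token" check and the scheme migration, as an added worked example (not code from the answer or from any of the companies named). The legacy table, the user names and passwords, the self-describing record format `pbkdf2_sha256$iterations$salt$hash` and the iteration count are all constructed here for illustration; PBKDF2-HMAC-SHA256 from the standard library stands in for whatever slow salted hash a real deployment picks.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample: an "old" user table that stores unsalted MD5 hex digests.
# alice and bob chose the same password, so they end up with the same token,
# which is exactly the property a leaked database exposes.
LEGACY_DB = {
    "alice": hashlib.md5(b"hunter2").hexdigest(),
    "bob":   hashlib.md5(b"hunter2").hexdigest(),
    "carol": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

def find_shared_tokens(db):
    """Group users by stored token. Any group of more than one user shows the
    scheme is deterministic (no per-user salt); no knowledge of the algorithm
    is needed, only the stored values."""
    groups = defaultdict(list)
    for user, token in db.items():
        groups[token].append(user)
    return {tok: sorted(users) for tok, users in groups.items() if len(users) > 1}

# Assumed cost parameter for the new scheme; raise it as CPUs get faster.
PBKDF2_ITERATIONS = 600_000

def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted, slow hash. The record names the algorithm and cost so old
    records can be recognised and re-hashed when the scheme is revised."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify(password, record):
    """Check a password against either record format, in constant time."""
    if record.startswith("pbkdf2_sha256$"):
        _, iters, salt_hex, digest_hex = record.split("$")
        expected = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(expected.hex(), digest_hex)
    # Anything else is treated as a legacy unsalted MD5 hex digest.
    return hmac.compare_digest(hashlib.md5(password.encode()).hexdigest(), record)

def needs_rehash(record, iterations=PBKDF2_ITERATIONS):
    """True for legacy records and for new-scheme records below current cost."""
    if not record.startswith("pbkdf2_sha256$"):
        return True
    return int(record.split("$")[1]) < iterations

def login(db, user, password):
    """Verify the password; on success, upgrade a legacy or under-cost record.
    The plaintext is only available at login, so this is the only moment a
    hash-based store can be migrated without forcing a password reset."""
    record = db.get(user)
    if record is None or not verify(password, record):
        return False
    if needs_rehash(record):
        db[user] = hash_password(password)
    return True

if __name__ == "__main__":
    print("shared tokens in legacy table:", find_shared_tokens(LEGACY_DB))
    db = dict(LEGACY_DB)
    for user, pw in [("alice", "hunter2"), ("bob", "hunter2")]:
        print(user, "login ok:", login(db, user, pw))
    print("shared tokens after migration:", find_shared_tokens(db))
```

Running the block first reports that alice and bob share a token, then migrates both on login and reports no shared tokens, because each new record carries its own random salt. Users who never log in again keep their legacy record, which is the situation the answer describes for Amazon; a migration plan has to decide what to do with those accounts (forced reset or expiry) rather than assume opportunistic re-hashing reaches everyone.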