Does your website store account passwords correctly? Would you tell everyone on the internet how you do it? Michal explains why you should and how to get an A+ grade from the Password Storage project.

Show Notes

Michal Špaček shares the story of how the Password Storage project has convinced hundreds of companies to publicly disclose their password storage practices and assigned each a grade based on how well they follow best practices.

We discuss hashing algorithms and the technology behind storing passwords securely. Learn why a company that follows the technical best practices might still not earn an A grade if it does not have a public disclosure, or if it relies on an Invisible Disclosure.

We compare the Password Storage project to other fantastic security tools like SSL Labs and Mozilla Observatory.

Michal outlines how the grading criteria will change in the short term, highlights the desire to get more companies included in the data set, and contemplates how the project will continue to grow over time.

This episode was initially published in August 2019, the 5 year anniversary of Michal’s talk at BSides Las Vegas 2014, which planted the seeds that eventually grew into the Password Storage project. Happy birthday, Password Storage!

Resources mentioned in episode

  • Michal launched Password Storage at BSides Las Vegas in 2016. You can see the slides from his talk here.
  • Bruce K. Marshall is a researcher and consultant dedicated to improving the application of authentication technologies, products, and good practices. He founded to better share the password information he was collecting.
    • You can find Bruce on Twitter @PwdRsch.
  • Michal wrote an article titled “Upgrading existing password hashes” that explains how to gracefully migrate passwords hashed with a legacy algorithm to a secure and modern algorithm.
  • To get your website listed in the Password Storage project, check out the FAQ.
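The migration described in the "Upgrading existing password hashes" item above can be done in two stages without waiting for every user to log in: first wrap every legacy digest inside a modern key derivation function in one batch job, then, on each successful login, replace the wrapped value with a direct modern hash of the plaintext. The example below is added here and is not code from the episode, from Michal's article, or from the Password Storage project. It assumes unsalted SHA-1 as the legacy scheme and uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for the modern algorithm (a real deployment would use bcrypt or Argon2); both choices are assumptions, as are the `wrapped$` and `pbkdf2_sha256$` prefixes used to tell the formats apart.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt/Argon2 so the example runs
# offline with only the standard library. The iteration count is illustrative.
ITERATIONS = 100_000
MODERN_PREFIX = "pbkdf2_sha256$"
WRAPPED_PREFIX = "wrapped$"


def legacy_hash(password: str) -> str:
    """Unsalted SHA-1 hex digest, standing in for the legacy scheme (assumption)."""
    return hashlib.sha1(password.encode()).hexdigest()


def modern_hash(secret: bytes, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256, serialised as algo$iterations$salt$dk."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)
    return f"{MODERN_PREFIX}{ITERATIONS}${salt.hex()}${dk.hex()}"


def modern_verify(stored: str, secret: bytes) -> bool:
    """Recompute the derived key with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", secret, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def wrap_legacy(legacy_digest: str) -> str:
    """Stage 1: run once over the whole table, no user interaction needed.
    The old digest becomes the input to the modern KDF, so a leaked table
    is no longer a table of fast, unsalted hashes."""
    return WRAPPED_PREFIX + modern_hash(legacy_digest.encode())


def migrate_table(users: dict) -> dict:
    """Batch-wrap every legacy digest in a constructed {username: hash} store."""
    return {name: wrap_legacy(h) for name, h in users.items()}


def verify_and_upgrade(stored: str, password: str):
    """Stage 2: on login, accept either format. When a wrapped hash verifies,
    return a direct modern hash of the plaintext so the caller can persist it.
    Returns (ok, hash_to_store)."""
    if stored.startswith(WRAPPED_PREFIX):
        inner = stored[len(WRAPPED_PREFIX):]
        if modern_verify(inner, legacy_hash(password).encode()):
            # Correct password: drop the legacy layer entirely.
            return True, modern_hash(password.encode())
        return False, stored
    if stored.startswith(MODERN_PREFIX):
        return modern_verify(stored, password.encode()), stored
    raise ValueError("unknown hash format")


if __name__ == "__main__":
    # Constructed sample store with legacy SHA-1 digests.
    table = {"alice": legacy_hash("correct horse"), "bob": legacy_hash("hunter2")}
    table = migrate_table(table)          # stage 1, offline
    ok, new_hash = verify_and_upgrade(table["alice"], "correct horse")
    if ok:
        table["alice"] = new_hash         # stage 2, at login
    print(table["alice"].startswith(MODERN_PREFIX))  # True
```

The `wrapped$` entries never verify the plaintext directly; they verify the legacy digest of the plaintext, which is why the batch stage can run without knowing any password. Once a user has logged in, their row no longer depends on the legacy algorithm at all.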

You can find the host of The All Things Auth Podcast on Twitter @conorgil.
