8 Handling passwords
This chapter covers
- How passwords may be stolen
- How encrypted or hashed passwords may still be retrieved by an attacker
- Why hashing is the best approach for password handling
- How to implement password hashing with ASP.NET Core
- How to change the default password hashing behavior of ASP.NET Core
In early October 2013, Adobe reported a security incident on its servers. The original blog posts are no longer available (only through a web archive), but independent news sources paint a very clear picture. According to security journalist Brian Krebs (https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/), attackers were able to access the source code of several of the company's products, and personal customer information was stolen as well. As The Verge reported (https://www.theverge.com/2013/11/7/5078560/over-150-million-breached-records-from-adobe-hack-surface-online), the number of affected accounts was initially estimated at around 3 million, but the actual number turned out to be probably over 150 million. To be fair, it is unclear how many of those accounts were inactive or test accounts. The numbers are still staggering, though.
The extracted data included, among other things, passwords. Luckily, they were not stored in plain text. However, many of them could still be recovered, due to the way the application handled them. Let's take a look at this case study to learn what went wrong (and how to do better).