Hi, I work at Kickstater. When communicating with millions of people its important to balance technical explanations against the desire to communicate your message in common sense terms.
That said, we're being very public with how we hashed them: older Kickstarter passwords used using SHA-1 digested multiple times. More recent passwords are encrypted with bcrypt.
Yep, I appreciate your comments here. I mean my comment as a generality. And I think that any press release such as this one could put the hashing mechanism in small print at the bottom, or in a link, without confusing the average reader. We shouldn't have to turn to HN to find it.
Why do you feel that a private company that is communicating with the press and it's users has any obligation to also inform in the same way (the blog post or press release) hackers and security personnel that would like to know the answer to these questions?
Disclosing these things is nice of course but it's not core to kickstarters business in terms of people who use kickstarter (projects or consumers).
Also be aware that in business there are a ton of behind the scenes things I would like to know that would help me. [1] And if your argument is that security information disseminated is helpful to all that's fine and is correct. So that can be disclosed at the companies discretion. But they have no obligation and aren't going to lose business because security people are mad at them or people on hacker news think a certain thing should have happened.
[1] For example more details on the Comcast merger and the back and forth. But Comcast is not in the business serving it's customer base by giving me info that is helpful to me.
I disagree. They do have obligation to tell me how my privacy is being protected. Morally at least. How the passwords and other sensible data are stored should be noted somewhere in the website. This applies to any site, not only kickstarter.
Can you clarify why older passwords were not rehashed to utilize the new scheme? Or are those just passwords of people who haven't logged in since you converted your backend to use scrypt?
Couldn't you hash the old hash with the new one even if they didn't log in? I.e. hash the password with the old SHA-1 first, then bcrypt that. I'm not sure if that would work or not.
In theory you could, but then the code has to support both login procedures forever (hashing once with scrypt or hashing with SHA1 and then scrypt). That's why, if it were me, I'd likely set it up so if someone with a SHA1-hashed password logged in, it first did the SHA1 comparison, and if that succeeded the login process dropped an scrypted version into the DB.
Except that for some people, you only have a SHA1 hash, and for others, you only have an scrypt hash. Since they (I hope) weren't storing the plaintext (pre-hash) passwords alongside the hashed versions, the only time they can change the initial hashing mechanism is when passwords are provided to them during a password change or user login.
(ADJUSTED:) Yes, if when you said "hash the password" you meant the result of what they'd done originally and that was stored in their databe. They don't have a copy of the password until and unless the user logs in again. These are all "one way" or "trapdoor" functions, plaintext -> irreversible cyphertext.
Irreversible in that we think mathematically you can't go back.
Read his comment again. Hash the password to SHA-1 using the old system, then apply bcrypt to it. It's a migration pattern I've seen in practice a few times.
Thanks for your transparency, but can you be more specific about when the switch from SHA-1 to bcrypt occurred?
If it was 6 (or more) months ago, then I think you'll find at least some sympathy here - "break things" sometimes happens after "move fast," and I'm sure we've all put some code in production that, in retrospect, we wish we hadn't. However, your statement is still technically correct if the switch to bcrypt happened late this week (ie, after the breach was made known to Kickstarter), and that worries me.
This is about as reasonable as asking whether they got hacked a year ago, did nothing, and didn't tell anyone. Only now do they tell us that law enforcement informed them. Read between the lines, man. Inhales.
Thank you. I'm always confused if encrypted is PR-people speak for hashed, encrypted, or, worse, "we trust our engineers to do the right thing and encrypted sounds like we did the right thing".
One suspects that sometimes it's the PR people doing their thing, but that's a dangerous path to walk. If you just got caught with your pants down over a security flaw, following up by demonstrating both that you didn't really understand what was going on even after the flaw was discovered and that you were willing to try to cover it up is strikes two and three in one neat package.
Can you update the blog post to remove the wording "encrypted". That is simply incorrect. There is a clear and incredibly important difference between hashing and encrypting, the latter being designed to be reversible.
I'd appreciate a description of the hashing algorithm being added to the blog post, but that's less important.
If you say "encrypted", I read that as "somewhere we have a key that gives the attacker plaintext passwords, they might have that key as well".
This wouldn't be pedantic if we were discussing communications between cryptographers and other technologists, but this is a public notice, and so the point is very pedantic. For all intents and purposes, the password hash or authenticator of a password is its "encryption", in the layperson's sense.
In business the "simplicity abstraction layer" [1] on a product is essentially taking something that was created by hackers for hackers (or engineers) and making it simple for end users "the layperson".
God knows anytime you can make something easy for a layperson and not make them think there is money to be made. They aren't interested in your Liebert fire protection system and diverse path routing.
It never fails to amaze me how highly technical types simply can't think out of that box. And yet they make fun of "sales types" that can actually speak and sell to end users an inferior product.
Do you thoroughly research the scientific, business, legal, medical, philosophical, religious, etc. underpinnings of every article you read? Just because you're knowledgable in this area doesn't mean everybody should be. Using the term "encrypted" rather than "hashed" is perfectly appropriate for a general press release. This is a highly pedantic criticism.
Missing the point. Most of the customers do not know or care what the difference is, will never read any definition or explanation of it, and shouldn't have to. If you try to force your customers to understand this stuff, they'll get confused and annoyed, and go with someone else who can make it clear for them.
Is it possible to "convert" a Kickstart account from a username/password account to a Facebook OAUTH account? I currently connect my Kickstarter account with Facebook, but relied on a username/password for authentication.
Are you updating older password hashes to bcrypt on login? That's the perfect opportunity since you have the users password prior to hashing and comparing.
That said, we're being very public with how we hashed them: older Kickstarter passwords used using SHA-1 digested multiple times. More recent passwords are encrypted with bcrypt.