Showing posts from May, 2011

The saga of plain text password

Recently, one of the major Indian payment gateways, CCAvenue, was reported to have been hacked. Medianama has good coverage of it, including an interview with the very bureaucratic-sounding CEO of the company. While a payment gateway getting hacked is big news, the bigger revelation was the clear-text passwords that came out of the compromised database. There have been a lot of comments and discussions about this all over the startup blogs. Reading through those comments, it appeared to me that there is a lot of confusion regarding passwords and how to securely store and transmit them. Saurabh Nanda has a good little primer about things to read. This is my attempt to clarify some of the things involved.

First, a few basics. Any situation that involves passwords has two parties, and the aim is to establish identity between them. For simplicity, we will assume that it is the user who wants to establish his identity with the service. A login/password system works on the basis of a sh
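To make the point about clear-text storage concrete, here is an added example (my own code, not from the original post and not CCAvenue's implementation). It contrasts a table that stores the password itself with one that stores only a per-user salt and a PBKDF2-HMAC-SHA256 digest, and shows what a dump of each table reveals. The iteration count and the dict-based "database" are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Assumption: a work factor in line with current PBKDF2-HMAC-SHA256 guidance.
PBKDF2_ITERATIONS = 600_000


def store_plaintext(db, username, password):
    """The pattern behind the CCAvenue story: the table holds the password itself."""
    db[username] = {"password": password}


def store_hashed(db, username, password):
    """Store a random salt plus a slow, salted digest instead of the password."""
    salt = os.urandom(16)  # fresh per user, so equal passwords give different digests
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    db[username] = {
        "salt": salt.hex(),
        "hash": digest.hex(),
        "iterations": PBKDF2_ITERATIONS,
    }


def verify_hashed(db, username, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    record = db.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time
        # does not reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate.hex(), record["hash"])


def leaked_passwords(db):
    """What someone who dumps the table learns directly, without any further work."""
    return {user: rec["password"] for user, rec in db.items() if "password" in rec}


if __name__ == "__main__":
    # Constructed sample users; not real accounts.
    clear_db, hashed_db = {}, {}
    store_plaintext(clear_db, "alice", "hunter2")
    store_hashed(hashed_db, "alice", "hunter2")
    store_hashed(hashed_db, "bob", "hunter2")
    print("dump of clear-text table:", leaked_passwords(clear_db))
    print("dump of hashed table:", leaked_passwords(hashed_db))
    print("same password, different digests:",
          hashed_db["alice"]["hash"] != hashed_db["bob"]["hash"])
    print("login alice/hunter2:", verify_hashed(hashed_db, "alice", "hunter2"))
    print("login alice/wrong:", verify_hashed(hashed_db, "alice", "wrong"))
```

The second table tells a database thief nothing on its own; each guess has to be run through the same slow derivation, and the per-user salt means a guess cannot be reused across accounts.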