Security doesn't mean Secrecy

You should know how secure your account and your password are.

At Re-read.ca, we take the security of your password to heart.

There are multiple ways to store a password:


In plain text : horrible

The easiest way is just to store your password in plain text, as you typed it.

Pros

We could email you your password.

Cons

If the database is breached, the attacker learns not only your email address but also your password. If you reuse that password elsewhere, those other accounts are exposed too!


Encrypted : minimal security

The password is encrypted with a reversible cipher under a key the site holds, so it can be decrypted again later.

Pros

We could email you your password, and if only the database is stolen (and not the key), your password remains secret.

Cons

If the database AND the encryption key (or the script that holds it) are stolen, everything decrypts at once: the attacker learns not only your email address but also your password. If you reuse that password elsewhere, those other accounts are exposed too!


Hashed : relative security

The password is run through a one-way hash function such as MD5, SHA-1 or SHA-256, and only the hash is stored. Hashing is often loosely called "encryption", but there is no key and nothing to decrypt: we check your password by hashing what you type and comparing the result.

Pros

The hash cannot, in theory, be reversed, so if the database is stolen your password should, still in theory, be safe.

Cons

Sadly, an attacker does not need to reverse anything; they only need to guess. MD5, SHA-1 and SHA-256 are designed to be fast, so a modern GPU tries billions of candidates per second, and a precomputed table of common passwords and their hashes cracks every account that uses one of those passwords with a single lookup. Many hashes fall in minutes.


Hashed and Salted : better security

The password is hashed as above, but a random value unique to your account (the salt) is combined with your password before hashing. Two users with the same password therefore get different hashes, and a table of precomputed hashes no longer matches anything.

Pros

Precomputed tables are useless and the attacker must work on each account separately, so if the database is stolen your password should, still in theory, be safe.

Cons

Sadly, the salt is stored next to the hash (it has to be, or we could not check your password), so the attacker always knows it. The salt only forces a separate attack per account; each guess is still a single fast hash, so billions of guesses per second against any one account remain possible, and a weak or reused password is still found quickly.
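The following is an added example, not code from Re-read.ca, showing the difference the two sections above describe. It uses a constructed five-word list and three constructed accounts (two of them reusing "hunter2"): against plain SHA-256 one precomputed table cracks every reused password with a dictionary lookup, while against salted hashes the same attacker, who has the salts because they sit beside the hashes, must re-hash every candidate for every account. The salt still does not save the weak passwords; it only multiplies the work by the number of accounts.

```python
import hashlib
import os

# Constructed sample data (not from the original page): a tiny wordlist of the
# kind an attacker feeds to a cracker, and three accounts, two of which reuse
# the same weak password.
WORDLIST = ["password", "123456", "letmein", "qwerty", "hunter2"]
ACCOUNTS = {"alice": "hunter2", "bob": "hunter2", "carol": "Tr0ub4dor&3"}


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: same password, same hash, on every site."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """SHA-256 over salt || password. The salt is random per account and is
    stored next to the hash, so the verifier (and any attacker) has it."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist):
    """Precompute hash -> password once; reusable against every unsalted
    database in the world (a simplified rainbow table)."""
    return {unsalted_hash(w): w for w in wordlist}


def crack_unsalted(records, table):
    """records: {user: hash}. One dictionary lookup per account, no hashing."""
    return {user: table[h] for user, h in records.items() if h in table}


def crack_salted(records, wordlist):
    """records: {user: (salt, hash)}. The table is useless; every candidate
    must be re-hashed with each account's own salt. Returns (found, hashes_done)."""
    found, hashes_done = {}, 0
    for user, (salt, h) in records.items():
        for candidate in wordlist:
            hashes_done += 1
            if salted_hash(candidate, salt) == h:
                found[user] = candidate
                break
    return found, hashes_done


def demo():
    unsalted_db = {u: unsalted_hash(p) for u, p in ACCOUNTS.items()}
    salted_db = {}
    for u, p in ACCOUNTS.items():
        salt = os.urandom(16)
        salted_db[u] = (salt, salted_hash(p, salt))

    # Unsalted: alice and bob share a hash, and both fall to one lookup each.
    same_hash = unsalted_db["alice"] == unsalted_db["bob"]
    found_unsalted = crack_unsalted(unsalted_db, build_lookup_table(WORDLIST))

    # Salted: identical passwords give different hashes; the attacker still
    # finds the weak ones, but only by hashing candidates per account.
    different_hash = salted_db["alice"][1] != salted_db["bob"][1]
    found_salted, hashes_done = crack_salted(salted_db, WORDLIST)
    return {
        "unsalted_same_hash": same_hash,
        "cracked_unsalted": found_unsalted,
        "salted_different_hash": different_hash,
        "cracked_salted": found_salted,
        "salted_hashes_done": hashes_done,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the five-word list the salted attack costs 15 hash computations (five per account) instead of three lookups; with a real wordlist and a real GPU, both "hunter2" accounts still fall in well under a second, which is why the next section adds a deliberately slow function on top of the salt.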


PBKDF2 with SHA-256 and over 20,000 iterations: Serious Security

This method, PBKDF2 (Password-Based Key Derivation Function 2, specified in RFC 8018), which you can read about online, applies a strong keyed hash (HMAC-SHA256) more than 20,000 times. The password is the HMAC key in every round; the first round hashes the salt, every following round hashes the previous round's output, and all the round outputs are XORed together to produce the final value. The point of the high iteration count is that each guess costs an attacker the same 20,000+ hash computations it costs us, so a brute-force search is slowed by that factor.
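To make the round structure concrete, here is PBKDF2-HMAC-SHA256 written out step by step, checked against Python's own hashlib implementation. This is an added example, not Re-read.ca's code; the inputs are constructed.

```python
import hashlib
import hmac
import struct
import time


def pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """PBKDF2 (RFC 8018, section 5.2) with HMAC-SHA256 as the PRF, round by round.

    For each 32-byte output block i:
      U_1 = HMAC(password, salt || INT_32BE(i))
      U_j = HMAC(password, U_{j-1})              for j = 2 .. iterations
      T_i = U_1 xor U_2 xor ... xor U_iterations
    The password is the HMAC *key* in every round; the salt appears only in
    round 1, and each later round hashes the previous round's output.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    hlen = hashlib.sha256().digest_size  # 32 bytes per block
    nblocks = -(-dklen // hlen)           # ceiling division
    output = b""
    for block_index in range(1, nblocks + 1):
        u = hmac.new(password, salt + struct.pack(">I", block_index), hashlib.sha256).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            t ^= int.from_bytes(u, "big")
        output += t.to_bytes(hlen, "big")
    return output[:dklen]


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bool:
    """Check the hand-written version against hashlib's C implementation."""
    expected = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)
    return pbkdf2_hmac_sha256(password, salt, iterations, dklen) == expected


def time_iterations(password: bytes, salt: bytes, iterations: int) -> float:
    """Seconds one derivation takes at this iteration count (using hashlib);
    an attacker pays this for every single guess."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    pw, salt = b"correct horse battery staple", b"constructed-salt"
    print("matches hashlib:", matches_stdlib(pw, salt, 20_000))
    for n in (1, 1_000, 20_000):
        print(f"{n:>6} iterations: {time_iterations(pw, salt, n):.4f} s per guess")
```

The timing loop shows the cost growing linearly with the iteration count; that linear factor, not any secrecy, is what the 20,000 buys.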

At Re-read.ca, instead of passing your password directly to PBKDF2, we take the hash of:

. We then pass that result to PBKDF2 with more than 20,000 iterations, with an initial random salt calculated with:

Your initial random salt, the number of iterations and the resulting hash are stored in the database, but without the 2 strings and a lot of processing power, it is practically impossible to recover your password from them.

To make matters worse for an attacker, we also add a delay to login processing, so that an online brute-force attempt against the login form is seriously slowed. That delay only helps against guessing through the site; an attacker who has stolen the database runs the hash offline, which is where the iteration count does its work.

Pros

Not only is the hashing more secure, but we can easily increase the iteration count: because we see your actual password when you log in, it is recalculated to the higher security level the next time you log in.

Cons

It is slower to log in and to change your password. But a few seconds for added security is, we believe, worth it.
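The "recalculated on your next login" upgrade from the Pros above works because the iteration count is stored beside the salt and hash. The following is an added example of that mechanism, not Re-read.ca's own code: it assumes a record format of algorithm$iterations$salt$hash, a current policy of 20,000 iterations, and 16-byte salts, and it skips the site's pre-hashing step since those two strings are not shown on the page.

```python
import hashlib
import hmac
import os

# Assumed policy values for this example (the page only says "over 20,000").
CURRENT_ITERATIONS = 20_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.
    Storing the iteration count with the hash is what lets us raise it later."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def parse_record(stored: str):
    algorithm, iterations, salt_hex, dk_hex = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record format: {algorithm}")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)


def verify_password(password: str, stored: str) -> bool:
    iterations, salt, expected = parse_record(stored)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(dk, expected)


def needs_upgrade(stored: str) -> bool:
    iterations, _, _ = parse_record(stored)
    return iterations < CURRENT_ITERATIONS


def login(password: str, stored: str):
    """Return (ok, record_to_store). The cleartext password is only in hand
    at login, so that is the one moment a stale record can be re-hashed."""
    if not verify_password(password, stored):
        return False, stored
    if needs_upgrade(stored):
        return True, hash_password(password)
    return True, stored


if __name__ == "__main__":
    # Constructed scenario: a record created back when the policy was 5,000.
    old_record = hash_password("correct horse battery staple", iterations=5_000)
    print("stale:", needs_upgrade(old_record))
    ok, new_record = login("correct horse battery staple", old_record)
    print("login ok:", ok, "| upgraded:", not needs_upgrade(new_record))
    print("wrong password:", login("wrong", old_record)[0])
```

A failed login returns the old record unchanged, so an attacker guessing at the form can never trigger a re-hash; only a correct password moves the account to the current policy.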