Improving Password Security

Posted by Alec Muffett on

Passwords are a pivotal tool in customer account security, however they are frequently at risk from “reuse” - people choose one or two passwords and then use them everywhere, which brings a host of security problems…

We want our customers to be safe online, and we — specifically the Deliveroo Infrastructure Security team — want to better protect our customers’ accounts. Technically, we’re starting from a good place: our passwords are hashed using the bcrypt algorithm, a robust and industry-standard password hash. The Rails default for bcrypt is to run at strength 10, meaning 210 = 1024 rounds of hashing, a reasonable work factor for a modern password hash.

However, not everything in the world is under our control.

Sometimes customers reuse their passwords at other sites, and sometimes those sites do not store their passwords under a robust password hashing algorithm. Worse, sometimes those sites get “popped” — bad people hack into them and exfiltrate password data, often sharing their findings with the world through pastebin sites and bulletin-boards.

These actions put at risk any site where the owner has reused the same login name and password.

There are excellent free tools which our customers may use to help discover if they are at risk — for instance Troy Hunt’s Have I Been Pwned? website; and we recommend use of such tools as an aid to password security.

But we want to be more proactive.

Therefore, from today, we will be informing our customers when we determine that the password which they use for Deliveroo is publicly known in some way. We will contact the impacted customers to request that they change their password, and advise that they also change that password at other sites where it is also used.

Security suffers from an element of collective responsibility; it’s not fair that a security failure at one site should compromise the credentials of another site, but it happens. Until we can mitigate the problem of credential reuse more thoroughly, this is one step which we at Deliveroo can take to help make everyone a little more secure.

(press queries to press@deliveroo.co.uk, please)

About Alec Muffett

A picture of Alec Muffett

Alec has almost 30 years of working in cryptography, host & network security. Amazingly he is not yet sick of it.