What All Management Teams Should Know About How Passwords are Stored
November 7, 2017
Understanding How Your Passwords are Secured
Cybersecurity can be a scary word for many because only recently has it been something that most of us have been forced to consider as a threat to us and our businesses. We've just assumed that our personal data was being secured by the companies we were passing it off to online. The massive breaches that have occurred lately including the infamous Equifax breach, have made us all open our eyes to the reality that cybersecurity preparedness needs to be an integral piece to our business operations. Yet many of us still don't understand the basics of how our passwords are encrypted, making it difficult to determine whether a website you are doing business with online or your own company's website is taking best practices to ensure passwords are safe. In this article, I will walk through how passwords are protected today including what you need to know to ensure your business or the websites you do business with online aren't ignoring best practices as was the case with Equifax.
How are my passwords encrypted? (aka: Hashed)
Today passwords are encrypted using what is called a hash. Hashing performs a one-way transformation on a password, turning the password into another string, called the hashed password. Let's walk through an example to illustrate further. You go to a website and enter your username and password. Your password is then sent to the website's server where a hash is performed and your password is converted into a random string of characters.
That hash is then stored on the website's server and when you come back the next time to login, it matches the password you enter with the hashed string of characters sitting on the server and lets you in.
If my password is encrypted, how do the hackers crack it?
Let's start with how hackers are able to gain access to the password database in the first place. Remember above when we said that the hashes are stored on the website's server? This is where the main problem lies. Hashes are designed to be small, usually 32-64 bytes each. Yet websites are designed for speed and usability. Thus, the website has to have a big front door (lots of bandwidth) to login users rapidly and for them to navigate the site with speed. But because of this, it makes it easy for hackers to move that small password database across the network very quickly and then out that large front door without being noticed.
Now that the hackers have the database, how is it that they crack my encrypted password (aka my hash)?
Once the hackers have the password database on their own computers where they aren’t being monitored, they have all the time in the world to crack them. To do this, they perform what is called an offline attack or dictionary attack. A dictionary attack is trying thousands or sometimes millions per second of likely possibilities of words in a dictionary such as popular names and places combined with numbers and characters. These types of attacks used to be time consuming for the hackers. However, today because computational power has evolved so much, what used to take 9 months to crack in 1982 today only takes three hours. Thus, it’s only a matter of time before they crack a password. While they may only be able to crack one password of your entire database, you will never know how many they actually cracked or which passwords were cracked and thus must notify all clients of a breach and reset all passwords.
Aren't there different hashing methods that make passwords more secure and harder to crack?
The answer is yes! There are a number of different hashing algorithms available on the market. However, other than BlindHash, they are all legacy hashing methods that don't scale with increased security. Industry best practice has been to secure passwords by performing multiple iterations of the hash. While this does increase the security, it also increases the cost and creates a latency for users logging in. Thus, your company is paying a premium price and your users are getting annoyed. The bottom line is that no matter how complex the hashing algorithm or how many iterations are performed, a stored hash can still be cracked.
So what is my best option?
With breaches in the news everyday, it’s no longer an option to stay complacent and just hope you don’t get breached. The threat and cost of having to send out that dreaded notification that your users' data has been stolen, is enough alone to make you want to follow best cyber practices.
The good news is now with BlindHash, you have an affordable and secure option to secure your passwords. Our patented technology allows you the peace of mind to know that your passwords are secure and you aren’t breaking the bank ramping up your computational resources. If you don’t believe us, take MITRE’s word for it as they recently reviewed our technology and stated our tech is “A perfectly Secure Password Scheme." The best part is, it’s extremely affordable, starting at just $50/month. I’m betting right now you are thinking what many others have, this is a no brainer.