As I posted yesterday, eBay has been hacked and has lost a lot of data containing usernames and passwords and that got me thinking about how they're storing the passwords.
In their post about what had happened they said "Because your password is encrypted (even we don't know what it is) we believe your eBay account is secure" and that puzzled me because encryption is a two way thing - if something is encrypted it can be decrypted (providing the relevant encryption keys and/or passphrase is available).
Now what they might have meant is "Because your password is salted and hashed" and that would explain why they don't know what it is but as a description to the general public - it probably means nothing.
So I thought it would be a good idea to explain what that means as it would help anyone who has a website that stores passwords understand what they should be doing.
Let's deal with hashing first. A hash is a "one way function" which means we can put a word through the hash and it will turn into something else but there is no way to reverse the hash and get the word back. Equally, a hash function will always output a fixed length string so it wouldn't matter how long your password is.
There are a few common hash functions by far the most common is MD5 so taking the dictionary word "password" and running it through an MD5 function will return 5f4dcc3b5aa765d61d8327deb882cf99 but changing the letter "p" to a capital so that we use "Password" gives us a totally different hash of dc647eb65e6711e155375218212b3964.
The problem here is that if I Google for either of those hashes I will immediately find a website that has a list of millions of MD5 hashes and they know which words caused that hash to be generated so as a security mechanism that's no good as a way to protect passwords.
This is where salts come in. A cryptographic salt is where we add some random data to the password we want to hash. Each password should have a different salt and that means that the resulting hash will be different. So, if we added the users first name to the password it might be that we then have "Simonpassword" and "Clarepassword" which would result in completely different hashes even if the two users had the same password.
By combining these two simple techniques it is possible to make passwords a lot safer even in the event that the database is compromised. I'd like to say at this point that we don't use the user's first name as a salt and we go quite a lot further in terms of protecting the passwords but this is the minimum that anyone should be doing.
So if you're talking to a web developer about your website that stores passwords you should ask them if it uses salted and hashed passwords. If they say "no, it stores the passwords in plain text" you should beat them to death with a house brick!
Plenty of things inspire, interest or annoy me - I thought I'd write about some of them!
No comments:
Post a Comment