Have you ever tried to recover the password to a web-based service and all you received via email was a temporary password or a link with instructions to reset the password? If that happened, then this is a good sign, because it means that the service doesn’t store your password in a vulnerable database and uses what is called ‘password hashing’ instead.
What Is Password Hashing?
When you sign up for any new internet-based service you are giving information to the service provider by filling out the sign-up form. This information is stored in a database, and contains usernames, passwords, and other important information so that the next time you log in everything is the same as where you left off.
This database poses a security threat, however, since it stores some sort of information necessary to verify the legitimacy of the user logging in. If it stores the actual password, then a hacker who gains access to the database would be able to steal the passwords associated with usernames and sell them on the dark web. You don’t have to look too far back in time to find information on leaks of millions of users.
This is where hashing comes into the picture. Hashing is a one-way algorithm that takes any amount of data and turns it into fixed-length data. In cryptography, this means the password that you create isn’t stored in plain text and therefore readable by hackers that access the database; instead it’s a string of information that just looks like gibberish. This nonsense string of data is the result of an algorithm that will always generate the same result if the same data is introduced. The catch is that the hackers cannot reverse engineer the password if they get hold of the hash, except when a weak hashing algorithm is used – which we will touch on shortly.
So what does hashing look like? For example, if your password is “bestreviews1” a hashing algorithm will generate a string like this: “2ab96390c5dbe1437de54d0c6b1b1669”. This is the information that is stored in the database.
When you try to log in again and type in the correct password, the hashing algorithm comes into action and generates the same string, at which point the server compares the two values, finds a match, and lets you log in. If you mistyped the password and used, for example, “bestreviews2” then you’ll get a different result, “726ad07bc398392b46a52e3de8993687”, which is a completely different string despite the closeness of the two passwords. Since the server won’t find a match when it compares the two results, it won’t let you into the account.
Different Types of Hashing Algorithms
Hashing isn’t a new concept. It has been around for a while, with some algorithms having withstood the test of time and some carrying nasty vulnerabilities. The best-known hashing algorithms are:
- MD-5: Designed by Ronald Rivest and released in 1992, MD-5 is widely used but it isn’t a secure algorithm as it is prone to collisions and length extension attacks.
- SHA-1: This is also prone to length extension attacks and hasn’t been approved for most cryptographic uses since 2010.
- SHA-2: A family of two novel hash functions known as SHA-256 and SHA-512. The SHA-2 family is prone to length extension attacks.
- SHA-3: The latest member of the SHA family is SHA-3, released by NIST in 2015. SHA-3 is internally different from the MD-5-like structure of SHA-1 and SHA-2.
How to Know How Severe a Data Leak Was
Every data leak is bad because it exposes user information. However, a data leak’s severity depends on the cryptographic hash algorithm (if any) that is used to secure user data. Given the weaknesses of legacy hashing algorithms, service providers looking to secure their users’ data need to upgrade to a more secure algorithm such as PBKDF2, bcrypt, or scrypt.
To secure the gateway to the vault where all your sensitive data is stored, password managers such as 1Password use PBKDF2-HMAC-SHA256 with 100,000 iterations. This will result in 32 bytes of data, which will be combined with the result of processing your Secret Key.
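As an added example (not code from this article or from 1Password), here is how a service could store and check a password with PBKDF2-HMAC-SHA256 using the 100,000 iterations and 32-byte output mentioned above. It goes one step beyond the article by adding a random per-user salt, and the record layout and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 100_000  # iteration count quoted in the article
KEY_LEN = 32          # 32 bytes of derived data, as in the article
SALT_LEN = 16         # assumption: per-user random salt (not described in the article)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record: algorithm$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_LEN
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt,
            int(iterations), dklen=len(expected),
        )
    except (ValueError, OverflowError):
        return False  # malformed or tampered record: fail closed
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample passwords, taken from the article's own example.
    stored = hash_password("bestreviews1")
    print(stored)
    print(verify_password("bestreviews1", stored))  # correct password
    print(verify_password("bestreviews2", stored))  # one character off
```

Because the salt is random, two users who pick the same password get different stored records, so one cracked hash does not reveal the others.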
So what’s the takeaway of all this? Simply put: if password hashing such as PBKDF2, SHA-3, or bcrypt was used and the hackers did steal your data, you still have time to change the password before it is successfully cracked using various techniques. That, of course, is if you act fast. If hashing was not used then, simply put, you are screwed: start changing your passwords everywhere.