IT Security: Recent Breaches Raise Questions About Hashed Passwords
Businesses that maintain any sort of online accounts for their customers or other interested parties must eventually confront the issue of password encryption. In recent months, major breaches at several high-profile online sites have caused many to wonder over the effectiveness of using hashed passwords. LinkedIn was perhaps the most well-known site to have its password hashing compromised, but other major online businesses such as eHarmony and Last.fm have experienced similar problems.
All the companies have seen hackers gain unauthorized access to a portion of the hashed passwords in use on their sites. The hackers have then posted the hashed passwords on forums that specialize in promulgating ‘underground’ material. The problem of password security, however, is not limited to large companies. Any small business that allows users to sign in, to keep the contents of a shopping cart active, for example, has good reason to take a close look at how hashed passwords work and how such systems can potentially be improved.
What is Password Hashing?
A hashed password is one that has been converted into an alternate string of characters. This alternate string is of a fixed length, typically far longer than the original password that was entered. In order to generate a hashed password, the original text input by the user is run through a complex algorithm, or set of instructions. In essence, the algorithm is converting the original password into a coded version of itself.
IT companies supply authentication software like password hashing as a security method because it is highly unlikely that any other text string will produce the same ‘hashed version’. Storing the hashed version also means that the user's actual password is not located on site; this creates a more secure situation. In order to authenticate users, any new password input is run through the hash algorithm and compared to the stored hashed password. Only a perfect match will make the system regard the password as correct.
When hashed passwords are released on underground hacker forums, it can give the hacking community a way to attempt reverse engineering on these cryptographic results. The end game, of course, is for hackers to work backwards to determine actual user passwords.
Businesses that use password hashing or any other type of encryption to secure user passwords must also take steps to keep the encrypted versions secure from hackers. One of the best ways to do this is to work closely with an IT consulting firm with experience in online security. To begin this process, simply request a consultation.