Last week was a terrible week for password breaches. First LinkedIn revealed that about 6.5 million of its password hashes had been posted online. Hot on its heels came news that the online dating site eHarmony and the streaming music service Last.fm had suffered similar breaches.
Are these breaches a surprise? Not really. Websites entice customers by offering compelling features and services, and customers are rarely willing or able to compare the security properties of competing services. Even if a website uses SSL to protect a password in transit, the password will typically be exposed on Web servers and data center networks every time it’s supplied by the user before it is hashed for comparison.
Attackers often need only compromise an edge-of-network Web server with some malware to capture every password as it is submitted, or to copy the stored password hashes. They may deliberately target what they perceive to be lower-security social media services, knowing that the same password may grant access to higher-value services such as retail or banking. Banks have known this for a long time; it is why they prompt for selected characters rather than the whole password and rely on a range of security questions or one-time password (OTP) tokens.
It gets worse. "Hashing" a password means transforming the plaintext into a fixed-length digest from which the original cannot feasibly be recovered. It is intended to be a one-way process, which is exactly what you want when storing passwords: instead of keeping a user's actual password, you store the hash and recompute it at login to check whether the correct password was supplied. Some websites originally used the legacy MD5 algorithm to protect passwords, but advances in cryptanalysis and computing power make it necessary to move to newer, stronger algorithms over time. Many have considered MD5 compromised for around a decade, yet not every website has upgraded even to SHA-1. Nor does SHA-1 on its own solve the problem: like MD5 it is designed to be fast, so a leaked table of unsalted SHA-1 hashes can be tested against billions of candidate passwords per second on commodity hardware. Password storage calls for a deliberately slow, salted construction such as bcrypt, scrypt or PBKDF2 rather than a bare general-purpose hash.
Even a stronger algorithm alone is not enough. "Salting" means combining the password with a random, per-user value before hashing, so that two users with the same password end up with different hashes, precomputed lookup tables become useless, and an attacker has to crack each account separately. Unfortunately some of the breached services (and doubtless many others) have not employed this technique.
Websites may upgrade the security of weakly hashed passwords by storing a freshly hashed password the next time each user logs in, since that is the only moment the plaintext is available to the server. While this is good practice, special care is still required to ensure that every copy of the weakly hashed password, including those in backups, database replicas and logs, is securely erased; otherwise the old hash remains just as crackable as before.
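The following Python example is added here to make the three points above concrete; it is not code from the original article or from any of the services it names. It shows why an unsalted, fast hash falls to a simple lookup table, how a salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library) removes that shortcut, and how a login routine can upgrade a legacy record the moment the correct password is seen. The wordlist, the user table, the `sha1$` and `pbkdf2_sha256$` record formats and the iteration count are all constructed for this example. Erasing stale copies of the old hash from backups and replicas is outside what any such code can do and still has to be handled operationally.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist for the example (not real breach data).
WORDLIST = ["password", "123456", "linkedin", "letmein", "qwerty"]


def legacy_hash(password):
    """Unsalted SHA-1 hex digest: fast and deterministic, so a table built
    once from a wordlist cracks every account that chose a listed password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked_hashes, wordlist=WORDLIST):
    """Reverse an unsalted hash dump with a precomputed table.
    Returns {hash: password} for every hash present in the table."""
    table = {legacy_hash(w): w for w in wordlist}
    return {h: table[h] for h in leaked_hashes if h in table}


# Hypothetical work factor; in practice tune it to tens of milliseconds
# per verification on the authentication server.
ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Salted, iterated hash. The record format
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' is a convention
    chosen for this example so the verifier can recover its parameters."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the comparison itself leaks nothing about the digest."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def login(users, username, password):
    """Check a password against whichever record format the user has and
    upgrade a legacy 'sha1$' record to the salted scheme on success.
    Returns True for a correct password, False otherwise."""
    stored = users.get(username)
    if stored is None:
        return False
    if stored.startswith("sha1$"):
        if not hmac.compare_digest(legacy_hash(password), stored[len("sha1$"):]):
            return False
        # The correct plaintext is in hand right now: replace the weak record.
        users[username] = hash_password(password)
        return True
    return verify_password(password, stored)


if __name__ == "__main__":
    # Constructed "leaked" dump: one weak password, one not in the wordlist.
    leaked = [legacy_hash("letmein"), legacy_hash("correct horse battery")]
    print("cracked from unsalted dump:", crack_unsalted(leaked))

    users = {"alice": "sha1$" + legacy_hash("letmein")}
    print("login with wrong password:", login(users, "alice", "wrong"))
    print("login with right password:", login(users, "alice", "letmein"))
    print("record after upgrade:", users["alice"][:30], "...")
```

Running the block cracks only the wordlist password from the constructed dump, rejects the wrong password without touching the legacy record, and rewrites Alice's record to the salted form on her first successful login. Two calls to `hash_password` with the same password yield different records because each draws its own salt.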
Techniques to improve security can include:
As we move toward smartphones and tablets, where apps store credentials on behalf of users, we all use our passwords less often: perhaps only to authorize higher-value transactions or to enroll new devices.
But in a world where the relationship between customers and service providers is increasingly spontaneous, passwords will remain the convenient catch-all credential until identity federation becomes ubiquitous. It is time for all of us to think much more carefully about how we protect both our own passwords and those of the users we serve.