Protecting passwords from hackers

Q&A with IT security expert Mark Knight


SIW: How can techniques like password hashing be utilized to protect online data?

Knight: Hashing is the term that is used to describe the process of taking something like a password, and it’s meant to be a one-way operation: taking that password and converting it through a mathematical operation into another series of bytes or data that is derived from that password. And if I were to repeatedly perform that mathematical operation on the password every time I do it – so if my password is “Fred” and I call a hash function with the data “Fred,” I will get a string of unique characters, and every time I call that hash function that string of unique characters will be the same, so it’s a repeatable operation. Maybe I hash the word “Fred” and I end up with the random number 1234. Now the point of a hash is every time I hash “Fred” I would end up with the same number 1234, but it’s a one-way operation, so if I then as an attacker obtain that data 1234, there is no way for me to work backwards to the password, and that’s the goal of the hash. It’s a one-way fingerprint to allow you to convert a password into a unique representation of that password that is less sensitive from a security perspective. The idea is, the user needs to remember their password, but as a service provider I don’t want to have a copy of their password. All I want to store is a copy of the hashed password… and every time the user logs on, what I do is I repeat the process of hashing the password they supplied and I then compare the hash I’ve just generated with the one I’ve stored in my database. Essentially, it gives you the situation where, as a service provider, I’m not having to worry quite so much about an attacker stealing that hash, because if an attacker is able to break into that web service and somehow break into the database and steal that hash, then really that value is of less use to an attacker.

SIW: What’s the difference between password hashing and password encryption?

Knight: The difference between hashing and encryption is hashing is a one-way operation. So, I can hash “Fred” to 1234. If I have 1234 I cannot get back to “Fred”; all I can do is repeat the hashing operation and see if the new hash I get matches the one I previously stored. With encryption it’s a reversible operation. So, typically you’re using it to encrypt data that you need to be able to recover and get back to the original plain text data. The difference is as simple as that. Hashing is used particularly for passwords because as a service provider you never need to decrypt or get back to the password. You can rely on the fact that the user will present that password every time they log in to your website and all you have to do is see if that password matches. Encryption is far more useful for things like email addresses. You want to store an email address, maybe you want to protect that data so that it’s harder for an attacker to steal it, but you need a reversible operation because you need to be able to get back to the email address.
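The register-and-login flow Knight describes in the two answers above, written out as an added example that is not part of the interview: the service stores only a hash, and at login it repeats the hash on the supplied password and compares. The interview names no algorithm, so the use of salted PBKDF2-HMAC-SHA256 and the `algorithm$iterations$salt$digest` record format are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters: a slow, salted key-derivation function used as the
# password hash. The interview does not specify an algorithm.
ITERATIONS = 600_000
HASH_NAME = "sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_<hash>$<iterations>$<salt>$<digest>'.

    The digest is derived from the password plus a per-user random salt, so the
    service provider never stores the password itself, only its fingerprint.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Login step: repeat the hash on the supplied password and compare."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    hash_name = algorithm[len("pbkdf2_"):]
    recomputed = hashlib.pbkdf2_hmac(
        hash_name, candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def demo() -> dict:
    """Constructed walk-through: a user registers with "Fred", then logs in."""
    stored = hash_password("Fred")  # this record is what goes in the database
    same_salt = bytes.fromhex(stored.split("$")[2])
    return {
        "repeatable": hash_password("Fred", same_salt) == stored,  # same input, same hash
        "correct_login": verify_password("Fred", stored),
        "wrong_login": verify_password("fred", stored),
        "salt_differs": hash_password("Fred") != stored,  # fresh salt, different record
    }


if __name__ == "__main__":
    print(demo())
```

Because the hash is one-way, a copy of the stored record lets a thief only repeat the hashing step and compare, which the slow iteration count and the per-user salt make expensive to do at scale.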

SIW: Despite some of the highly publicized data breaches that we’ve seen in recent weeks, what do you see as some of the bigger threats looming in cyberspace?

Knight: For me, one of the big threats is for every attack that’s discovered and published, how many attacks have gone unnoticed? We saw some very high profile breaches last year, such as the DigiNotar breach of a Dutch certificate authority where actually it took weeks or months for that attack to be publicized and the organization to discover what happened.

SIW: How do you combat groups such as “Anonymous” whose members, for a variety of reasons, have dedicated themselves to breaking into and exposing corporate, as well as government information?