Hashed and Salted but Still Not Safe: Protected Password Storage

Posted by on May 24, 2013

In April 2013, the popular website LivingSocial was attacked, revealing sensitive consumer information held on the company’s servers. In an email sent by the company to users, LivingSocial acknowledged, “The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords – technically ‘hashed’ and ‘salted’ password.” To further calm customer fears, they added, “We never store passwords in plain text.” While, reassuring on the surface, relying on salted and hashed passwords really doesn’t provide the protections that many companies claim.

Hashing and salting is a basic security standard

Image Courtesy of ReadWrite.com

50 million LivingSocial passwords were stolen, due to inadequate security measures. The company hashed passwords with “SHA1 using a random 40 byte salt”.  This means that LivingSocial’s system encrypted customer passwords through a popular algorithm, transforming plaintext passwords into unique strings of data called a “hash”. Then, to further jumble the encrypted password, the system adds a random mess of characters called a “salt”, which makes the password longer and more complex. The problem with this common method of password “protection” is that the SHA1 is too popular and weak, especially for a company with as large of a consumer database as LivingSocial.

Password hashing

Image courtesy of Filosophy.com

This watered down security measure is simple to exploit. One way hackers could have taken advantage of the breach in LivingSocial’s system is by bruteforcing the password hashed in the company’s database. This involves cycling through characters in each letterset using a hashing algorithm like MD5, until the attackers crack a user’s encrypted password.

To make this process faster, like in the case of the 50 million hacked passwords, attackers use rainbow tables to analyze the data. Rainbow tables contain all possible passwords, so shorter and less complex passwords are the first and easiest ones to crack. While salting and hashing have become the standard method of password encryption, all this really does is make the password longer and more complex. This means that hackers can still crack user passwords, especially when weak algorithms like SHA1 are relied on. The complexity of encrypted passwords just makes the cracking process longer.

Brute forcing

Image courtesy of Filosophy.com

This recent security breach is just one example of a chronic failure in the market to address privacy concerns and adequately protect sensitive user data. Just last year, user credentials from companies like eHarmony, Yahoo, and Formspring were hacked due to gaping security vulnerabilities. Through such examples it is obvious that merely going with the standard route of encrypting passwords by hashing and salting just doesn’t cut it. Recently, the note taking service Evernote was also breached, revealing sensitive data on 50 million users. With just the instances of LivingSocial and Evernote, over 100 millions users have had their personal information seized and exploited in the past year. And a cursory glance at the daily news reveals just how widespread issues of cyber security have become.

50 million Evernote passwords were hacked

Image courtesy of PCGerms.

Consumers that have since taken their online privacy for granted have woken up to the fact that they can’t rely on anyone but themselves to proactively keep their data safe. As a result, a drastic shift in the market is in store as users continue to reward companies that take extra precautionary measures to protect their information. As just about every sector of industry makes the switch to cloud storage and sharing for the sake of cost and convenience, protecting your privacy from attack and exploitation has become more important than ever.

Some simple steps to better encrypt your password can help complicate the cracking process in the event of a breach. One way to help bolster the standard encryption process of hashing and salting is by making a complicated password longer than twelve characters using as many random symbols as possible. When hashed and salted, this extra-complicated password will take much longer to crack, hopefully frustrating potential attackers to the point of moving on to a less difficult encryption.

But even complicated encrypted passwords won’t do much to keep you truly safe. Think of it like putting a simple lock on your car, it’s a stand precautionary measure, but it won’t do much to thwart a truly skilled thief. And in this day and age, just about any hacker with enough time and initiative can take advantage of the security gaps left by only using hashed and salted password encryption. And once a user’s encrypted password hash is cracked, attackers can try to break into other accounts held on other websites, exploiting the common fact that many users still use the same password for multiple sites and services.

True Privacy

Most popular “secure” cloud services are still vulnerable to third party attacks. To truly experience privacy for your individual or business needs, an anonymous cloud storage and sharing service like SpiderOak provides all the benefits of the cloud while protecting against hacking and security breaches.

Users can store and sync sensitive files with 100% privacy, as SpiderOak has “zero-knowledge” of consumer data given the company cannot access the plaintext encryption keys. This means that you and only you have access to your password as SpiderOak employees can never see your plaintext encryption keys (or password). Instead, this data encryption key (or password) is exclusively stored on each user’s computer. This way, every bit of consumer information, right down to the password, is kept private and anonymous.

3 Responses to “Hashed and Salted but Still Not Safe: Protected Password Storage”

  1. Alexi says:

    If hashed and salted passwords are insufficient to protect data, what does SpiderOak use to encrypt our encryption keys?

  2. Daniel B. says:

    Hi Alexi, thanks for the comment! SpiderOak offers two-factor password authentication and 256-bit AES encryption so that user files and passwords stay private. The service has “zero-knowledge” of user data and plaintext encryption keys are only stored on the user’s chosen devices.

  3. […] sites like Living Social and Evernote being hacked and having data stolen many people are hesitant to trust putting information into the cloud, and […]

Leave a Reply