A sobering bucket of cold water recently got dumped on our faith in passwords. You see, some unsuspecting celebrities recently had their cloud storage accounts hacked. Insecure passwords were part of the reason for such a scandalous breach in security.
Authentication methods based on technology like biometric scanners and smartcards are on the rise, but user credentials like usernames and passwords still remain the easiest and most cost-efficient option. The username is usually known and not particularly discreet, while the password is secret. How well that secret is kept is what makes a password secure or not. To improve IT planning, we look at some tips for better password use.
When storing a password in a database alongside the username, the password should not be directly readable in plain text. Authentication works by comparing the password supplied at login to the value already stored. If they match, access is granted. The Information Commissioner’s Office (ICO) suggests there are various ways of storing passwords in an illegible form, with varying degrees of effectiveness, namely encrypting, hashing and salting:
It seems traditional password conventions have reached their shelf life – partly because computing power has escalated significantly, and partly because of misconceptions about passwords themselves. An exhaustive cycle of tests recently performed by Ars Technica illustrated that with nominal computing power, hashed passwords containing fewer than six characters are cracked within a day – if not within minutes.
The problem isn’t that hashing doesn’t work; it’s the quality of the algorithm and also the quality of the password itself. The older MD5 and SHA1 algorithms, still widely used, were designed to compute hashes quickly with minimal computing power. Because these algorithms have no built-in salting, it is that much easier for an attacker to crack passwords hashed in this way. MD5 is no longer endorsed by the ICO, and the National Institute of Standards and Technology (NIST) also no longer endorses SHA1 as a suitable password hashing function.
Simply put, the process of cracking hashed passwords using a dictionary attack involves taking combinations of ninety-five characters (twenty-six lowercase letters, twenty-six uppercase letters, ten digits and thirty-three symbols), hashing them, and then comparing the result to a dictionary of other hashed words. This differs from a standard brute-force attack, where permutations of a possible password are systematically checked until the right one is found.
If a fast hashing method like MD5 is used, for example, a dictionary of one billion words can be searched through eight times per second, as reported by Wired.co.uk. If a match is found in the dictionary, the crack is successful. An attacker could crack a password of up to six digits in two minutes and thirty-two seconds (tested on a PC with a single Radeon 6970 GPU). This method is much faster than using a brute-force attack against longer passwords.
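The two storage schemes the article contrasts, as an added example that is not part of the original post: an unsalted fast hash (MD5) beside a salted, deliberately slow hash. PBKDF2-HMAC-SHA256 is used here as the slow, salted scheme (the article does not name one; it is an assumption of this example), the iteration count is an illustrative value, and the user list is constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Illustrative work factor (assumed, not from the article); tune upward until a
# login costs tens of milliseconds on the hardware that will run it.
PBKDF2_ITERATIONS = 200_000


def unsalted_md5(password: str) -> str:
    """The weak scheme the article warns against: fast and deterministic, so
    two users with the same password store the same value and a precomputed
    dictionary of hashed words applies to every account at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store as 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    A fresh 16-byte random salt per user defeats shared dictionaries, and the
    iteration count makes each guess expensive for an attacker."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute from the stored salt and iteration count, then compare in
    constant time so response timing does not reveal how much matched."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never authenticate on it
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def compare_schemes(users: Dict[str, str]) -> Dict[str, int]:
    """Count how many distinct stored values each scheme yields for the given
    users; shared passwords collapse to one value under unsalted MD5 only."""
    md5_values = {unsalted_md5(p) for p in users.values()}
    salted_values = {hash_password(p) for p in users.values()}
    return {"md5_distinct": len(md5_values), "salted_distinct": len(salted_values)}


# Constructed sample users: alice and bob chose the same password.
SAMPLE_USERS = {"alice": "Summer2014", "bob": "Summer2014", "carol": "correct horse"}
```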
In 2012, a large-scale breach was reported by LinkedIn in which 6.5 million unsalted password hashes were leaked. Although the passwords were hashed, real user data was revealed in the process. It resulted in the company having to reset the passwords, notify every affected user about the breach and require them to change their passwords. Because of this gap in its IT planning regarding passwords, LinkedIn has since implemented additional security measures.
They say you should assume a password will eventually fall into the hands of an attacker – that’s why it should be a secure one. Unfortunately no password is 100% secure, but here are some tips that should help your IT planning with passwords:
If your organisation makes use of an IT infrastructure, one can assume there are some passwords zipping around the information highways. A password isn’t just a password – it’s the last line of defence against unauthorised access to top-secret, highly confidential, super private consumer data, budgets and even photographs. Sufficient IT planning will require complexity requirements and appropriate hashing techniques to be implemented.