Did you know there was a website that checks if your online accounts have been compromised by hackers. So you enter in your email address (https://haveibeenpwned.com) and, oh no! You have been pwned! Hackers now know the passwords that you used on all of these services, but do they really know your password? Well as it turns out, that might not actually be the case and to understand why, let’s take a look at some options companies have to protect your passwords so that when even hackers get access to their systems, your information stays safe.
There are a few ways a company can store your information, they can use encryption on it, or use what’s called a hash function. Let’s go quickly over each one of these starting with the most basic one.
- Encryption – you take the information of the user, and before you store them, encrypt them with an encryption key. This would prevent hackers from obtaining the real information of users but it’s still quite risky. Underneath the encryption layer is still a password and so if the attacker manages to steal the encryption key as well, he can unlock the password. The problem with encryption is that it works in two ways.
You can encrypt a user’s information to it safe, but you can also decrypt it to reveal the password again. Encryption is very practical when you want to share data in a secure way, but not great if you want to prevent hackers from breaching your password.
- Hash Functions – How do they work? A hash function takes an input, that could be a piece of text like your password, public or private key and turns that into a string of text that always has the same length. Hash functions are very different from encryption because they only work in 1-way, you can calculate the hash of a piece of information but you cannot take a hash and turn it back into the original data. And that is an interesting property to have. By using hashes, companies can verify you’re logging in with the correct information without having to store your actual password. However, they aren’t perfect either.
Most hashing algorithms are optimized for speed, the more hashes per second they can calculate, the better. And that makes them vulnerable against brute-force attacks. By simple calculating every possible hash of the password, an attacker can reverse the hash function. A modern day GPU can do this with the speed of 292 million hashes per second (292.2 MH/s) so it’s only a matter of time before a hashed password is cracked using this technique.
And if that’s not fast enough, attackers can use Rainbow tables to further accelerate the process. These are lists of pre-computer hashes that can be used to quickly find weak and commonly used passwords. The speed of a hash function is a positive thing in certain areas. However, when it comes to storing passwords, you don’t want this property.
Then there is a second problem. If users both share the same password. If both Alice and Bob have the password “qwerty” the hashes of their passwords will be identical, so when a hacker cracks the hash of these passwords, he also knows the other.
Now you might think that’s not a big deal because it’s very unlikely that different people will use the same password. Well think again, the password “qwerty” has been found more than 3 million times in data breaches.
To make matters even worse, here’s the top 10 most used passwords in 2017:
Not the strongest of passwords. To defend from these types of attacks, we can add what’s called, “Salt” to the password before we hash it. The Salt is just some random data, “VNc8uj12” but it ensures that the hash of your password will always be unique. Even if others use the same password.
So if Bob and Alice both use the same password “qwerty” their hashes will be completely different. So if an attacker cracks Bob’s password, he can’t link that password to Alice and he has to start his cracking attempts all over again. This technique prevents hackers from cracking a bunch of passwords in one go.
It makes a brute force attack much slower, but still very much possible. To solve this, we have to take a look at another technique, which is using a special hash function that is deliberately being slowed down.
Examples of these are, bcrypt, scrypt and argon2, they completely neutralize brute force attacks. These algorithms take a password as input, along with a salt and a cost.
This last one is very interesting: the cost defines the number of rounds the algorithm goes through and this effectively slows it down. Over time our computers become faster, and so brute force attacks against these algorithms become easier. That’s because they can simply try more combinations in a shorter timespan.
All we have to do to counter this is increase the cost parameter so the algorithm remains resistant against these types of attacks. Pretty genius.
So those are the 3 options that a company has to store and protect your information, but why settle for one method when we can use multiple.
You can’t be greedy enough when it comes to security!
This multi-layer protection is used by Dropbox for instance. They take your information and start by running it through a simple hash function, without salt. This is their first line of defense. They then take the hash and run it through the bcrypt algorithm with a salt and a cost of 10. This prevents brute force attacks.
And finally the resulting hash is encrypted with the Advanced Encryption Standard or AES for short. The encryption key for this is not stored in their database but instead kept separately. So if an attacker breaches the Dropbox database, they will have to peel away each protected layer around your information and that will take ages. In fact, the cracking attempt would likely be most costly than what they get in return for compromising your information.
Conclusion: If your account has been compromised, it’s best to change your password immediately. However, depending on the security measures of the company that was compromised, it might be possible that hackers haven’t been able to retrieve your information in general. That’s thanks to the magic of hash functions and cryptography in general.