Add a little salt to that password

Posted on Jun 11, 2012 in For the Techies


Yet again, more password hacking news! The latest victims are LinkedIn, eHarmony and last.fm, and so it is time to review the good and bad ways of storing credentials.

Storing passwords for authentication-based services, such as Egnyte, has always been a challenging but interesting problem. People tend to use the same password across multiple sites, and black hat hackers – very smart, but ill-intentioned people – are always out to steal and sell this information for financial gain. A cracked password can open up access to multiple services, which increases the potential damage caused by its loss. So we make it one of our primary objectives to make sure that we store and transfer user credentials in the most secure manner possible.

Storing plain-text passwords is inherently dangerous because there is zero effort involved in processing them: whoever obtains the database has every password as-is. Even so, we are surprised to find how common it is to overlook this flaw, as in the case of Sony. There is no excuse for this practice, period!

One-way hashing functions like SHA-1 or SHA-2 are simple and effective ways to hide data; however, naive implementations are open to cracking schemes such as rainbow table attacks. Rainbow tables are huge collections of pre-computed hashes for every combination of characters, which black hat hackers compute and publish on the internet. These are shared via downloads of huge pre-computed tables used to perform reverse lookups that turn a stolen hash back into the plain-text password (clearly hackers have learned to share and share alike).

And so, we do better – like with most good recipes, we add some salt. A salt is a random sequence of bytes that is fed to the hashing algorithm along with the password; by using salts with hashing algorithms, we produce a different hash for the same plain-text password (smart guys did that 40 years ago, virtually the dark ages in the computer world). Introducing a salt dramatically increases the search space for rainbow attacks: a pre-computed table no longer applies, so breaking N salted passwords costs roughly N times the effort of breaking one. While salts make it difficult and time consuming to crack a hashed password, given enough computing power and time, dictionary attacks are still possible.
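To make the contrast between the last two paragraphs concrete, here is an added example (not code from the original post or from Egnyte). It builds a tiny constructed lookup table, standing in for a rainbow table, from a handful of common passwords and shows that it reverses unsalted SHA-1 hashes in one dictionary lookup but matches nothing once each password is hashed with its own random salt. SHA-1 is used only because the text mentions it; the record format `salt_hex$hash_hex` and the sample users are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample wordlist standing in for a published rainbow table.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "welcome1"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once; the same table works against every
    unsalted database, which is exactly what makes unsalted hashes weak."""
    return {sha1_hex(w.encode()): w for w in words}


def reverse_unsalted(stored_hashes, table):
    """Map each stored unsalted hash that appears in the table back to its plaintext."""
    return {h: table[h] for h in stored_hashes if h in table}


def hash_salted(password: str, salt: bytes = None) -> str:
    """Hash with a fresh 16-byte random salt; store as 'salt_hex$hash_hex'
    so the salt is available again at verification time."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = sha1_hex(salt + password.encode())
    return f"{salt.hex()}${digest}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    salt_hex, digest = stored.split("$", 1)
    candidate = sha1_hex(bytes.fromhex(salt_hex) + password.encode())
    return hmac.compare_digest(candidate, digest)


def salted_table_hits(stored_records, table):
    """Count salted records whose digest appears in the unsalted table.
    The salt is mixed into the input, so a table computed without it
    cannot match; an attacker must redo the work per salt."""
    return sum(1 for rec in stored_records if rec.split("$", 1)[1] in table)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)

    # Constructed "unsalted" credential store: two weak passwords, one strong.
    unsalted_db = {
        "alice": sha1_hex(b"password"),
        "bob": sha1_hex(b"Tr0ub4dor&3"),
        "carol": sha1_hex(b"qwerty"),
    }
    print("unsalted hits:", reverse_unsalted(unsalted_db.values(), table))

    # Same passwords, salted: identical plaintexts now yield different records.
    salted_db = {user: hash_salted(pw) for user, pw in
                 [("alice", "password"), ("bob", "Tr0ub4dor&3"), ("carol", "qwerty")]}
    print("salted hits:", salted_table_hits(salted_db.values(), table))
    print("alice verifies:", verify_salted("password", salted_db["alice"]))
```

Note that salting only defeats the pre-computation; a single fast SHA-1 per guess still lets an attacker try a large dictionary against one record quickly, which is the gap the next section addresses.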

Which brings us to Bcrypt. Bcrypt is a hashing algorithm (actually a cryptographic hash function) which generates a salt for each password being hashed and uses that to create the hash, which can be stored without a separate salt. Its biggest strength comes from the fact that it's an adaptive hashing algorithm: over a period of time, you can pick higher values of the work factor to make it slower and keep it relevant against dictionary attacks while keeping up with Moore's Law (i.e. increasing computing power). All of these qualities – a unique, high-entropy salt and adaptive hashing – have made Bcrypt our favorite password hashing algorithm at Egnyte. We're constantly working on new and innovative ways to make sure your data is safe with us.
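The adaptive property described above is worth seeing end to end: the work factor is stored inside each record, old records still verify after the default is raised, and a record is transparently re-hashed at the next successful login. The added example below is not Egnyte's code and does not use the bcrypt library; it uses the standard library's PBKDF2 as a stand-in because it has the same tunable cost parameter (the iteration count) and needs no extra package. The record format `pbkdf2_sha256$iterations$salt_hex$hash_hex` and the iteration counts are assumptions for the example; bcrypt's own `$2b$<cost>$...` strings carry the cost and salt in the same self-describing way.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example, not recommendations from the post:
# the work factor is the PBKDF2 iteration count, raised over time the way
# bcrypt's cost parameter is raised.
ALGORITHM = "pbkdf2_sha256"
CURRENT_ITERATIONS = 200_000


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS, salt: bytes = None) -> str:
    """Hash with a fresh random salt and the given work factor. The record is
    self-describing: algorithm, work factor and salt travel with the digest,
    so nothing else needs to be stored and old records remain verifiable."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def parse_record(stored: str):
    """Split a record into (iterations, salt, digest); reject unknown formats."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the record's own salt and work factor; constant-time compare."""
    iterations, salt, digest = parse_record(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def needs_rehash(stored: str, target: int = CURRENT_ITERATIONS) -> bool:
    """True when the record was made with a lower work factor than the current target."""
    iterations, _, _ = parse_record(stored)
    return iterations < target


def login(password: str, stored: str, target: int = CURRENT_ITERATIONS):
    """Return (ok, replacement_record). The replacement is non-None only when
    the password verified and the stored work factor lags the target; the
    caller writes it back, so the upgrade happens without a password reset."""
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored, target):
        return True, hash_password(password, target)
    return True, None


if __name__ == "__main__":
    # A record created years ago with a work factor that is now too low.
    legacy = hash_password("correct horse battery", iterations=10_000)
    print("legacy needs rehash:", needs_rehash(legacy))
    ok, upgraded = login("correct horse battery", legacy)
    print("login ok:", ok, "| upgraded:", upgraded is not None)
    if upgraded:
        print("new work factor:", parse_record(upgraded)[0])
```

The only moment the plaintext is available to re-hash is a successful login, which is why the upgrade is tied to `login` rather than run as a batch job; raising `CURRENT_ITERATIONS` is then the whole deployment step, and `needs_rehash` can also be used to report how much of the user base still sits on the old cost.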

