A significant amount of attention has been focused recently on the Adobe data breach incident involving millions of passwords, user names, and in some cases, customer credit card records.
The terms “encrypted”, “salted” and “hashed” have been bandied about by the media when explaining what Adobe did or didn’t do in regard to password storage and protection. To truly understand and determine the potential risk for harm, one needs to understand these terms.
According to TechTerms.com, encryption is the coding or scrambling of information so that it can only be decoded and read by someone who has the correct decoding key. Encryption is often used on secure Web sites as well as other mediums of data transfer. Think cryptograms for example: Take my name Karen and swap the letters out based on a backward alphabet. Karen then becomes “pzivm”. In the world of global hacking attacks, simple encryption is no longer accepted as an industry best practice for storing passwords. This was clearly made evident in this Adobe breach…
Today, more stringent efforts need to be implemented to protect stored user names and passwords. That is where “salting” and “hashing” come into play. According to one expert (Joe Siegrist, LastPass), salting means adding a secret code to every password after it is scrambled (encrypted) and before it is stored in the database. Utilizing this process, multiple salted versions of the same password never look the same. Unfortunately, an analysis of the encrypted passwords exposed in the Adobe breach revealed quite clearly the top 50 passwords used by Adobe users.
The next step in the process is “hashing”. According to one source, password hashing is one of the most basic security considerations that must be made when designing any application that accepts passwords from users. Without hashing, any passwords that are stored in an application’s database can be stolen if the database is compromised.
In many cases, the best practice for storing passwords and users name is to take the encrypted password, add salted random data, and then apply additional algorithms to further mask the user names and passwords. The end result from this process yields a much more secure password.
It should be noted here, however, that some entities “hash” before they “salt”. Unfortunately, this practice yields the same end result for anyone with the same password (i.e. 12345678 or password). This is frequently made clear to us when analysts are able to “decipher” passwords which have gone through this hashing before salting process. As such, only by salting this data first would you then arrive at a unique “password” for each individual.
Adam Levin, Chairman and Co-Founder of Credit.com and Identity Theft 911, recommends to victims of this breach to, “be really careful with what files you open right now, with what links you click and even with what emails you read….Also, change your passwords –right now. Don’t use the same password for different accounts, especially for your financial and email accounts.”