Chatter is up about password security due to the recent LinkedIn, Lastfm.com, and eHarmony password breaches. In these incidents, they failed to salt their password hashes or use an effective password-hashing algorithm.
Don’t pass on the salt…
To salt means to add a random set of characters to a password before hashing it. It is an essential component of securing online PII data. To some, it may seem like an extra step or an extra hoop to jump through—but sufficient security is always worth the investment. A recent New York Times article reported that: “…the cost of setting up proper password, Web server and application security for a company like LinkedIn would be a one-time cost of ‘a couple hundred thousand dollars.’” The average breach costs a company $5.5 million, or $194 for each record breached, according to a Symantec-sponsored study.
Foreign voodoo magic?
Here’s what it comes down to: Developers are good at developing applications, but most are not trained in security. When the conversation of cryptography comes up among developers, it is often treated like some foreign voodoo magic. When an application is complete, developers report to management that the new application is secure because they used MD5 or SHA-1 to hash the passwords. Unfortunately, management generally isn’t trained in or up to date with security best practices, and problems aren’t discovered until a review by a security expert reveals a security flaw or until the passwords are leaked and cracked in a breach.
Hashed values for user rights compound the problem
The problem is greater than just passwords. Some web applications use hashed values as a way of validating sessions and user rights; this is a bad practice, even when salt is used—and especially when the salt is static.
Example: A user logs into a website, the web application grants access based on a valid password, then it assigns the rights and permission via a cookie.
Cookie = MD5 (User Name + Application Rights + Static Secret Salt)
The breakdown:
- The MD5 ( ) function generates a one-way hash of the three values concatenated together.
- Cookie is the variable where the generated value is stored.
Two examples could be:
3542d2241d620aa7780db99fffe09eca = MD5 (Jim + Administrator + 8f94jfs)
5c0bbc22ab0a273057b7d2f8bff830c9 = MD5 (Angie + User + 8f94jfs)
If an attacker is able to find out the non-random secret salt, they can then create an admin account, and a malicious insider who knows it can change their own rights to admin.
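The two practices the post contrasts, as an added example that is not part of the original post: per-user random salts with a slow password hash, and rights kept server-side behind a random session id instead of a deterministic MD5 cookie. The static secret value is taken from the post; the iteration count and the session-store layout are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Per-user random salt plus PBKDF2-HMAC-SHA256. Iteration count is an assumed
# sample value; tune it to your hardware, but never below what your platform's
# guidance recommends.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


# The weak scheme from the post: MD5(user + rights + static secret). It is
# deterministic, so the same inputs always yield the same cookie, and anyone
# who learns the static secret can compute a cookie for any rights value.
STATIC_SECRET = "8f94jfs"  # value quoted in the post


def weak_rights_cookie(user: str, rights: str) -> str:
    return hashlib.md5((user + rights + STATIC_SECRET).encode()).hexdigest()


# Hardened alternative: the client only holds an unguessable random session id;
# user name and rights live server-side and are never derivable from the cookie.
SESSIONS: Dict[str, Dict[str, str]] = {}  # assumed in-memory store for the demo


def create_session(user: str, rights: str) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "rights": rights}
    return sid


def rights_for(sid: str) -> Optional[str]:
    """Look up rights by session id; unknown ids grant nothing."""
    entry = SESSIONS.get(sid)
    return entry["rights"] if entry else None
```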
If you aren’t certain about how your company protects your passwords or manages user rights, this is the time to get in front of your CIO or CISO for a discussion about password security practices.
B-Side Track