How hard can it be? asks Ian Harvey, Software Design Authority, at the cyber product company Thales e-Security.
As our reliance on the digital world continues to increase, securely storing passwords has become a growing concern for organisations. If passwords are stored in a plain text file or database, it opens the door to opportunistic administrators who can look at that file for their own personal or financial gain. Even if there are no vulnerabilities in the system, keeping a password in this form is a huge risk. With hacking methods becoming ever more sophisticated, businesses need to have defence mechanisms in place to ensure that passwords don’t fall into the wrong hands.
If plain text is not a viable option for storing passwords, then what is? Hashing is a method, first used in the 1970s by Unix computer systems, in which a hash function assigns a value to each password or phrase. With this technique, although the calculation itself may be easy to work out, carrying it out ‘in reverse’ to find the original password presents a challenge.
The easiest way to explain this is with an example. Let’s say our password is FROG. The first step is to give each letter in the alphabet a numerical value, so A=1, B=2, C=3 etc. Next we multiply together each adjacent pair of letters in the password and then add the products together to get the hash score. The word FROG would therefore have a hash score of (FxR) + (RxO) + (OxG) = (6 x 18) + (18 x 15) + (15 x 7) = 483. Instead of storing a password in plain text, the password file stores a number for each user. For example, if the value of my password was 1002, then when I typed in my password the computer would carry out the calculation above and, if the value came to 1002, I would be able to log on to the computer. If the calculation came to any other number, access would not be permitted.
The advantage of such a method is that, if hackers were to steal this file, they would have a tricky puzzle to solve before they could access any of my data.
Unfortunately outsmarting the hackers is not as easy as we may have hoped. Despite hashed passwords being much more secure than those stored as plain text files, an innovative way of decoding hashed passwords was soon developed.
Named a dictionary attack, this method takes a list of all the words in the English dictionary and works out the hash value of each one. If a password is in the dictionary then eventually its value will be found. Although this may take time, it is worth the effort as every such password can be decoded.
In an attack of this kind an index is created of individual words sorted by their hash value. The individual words are added to the index as their hash value is calculated – so the word CAT would appear on page 23 and BEAD on page 19, and so on. In order to find the password, one would simply need to turn to the correct page – reversing the hash function.
A simple illustration would be to consider the code breakers working to decode German naval communications at Bletchley Park during World War II. Aware that ‘eins’ was the most common word in decrypted messages, they encrypted it with every possible Enigma setting to create the ‘eins catalogue’. If the codebreakers could work out which encrypted letters represented the plaintext ‘eins’, they were then able to simply extract the key.
Luckily, there are ways to stop the launch of a dictionary attack and prevent the theft of someone’s password. A clever method called a salted hash scheme can be employed to ensure that a user’s password is protected against such an attack.
With this scheme, every user’s password has a random variation applied to it. For example the value of one user’s password could be calculated from B=7, E=8 and T=11. Another user would have the values B=20, E=14, T=3. Using this method, the same password would have a different hash value for each person. Although the computer would still carry out a calculation to check the value of the password, it would not be possible to compile a dictionary of every password – so hackers would be unsuccessful in reversing the hash.
The final line of defence is called an iterated hash. Commonly used in modern systems, this method re-hashes the data thousands of times so that the hash function is costly to calculate. Understandably this method will make any computer slower, but hackers trying to search for a password will also be hindered by the iterated hash.
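The letter-value hash, the page-number index, the per-user letter values and the iterated hash described above can be followed in code. This is an added example, not code from the article or from Thales: the user names and word list are constructed, and PBKDF2-HMAC-SHA256 with the iteration count shown is an assumed stand-in for a real salted, iterated hash, which the article does not name.

```python
import hashlib, hmac, os, string

# Standard table from the article: A=1, B=2, ... Z=26
PLAIN = {c: i for i, c in enumerate(string.ascii_uppercase, start=1)}

# Per-user letter values quoted in the article (user names are hypothetical)
SALTED = {"user1": {"B": 7, "E": 8, "T": 11},
          "user2": {"B": 20, "E": 14, "T": 3}}

def toy_hash(word, table=PLAIN):
    """Article's toy hash: sum of products of adjacent letter values."""
    nums = [table[c] for c in word.upper()]
    return sum(a * b for a, b in zip(nums, nums[1:]))

def build_index(words, table=PLAIN):
    """Precomputed hash -> words lookup (the 'page number' index)."""
    index = {}
    for w in words:
        index.setdefault(toy_hash(w, table), []).append(w)
    return index

WORDS = ["CAT", "BEAD", "FROG", "BET"]   # constructed sample word list
INDEX = build_index(WORDS)               # built once with the standard table

def lookup(stored_value):
    """What the precomputed index returns for a stored hash value."""
    return INDEX.get(stored_value, [])

# Real-world counterpart (assumption: PBKDF2-HMAC-SHA256, not named in the article)
ITERATIONS = 600_000  # illustrative work factor; tune for your hardware

def store_password(password):
    salt = os.urandom(16)                          # random per-user salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest                            # both go in the password file

def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

if __name__ == "__main__":
    print(lookup(toy_hash("BET")))                   # unsalted value is in the index
    print(lookup(toy_hash("BET", SALTED["user1"])))  # salted value is not
    salt, digest = store_password("FROG")
    print(verify_password("FROG", salt, digest))
```

The same word BET produces a different stored value under each user's table, so a single index built from the standard table no longer matches either entry in the password file.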
With confidential files and customer data increasingly becoming the currency of the digital world, it is more critical than ever before that organisations take the required steps to keep passwords safe and secure. Businesses that fail to make password security a top priority will become easy prey for unforgiving criminals.