Learn about account and password security methods.
Episode #12-07 released on October 8, 2021
Generally speaking, your password, once encrypted, should be safe. However, password security is far more complicated than encrypting the password and calling it a day. There are many ways to store a password in a database, and the method chosen ultimately determines how safe an account truly is.
Some companies used to store passwords in plaintext, along with all other personal information about each of the user accounts on their website. At one point, company after company was being exposed through hack after hack for this kind of practice, and eventually they started to secure passwords by other means.
Hashing, a one-way transformation (often loosely called one-way encryption), is a means by which you can secure a password, but if you use a hashing algorithm like MD5, the exercise is pointless, as it is trivial to reverse engineer the password database. In fact, it takes nearly no time whatsoever to create a rainbow table to compare passwords against. This leads us to the importance of salting the hash. Salting the hash means adding extra data to obfuscate the result, which may well look like gibberish to anyone looking at it afterward. However, simple salting is not enough; we need to iterate the hash with the salt. Hash iteration is when we hash the result over and over again until the process takes so long to reverse engineer that the result is far safer than a plaintext password. If we use a hash like SHA-512, salt it with data to obfuscate the password and iterate it, the password is nearly impossible to decode unless the number of iterations, the salt and the hash type are known.
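As an added example (not code from the episode), the salted, iterated SHA-512 scheme just described, written in Python with the standard library's PBKDF2 implementation. The iteration count, salt size and record format are illustrative choices, and the sample password is constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters for the salted, iterated SHA-512 scheme.
# The iteration count is the work factor: raising it slows every guess.
HASH_NAME = "sha512"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    Storing the parameters beside the digest lets the verifier reproduce the
    computation and lets the work factor be raised later without a reset.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)
    return f"{HASH_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored parameters and compare in constant time."""
    try:
        name, iters, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record: never treat it as a match
    candidate = hashlib.pbkdf2_hmac(name, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def same_password_differs(password: str) -> bool:
    """Two users sharing a password must not share a stored digest (the salt's job)."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample password
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("Correct horse battery staple", rec))  # False
```

Because the salt is random, the same password produces a different record each time, so a rainbow table built for one user's digest is useless against another's.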
To protect passwords you can also encrypt them. The issue is that encryption can be reversed with the key, and that makes the key the single most dangerous point of failure in the entire security method. There are a few things we can do to protect encrypted data. The first is to use a unique key for each user; another is to use a different key for each set of data. You can also do both at the same time.
But to protect a password and user information, we can go further than this. The key insight is that user information needs to be encrypted in a reversible way, but passwords and secret answers do not. We can encrypt user data with unique keys and use hashing, salts, iteration and encryption for passwords and secret answers. Done right, the security of each user account is maintained independently of the others, and each account needs to be brute forced independently.
But all this being said, is an encrypted password safe? The answer: safer than plaintext. And this will only hold true until quantum processing becomes commonplace, because after that point, all standard means of encryption will fail to protect users. Fortunately, we are not yet at this point.
Host : Steve Smith | Music : | Editor : Steve Smith | Producer : Zed Axis Dot Net