Sunday, June 10, 2012

Password Strategies Being Improved On Sites

To stay ahead of hackers, security strategies must continue to improve


We have been talking about taking responsibility for the passwords on your online accounts, because you are the last line of defense against hackers. It is important not to reuse the same password across online accounts: if attackers get your password for one account, they have a head start on gaining access to another. But with all the recent news of sites being hacked and password files being taken, it is natural to wonder what is being done to protect our online information beyond our having a unique and complex password. So, what are companies doing to protect my password beyond what they are currently doing?

With the recent hacking of LinkedIn and eHarmony, exactly what are sites doing to protect our passwords from being taken and then used against us? Fortunately, there are things companies can do. There are probably a few sites out there which continue to store passwords in clear text, meaning the password sits in the database exactly as you typed it; anyone who could see that database would see the password itself. That is the worst situation, but not to fear, as reputable sites are well beyond that. Just about every site on the web today employs some form of hashing.

The idea of hashing is to combine the password with some other value (the hash value) and come up with a fixed-length value which is stored in the database. When you log on, the password you entered is combined with the hash value and the result is compared with what is in the database. If they match, you are given access. The hash value is stored in code and is not accessible to hackers. If hackers are able to get to the hashed password, they still have to figure out the hash value to unlock the password. This has worked well for years, but as computer equipment gets faster and hackers learn new skills, this method needs to be enhanced to protect us further.

With secure SSL (HTTPS) logons, we stop hackers from grabbing things off the Internet and using them. So hackers have to resort to attacking either your local device or the servers where the passwords are stored. One of the changes to password storage is the use of encryption to protect your password further. This is accomplished by applying a private key to the password and changing every value in the file based on that private key. There are a number of variations of this, but you have to have the key to decrypt the password before the validation step of authentication can even begin.

Following the recent hacking of LinkedIn, they are working on new strategies for protecting their users' passwords. This includes a technology called salted passwords. This one looks to hold the most promise for web sites that want to keep stolen passwords from being used. If you can make a password stolen from a site's database virtually unusable, you have protected your site's users, and that is key. Notice that I said "virtually". At this point in the world, there is nothing which is 100% guaranteed to be unbreakable. Just look at all the hacking being done to some of the security agencies around the world.

There are many ways in which passwords can be stored, with varying levels of security. Salted password hashing uses a non-reversible hashing algorithm with the inclusion of a randomised element to make it more difficult to obtain user passwords.

One of the things which makes salted passwords harder to crack is that a separate entry, the salt value, is stored alongside the password. This means that hackers have to crack both the password, in whatever unreadable form it is stored, and the salt value, in whatever unreadable form that was stored. This makes it much harder for a password to be cracked, though not impossible.
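The salted hashing described above, as an added example that is not code from the original post or from any site it mentions: a per-user random salt is generated, stored beside the derived hash, and reused at login to re-derive and compare. It assumes PBKDF2-HMAC-SHA256 from Python's standard library and an iteration count that a site would tune upward as hardware gets faster.

```python
import hashlib
import hmac
import os
from typing import NamedTuple, Optional

# Work factor for PBKDF2. Assumption: a deployment raises this as hardware speeds up.
ITERATIONS = 600_000
SALT_BYTES = 16


class StoredPassword(NamedTuple):
    """What the database row holds: the per-user random salt, the derived hash, and the work factor."""
    salt: bytes
    digest: bytes
    iterations: int


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> StoredPassword:
    """Derive the stored record for a new password. A fresh random salt is drawn per user."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # the randomised element the article describes
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return StoredPassword(salt, digest, iterations)


def verify_password(password: str, stored: StoredPassword) -> bool:
    """At login, re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    stored.salt, stored.iterations)
    return hmac.compare_digest(candidate, stored.digest)


def same_password_differs(password: str, iterations: int = ITERATIONS) -> bool:
    """Two users who pick the same password end up with different rows,
    so a leaked file cannot be matched against a single precomputed table."""
    a = hash_password(password, iterations=iterations)
    b = hash_password(password, iterations=iterations)
    return a.salt != b.salt and a.digest != b.digest


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample password
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("Correct horse", record))
    print("same password, different rows:", same_password_differs("hunter2"))
```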

For now, "salted passwords" offer hope of making it much more difficult for hackers to figure out your password. Once a company identifies that it has been hacked, salted passwords could give it far more time to notify all its users to change their passwords and so prevent hackers from gaining access to individual logons. We can hope that even more methods are devised and employed to stop hackers from taking advantage of passwords taken en masse from websites. Technology has to continually work to stay one step ahead of hacking and stolen password files.
