At Patriot Software, we use one of the most up-to-date password hashing algorithms available, one that is still considered cutting edge, for our online accounting and payroll software.
Usually, people like to let a hashing algorithm run around for a while in the wild and see how it does. But we’ve adopted it very early on because of its high level of security and ease of implementation. It’s really powerful and one of the hardest to crack.
What is Password Hashing?
In case you don’t know, hashing is the operation by which you put information into an algorithm, and you scramble it up using a cipher or some other method that makes it indecipherable. The difference between hashing and encryption is that encryption is reversible and hashing is not. A password hash works one way and you cannot undo it. So, when you type in a password to a website, it gets hashed and saved, and when you type it in the next time, nothing actually knows your password is the right password. All it does is hash it and compare the result to what was saved, and if it matches, you’re in. There is no way for a person to reverse engineer your password out of a hash. They would have to match randomly generated strings of password information to complex hashed information through an incredibly complex algorithm in order to crack a password.
Why Use a Hash Function Instead of Encryption?
Why is the method important? When a company stores your password with a hashing algorithm, the objective is twofold: to prevent someone from logging into your account, and, more importantly, to prevent them from accessing your password.
If someone breaks into one of your old Myspace accounts, they’re not going to get anywhere. But if they can get one of your passwords, they can surmise you’re using that password someplace else and try to get into something that is more lucrative.
In hashing, the way bad guys figure out what kind of password you use is to determine what kind of algorithm and implementation you use, and then they brute force it. Basically, they generate a list of passwords, called a password dictionary, and they run them through the algorithm until they find a match, and that’s how they know it’s your password. The more complex your algorithm is, the more difficult it is for the bad guys to figure out what your password is, even if they have your hash database. The higher difficulty means a lot more computing power is required … so much so that the effort and know-how needed to determine a password outweigh the potential gain of actually doing it.
Password Salting Adds Extra Security
Most times, when a bad guy tries to steal information, they aren’t targeting a specific person, so they’ll want to get as much as they can. You might think, “Wow, what if my password is the same as someone else’s by chance? Won’t they get a two-for-one if our hashes match?” In a badly made system, sure; but not in ours. A very important and, sadly, often overlooked way to deal with this is called salting. A salt is a set of random characters added to the end of a password before it is hashed and saved. This value is public information, so they’ll know what those characters are, but the purpose of this value is to make it so that two password hashes of the same character string don’t look the same anymore because of the appended information that won’t be the same. This way, they can’t just generate a dictionary of hashes and compare them to a list of hashes, because none of them will match, due to the password salt. This means the attacker must generate an entire dictionary of test values for each user password in the database, greatly increasing the cost of a successful dictionary attack.
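The hash-and-compare login and the effect of salting described above, as an added example that is not Patriot's code. The page does not name its algorithm, so PBKDF2-HMAC-SHA256 from the Python standard library stands in; the user names, passwords, word list and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor for this example only
NO_SALT = bytes(16)    # one constant for every user: no per-user variation

def kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def store_password(password, salted=True):
    """Return (salt, digest) as it would be saved in the user table."""
    salt = os.urandom(16) if salted else NO_SALT
    return salt, kdf(password, salt)

def verify(attempt, salt, stored):
    """Hash the attempt with the saved salt and compare in constant time."""
    return hmac.compare_digest(kdf(attempt, salt), stored)

def shared_table_hits(wordlist, records):
    """Count records matched by one table hashed once and reused for all users."""
    table = {kdf(word, NO_SALT) for word in wordlist}
    return sum(1 for _, digest in records if digest in table)

# Constructed sample data: alice and bob happen to share a password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor"}
WORDLIST = ["password", "correct horse", "letmein"]

def demo():
    weak = {u: store_password(p, salted=False) for u, p in USERS.items()}
    good = {u: store_password(p) for u, p in USERS.items()}
    return {
        "weak_same_hash": weak["alice"][1] == weak["bob"][1],
        "good_same_hash": good["alice"][1] == good["bob"][1],
        "weak_table_hits": shared_table_hits(WORDLIST, weak.values()),
        "good_table_hits": shared_table_hits(WORDLIST, good.values()),
        "right_password": verify("correct horse", *good["alice"]),
        "wrong_password": verify("wrong guess", *good["alice"]),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With per-user salts the shared table matches nothing, so every guess has to be re-hashed for each account separately.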
Moore’s Law = New Threats
Moore’s law states that computing power will basically double every two years. So, we could postulate that even if a cryptographic hash function is powerful now, in 24 months that power will be cut in half. Or, you could say that the sharks get bigger and meaner every two years. Sure, you can fend off Jaws now, but in two years you’re going to need a bigger boat.
To be clear: It’s not a matter of if a password can get cracked, but how much time and power go into cracking it. What strong hashing algorithms do is make cracking passwords such a time and energy suck that those people who’d want to do bad stuff move on to lower hanging fruit. We stay ahead of that curve by implementing the best stuff, on top of all our other security features. By increasing the complexity of your algorithms, you keep moving the fruit higher and higher up the tree. We do that here, on top of all our internal encryption and other security methodology.
Hashing Algorithm Updates with User Empathy in Mind
Another plus with hashing is the ease with which you can scale up its potency without interrupting your user. Having empathy for users is important; and even more so when dealing with user passwords. When we upgraded our algorithm here at Patriot, we deployed it in such a fashion that the user didn’t have to re-enter new passwords. We automatically rehashed their existing passwords with the new algorithm and re-secured at the highest level. That’s really nice because we don’t have to shut down the system to do that, or annoy our customers.
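One common way to strengthen stored hashes without asking users for new passwords is to upgrade each record at the next successful login, when the plaintext is briefly available. The sketch below is an added example of that approach, not Patriot's implementation; the record format, the function names and both iteration counts are assumptions, and PBKDF2-HMAC-SHA256 again stands in for the unnamed algorithm.

```python
import hashlib
import hmac
import os

CURRENT_ITERATIONS = 200_000  # assumed current policy (example value)
LEGACY_ITERATIONS = 50_000    # assumed older policy still present in the store

def make_record(password, iterations):
    """Save cost and salt beside the digest so old records stay verifiable."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def check_record(password, record):
    """Verify with the parameters the record was created with."""
    iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex), int(iterations)

def login(store, user, password):
    """Return True on success. A record below current policy is re-hashed
    with a fresh salt while the plaintext is in memory; a failed attempt
    never changes the stored record."""
    record = store.get(user)
    if record is None:
        return False
    ok, iterations = check_record(password, record)
    if ok and iterations < CURRENT_ITERATIONS:
        store[user] = make_record(password, CURRENT_ITERATIONS)
    return ok

def cost_of(record):
    """Work factor a stored record was hashed with."""
    return int(record.split("$")[0])

# Constructed sample store: one account created under the older policy.
STORE = {"alice": make_record("correct horse", LEGACY_ITERATIONS)}

if __name__ == "__main__":
    print("before:", cost_of(STORE["alice"]))
    print("login ok:", login(STORE, "alice", "correct horse"))
    print("after:", cost_of(STORE["alice"]))
```

Accounts that never log in again keep their old records under this scheme, so the store should be checked for records still at the legacy cost.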