Not long time ago that we saw a Russian hacker post 6.5 million Linked-In password hashes on a Russian hacker forum. After observing the disclosure of the hack, one thing highlighted is that LinkedIn stored passwords using SHA-1 encryption that comes with SSL and TLS protocols.
Using hashes to store passwords – Is it enough?
Storing passwords in clear text would mean lethal for any common user, storing hashes of passwords would make life relatively happier for him. But, is this enough? What are the methodologies that a developer can implement to make password storage more secure and make it difficult for the attacker to crack? Read on…
Salting of hashes:
The concept of salting is simple. Salting is a process of adding salt (a random integer, string, alphanumeric etc.) to your password before computing the hash. This will ensure the randomness in the final hashed password. This would not let the attacker to use the readily available tools, but would challenge him to write a piece of code which would be lot more complicated and time consuming for him.
Possible errors in salting hashes:
- Using same salt value for all the passwords
- Using too short salts
Making it difficult for the attacker using the concept of KeyStretching:
This refers to a technique to make relatively weak password (referred as key), difficult to crack using the brute force attack by increasing the time taken to crack each case. The final result is termed as the enhanced key. This is preferred to be at least 128 bit long to make brute-forcing least feasible form of attack. A common technique in keystretching would be to apply a cryptographic hash function or a block cipher fuction repeatedly using a loop.
In this article, we have seen a real life scenario of linkedIN attack, and also seen what are the possible ways to fix such kind of attacks by making is less feasible for the attacker.