If you’re an Evernote user, then you probably remember that, after a data breach earlier this year, the company required you to reset your password. You may remember that Evernote said not to worry because its passwords were “hashed and salted.”
To people not in the security industry, “hashed and salted” sounds like something you’d order at a diner. Even when used in the context of passwords, hashing and salting aren’t sufficient to protect your data. After the breach, Evernote adopted two-factor authentication. This strategy can’t keep the company’s network from being hacked, but it can prevent hackers from accessing valuable data.
An Overview of Hashing and Salting
Cryptographic hashing is a way to store passwords without revealing their content. A hash function creates a fixed-size string of characters no matter how long the input string. For example, a simple hash function could convert letters to numeric values. Instead of seeing a password “ABCD,” you’d see the hash “65666768.” No matter how long the password is, the hash would always consist of eight characters.
Cryptographic hash functions incorporate additional properties. A cryptographic hash function is a one-way function, which means that it’s hard to invert. In other words, you’d have a really difficult time figuring out what original password generated the string “65666768.” Additionally, cryptographic hash functions are collision-free. In other words, you won’t find something equivalent to “ABCD” that will produce the given hash.
So why doesn’t cryptographic hashing provide sufficient protection for passwords? Cryptographic hashing is insufficient because most systems use one of just a few hash functions. For instance, you may have seen or heard of hash functions called MD2, MD5 or SHA. A hacker can plug your hashed passwords into one of these popular functions and decipher the entire list. In fact, you can plug hashes that were created using the MD5 function into a Google search field and generate the original password characters.
Because hashing isn’t enough, passwords are also salted. Salting combines the hashed passwords with additional data and then hashes the combination. For instance, within your password database, you could combine hashed user passwords with the user’s birthdate. The birthdate is the “salt,” and once the hashed password is combined with the salt, the salted password becomes much more difficult to decipher.
Modern password hash tools like Bcrypt make passwords more difficult to decipher. Essentially, Bcrypt might take the SHA-1 hash function and run it 750 times. The characters that the hacker sees are the 750th output of the hash function. Even Bcrypt isn’t a panacea when users create terrible passwords. No matter how great Bcrypt is, if a person chooses “password” as his or her password, even elementary hackers are going to figure it out. Also, migrating from cryptographically hashed passwords to modern tools like Bcrypt can be prohibitively expensive. This is where two-factor authentication comes into play.
Authentication can utilize three pieces of data: something you know, something you have or something you are. The “something you are” involves biometric authentication, which is not yet in widespread use. The simplest example, which you probably use every day, is your ATM card and your PIN number. The ATM card is something you have, and the PIN number is something you know.
A physical authentication token like an ATM card is just one implementation of two-factor authentication. Another example involves image-based authentication, which you’ve probably seen with online banking. For instance, you input your user name into the online banking login field. You then see an image that you’ve chosen, and below that image you see a password field. If the image that you see isn’t the one that you’ve chosen, then you are instructed not to input your password. Other systems use a password combined with a device certificate or an out-of-band authentication code delivered via e-mail or text message.
Not every business function may require two-factor authentication. For example, when employees login to punch a time clock, a username and password are probably sufficient. However, before allowing employees to remotely access crucial data, two-factor authentication is a must. Keep in mind the risk of the function, the cost of implementation and the burden at the point of login when you’re determining when to implement two-factor authentication.
About the Author: Kiri Green is a security consultant writing for a number of online publications. At her local diner, she’s comfortable that hashed and salted home fries are sufficient.