Salt, then hash: How companies like LinkedIn should protect their user data

Professional social networking site LinkedIn is in crisis mode after reporting that the passwords of six million users have been stolen.

The passwords were posted in hashed form on a Russian forum on Tuesday.

However, security experts have expressed concern about how the passwords were stored: as unsalted SHA-1 hashes. SHA-1 is a fast hash function with no salt to slow attackers down, so it is only a matter of time until most of the passwords are cracked.

Last year hackers managed to steal personal information (including credit card numbers) from 77 million Sony Online Entertainment users, while earlier this year American online shoe store, Zappos.com, had personal information of 24 million of its users stolen.

Over and over again, companies that should know better have been caught short when a major breach shows they did not pay enough regard to protecting their users’ information. As security experts often point out, many corporations do not employ simple, best-practice techniques when storing their customer data.

This is bad business. As more and more customers shop and interact with businesses online, security is becoming more and more critical. Companies that don’t protect their users’ information appear negligent at best.

So what should leading companies do to protect user data?

Hashing

When companies need to store passwords they use a process called “hashing”. A hashing algorithm turns a password into a fixed-length string of letters and numbers, and the site stores that string instead of the password itself. There are lots of these algorithms, but some are more common than others. The one used by LinkedIn, SHA-1, is very well known.

A hash function is deterministic: the same input always produces exactly the same output, so there is only one hash for every word under a given algorithm.

So, using the MD5 algorithm, the word “password” always turns into “5f4dcc3b5aa765d61d8327deb882cf99”, and that is the only MD5 hash of that word.

Sony, Zappos.com and LinkedIn did at least hash their passwords. But hashing alone isn’t enough: they should also have salted them.

Salting

While it is, in practice, impossible to reverse a cryptographic hash directly, attackers don’t need to reverse it.

Instead they build a dictionary (a lookup table, sometimes a “rainbow table”) that maps hashes back to the passwords that produced them.

This involves running the particular algorithm over millions of common words and leaked passwords and storing each result alongside its original. A stolen hash is then cracked with a single lookup.

If you put “72b302bf297a228a75730123efef7c41” into Google, the very first result will inform you it is the MD5 hash of “banana” – which is correct.

To defeat this, companies use a technique called salting.

This involves generating a random value (the salt) for each user, mixing it into the password before hashing, and storing the salt alongside the resulting hash. The salt does not need to be secret; it only needs to be different for every user. A very simple illustration would be taking the password “banana”, mixing in the salt to produce “b1adn2a3n4a5”, and then hashing that.

Because every user has a different salt, a precomputed dictionary is useless: the attacker has to start from scratch for each individual account. Salting on its own does not make guessing against a single account any slower, so a deliberately slow password-hashing function (bcrypt, scrypt or PBKDF2 with a high iteration count) should be used as well.
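The following Python is an added example, not code from LinkedIn or from the original article. It shows both sides of the argument above: an attacker’s precomputed MD5 lookup table recovering “banana” in one step, and the defender’s alternative of a random per-user salt combined with a slow hash. PBKDF2-HMAC-SHA256 from Python’s standard library is used here as the slow hash; the choice of PBKDF2, the 100,000 iteration count and the wordlist are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed wordlist standing in for an attacker's real one, which would
# contain millions of common and previously leaked passwords.
COMMON_PASSWORDS = ["password", "123456", "banana", "letmein", "qwerty"]

# Assumed cost parameter; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 100_000


def md5_hex(text: str) -> str:
    """Plain, unsalted MD5, as in the article's 'password' and 'banana' examples."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Attacker side: compute hash -> plaintext once, reuse against every breach."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(stolen_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Cracking an unsalted hash of a common password is a single dictionary lookup."""
    return table.get(stolen_hash)


def salted_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Defender side: PBKDF2-HMAC-SHA256. The per-user salt defeats precomputed
    tables; the iteration count makes every individual guess deliberately slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_record(password: str) -> dict:
    """What a site should store per user: the salt, the cost and the hash.
    The salt is random and unique per user, but it does not have to be secret."""
    salt = os.urandom(16)
    return {
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": salted_hash(password, salt, PBKDF2_ITERATIONS).hex(),
    }


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    candidate = salted_hash(password, bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    stolen = md5_hex("banana")
    print("unsalted MD5 of 'banana':", stolen, "->", crack_unsalted(stolen, table))

    alice = create_record("banana")
    bob = create_record("banana")
    print("same password, different salted hashes:", alice["hash"] != bob["hash"])
    print("lookup table against a salted hash:", crack_unsalted(alice["hash"], table))
    print("verify right / wrong password:", verify("banana", alice), verify("bananas", alice))
```

Two users who both chose “banana” end up with different stored hashes, so a table built for one breach tells the attacker nothing about the other, and each guess against a single account now costs 100,000 rounds of HMAC rather than one MD5 call.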

Preventing hacks

While the exact cause of the LinkedIn attack isn’t known yet, many hackers use SQL (Structured Query Language) injection to gain access to protected information.

SQL injection is a simple and common technique, and it was the method used against Sony.

It involves typing specially crafted text into web forms so that the database executes the attacker’s instructions instead of the query the developer intended, exposing or altering data the form was never meant to touch.

Even a simple mailing list form can be manipulated to let a hacker into personal information.

Many companies, such as Sony, underestimate how such simple forms can be misused. That thinking means simple forms are unlikely to attract high levels of protection, which leaves them open to attack.

There are several ways to protect against SQL injection.

The most important is to keep user input out of the query text altogether by using parameterised queries (prepared statements), so that whatever is typed is treated as data and can never be interpreted as SQL.

The second is “input validation”: checking that what is put into the form actually matches what it is supposed to be. So if you’re supposed to be entering your email address, the form will only accept entries that resemble email addresses and not code. Validation is a useful extra layer, but it is not a substitute for parameterised queries.

In addition, companies can limit what the database account used by the website is allowed to do (for example, read-only access to just the tables a form needs), so that even a successful injection cannot dump or modify the whole database.
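The following Python is an added example, not code from Sony, LinkedIn or the original article. It models the mailing-list form described above against an in-memory SQLite table: the same lookup written the vulnerable way (input pasted into the SQL text) and the safe way (a parameterised query), plus the email-shaped input validation the article recommends as a second layer. The subscriber rows, the email pattern and the payload are constructed for the example.

```python
import re
import sqlite3
from typing import List, Tuple

# Constructed sample data standing in for a site's mailing-list subscribers.
SAMPLE_SUBSCRIBERS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
    ("carol@example.com", "Carol"),
]

# Deliberately simple "looks like an email address" check, not full RFC 5322.
EMAIL_PATTERN = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def make_db() -> sqlite3.Connection:
    """Build the in-memory subscribers table used by the lookups below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (email TEXT NOT NULL, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO subscribers VALUES (?, ?)", SAMPLE_SUBSCRIBERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """The mistake: user input is concatenated into the SQL text, so a quote in
    the input changes the structure of the query itself."""
    query = "SELECT email, name FROM subscribers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """The fix: a parameterised query. The SQL and the value travel separately,
    so the input is only ever compared as data and never parsed as SQL."""
    return conn.execute(
        "SELECT email, name FROM subscribers WHERE email = ?", (email,)
    ).fetchall()


def looks_like_email(value: str) -> bool:
    """Input validation: reject anything not shaped like an email address
    before it goes anywhere near the database."""
    return EMAIL_PATTERN.match(value) is not None


def lookup_defended(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """Both layers together: validate the shape, then query with a parameter."""
    if not looks_like_email(email):
        return []
    return lookup_safe(conn, email)


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"  # classic always-true injection typed into the form
    print("vulnerable query returns:", lookup_vulnerable(conn, payload))  # every subscriber
    print("parameterised query returns:", lookup_safe(conn, payload))     # nothing
    print("passes validation?", looks_like_email(payload), looks_like_email("alice@example.com"))
```

With the payload typed into the vulnerable form the query becomes `WHERE email = '' OR '1'='1'`, which is true for every row, so the whole list leaks. The parameterised version looks for a subscriber whose address is literally the string `' OR '1'='1` and finds none, and the validation layer would have rejected the input before any query ran.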

Addressing leaks

Astonishingly, businesses do not always fix their security flaws even when they are attacked.

Sony, for example, has been hacked in the same way twice.

As Dr Philip Branch, network security expert at Swinburne University, explained on The Conversation: “Certain people may have seen the first, really big attack, felt that security at Sony is inadequate and thought: ‘What else can we get up to?’”

As rumours of a breach on music-based social network Last.fm spread today, it is time for all leading companies to evaluate their online security frameworks.
