Download the podcast "How LinkedIn Could Have Avoided a Breach"
In the wake of the recent LinkedIn password breach where LinkedIn lost control of over six million passwords, the question of how Internet sites securely store log-in passwords has come into global focus. I recently sat down with Patrick Townsend, founder & CEO of Townsend Security to discuss security best practices for creating hash value passwords:
1. Use only an up-to-date hash method
Because computers have become stronger, faster, and more powerful over the past decade, some of the older hash methods should no longer be used. MD5 and SHA-1 are two outdated hash algorithms that are considered no longer secure. Unfortunately, LinkedIn was using SHA-1 and a poor implementation method, which is what most likely led to their data breach. The newer hash algorithms, SHA-256 and SHA-512 are up-to-date and considered much more secure.
2. Use a hash based on industry standards
The National Institute of Standards and Technology (NIST) publishes standards of hash algorithms. The SHA-2 family of hash algorithms (which includes SHA-256 and SHA-512) is published by NIST as a standard. The goal at NIST is to keep track of hash standards, test and review hashes on a regular basis, and know when it’s time to update them. As hash algorithms become weak and outdated, NIST will withdraw recommendation of those hashes and publish the most secure and up-to-date algorithms. Sites using hashes should always use the most up-to-date hash standards.
3. Use Salts
In hash algorithms, a salt is a critical piece of data that is particularly crucial in Internet applications. A salt strengthens the end result of one-way hashes. If you are hashing small amounts of data like a password or credit card number, using a salt is critical to prevent a “dictionary” or “brute-force” attack.
Ultimately, it is not enough for an Internet site to enforce the use of strong passwords. The problem with thinking that most people will choose strong passwords was revealed with the LinkedIn breach where we saw that too many people were using passwords like “linkedin” and “123456”. Even if a site forces a user to create a strong password by requiring certain length or characters, passwords can still be hacked attacked if they are not protected with a proper hashing method or encryption. These methods should always be employed using hashing best practices. Download our podcast "How LinkedIn Could Have Avoided a Breach" to hear even more about this breach and ways you can keep a similar breach from happening to your organization.