When a company says it has suffered an attack that has resulted in hackers accessing its databases, there are some important questions it should answer.
One of them is: how well were you looking after users’ passwords?
If they simply say the passwords were “encrypted”, well, that doesn’t really put my mind at rest.
Unfortunately the general public uses the term “encrypted” a lot, and puts a lot of weight behind it, believing that if something is “encrypted” it can’t be decrypted by a hacker. But, sadly, that’s often not the case: encryption is reversible by design, so whoever gets hold of the key can recover the original passwords.
When a password is properly salted and hashed, however, it goes through a one-way process which cannot be easily reversed. Indeed, it can take considerable computer power and time to have a chance of determining a single, simple password, let alone drilling through a database of many millions.
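To make the distinction concrete, here is an added Python example (my own, not code from this post or from either video below) that stores passwords the way the paragraph above describes: a fresh random salt per user, a slow one-way function (PBKDF2-HMAC-SHA256 from the standard library), and a constant-time comparison at login. It also shows why the salt matters: two users who pick the same password end up with different stored records, whereas a bare, unsalted hash lets anyone holding the database see at a glance that they share one. The user names, passwords and the record format are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. 600,000 is OWASP's current recommendation;
# raise it as hardware gets faster. Higher is slower for an attacker and for you.
ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    The salt is stored alongside the digest in plain form: it is not a secret,
    its job is to make every user's hash unique so precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, fresh for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time.

    There is no way to turn the record back into the password; the only thing
    you can do with it is run a candidate through the same one-way process.
    """
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algorithm}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_sha256(password: str) -> str:
    """What NOT to do: a single fast, unsalted hash, shown only for comparison."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo() -> dict:
    # Constructed sample data: two users who happen to choose the same password.
    users = {"alice": "correct horse battery staple",
             "bob": "correct horse battery staple"}
    salted = {name: hash_password(pw) for name, pw in users.items()}
    unsalted = {name: unsalted_sha256(pw) for name, pw in users.items()}
    return {
        # Same password, different salts, so the stored records differ.
        "salted_records_differ": salted["alice"] != salted["bob"],
        # Without a salt the leaked database itself reveals the shared password.
        "unsalted_hashes_collide": unsalted["alice"] == unsalted["bob"],
        "alice_verifies": verify_password(users["alice"], salted["alice"]),
        "wrong_password_rejected": not verify_password(
            "correct horse battery stapler", salted["alice"]),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The record carries the algorithm name and iteration count so the work factor can be raised later without invalidating existing users: verify with the old parameters on their next successful login, then re-hash and store the new record.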
When I speak to the broadcast media, I find it very difficult to explain salting and hashing in a way which doesn’t make their eyes glaze over. Sadly, it can make for pretty dull TV or radio and they feel they simply don’t have the time to explain it all.
Which is probably why the media tend to simply say “encrypted” and not worry about it…
Fortunately, you’ve read this far. Which means you’re interested. And some smart people from the world of security have made short videos which explain why salting and hashing user passwords is a good idea, so I don’t have to.
First up is award-winning security blogger Javvad Malik, who uses a shoe to help him explain things:
And here is Rackspace’s Bret McGowen (he doesn’t use a shoe, but does have a whiteboard):
I hope that helped. If it didn’t, leave a comment below.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.