Websites, web applications, portals, forums and blogs allow users to login and interact with a variety of services. They allow us to comment on stories, transfer bank funds, buy almost anything we can think of, and undertake a mass of work tasks with a few clicks of the mouse and a handful of key strokes. All we need to gain access to this array of wonders is our username and a password.
However, these two very often very simple pieces of data allow access to so much of our lives. It’s no wonder that cyber crooks are so keen to get their hands on lists of usernames and passwords. By hacking into a website, cyber crooks are looking to gain access to the database where your username and password are stored. And on top of this, we do our very best to make it even more tempting for them. That’s because users often don’t like managing a large number of different usernames and passwords. Instead they use one username and password for all their logins, which is a big mistake.
So while your online banking might be locked down like Fort Knox, the small website you signed up to last week might not have the same security behind it. They are easy pickings for online scammers who can get your login data from a soft target then go see where else they can use it to get access. So what can a web developer do to protect your username and password from these nefarious ill-doers? Password hashing of course.
Back in the days of wooden money, square wheels and badly designed websites, passwords were stored in plain text, so that when the website database was hacked your password was gleaned. If you were lucky you were informed by the company running the website that they had been the victims of an intrusion and off you trotted to replace your password at that site and whereever else you used it. Password hashing, however, is a method that web developers use to obscure your password when it is stored in a database or a backend file. This helps to prevent your password from being simply read by prying eyes, both externally and internally. After all, not every database hack comes from the outside, and there are plenty of examples of disgruntled employees flogging your data.
So how do they work? Well a hash, also called a hash code, message digest, or simply digest, is created by using a hashing cryptographic algorithm such as SHA-252 or SHA-512. These convert the password plain text string using a one way mathematical conversion into an alternate fixed length text string – usually a jumble of lowercase & uppercase letters and numbers. The hashing algorithm will always produce the same hash based on the plain text string. The hash will most likely be unique to the plain text string but it is possible for a hashing algorithm to convert two different plain text strings into the same fixed length text string. This is a very small possibility, and is referred to as a hash collision. So rather than store any actual passwords in a database a web developer only stores the hash generated by the password. When a hacker gets a hold of the passwords all they see is a big column of fixed length alpha-numeric entries that are not actually anyone’s passwords. It is possible for a hacker to use a brute force attack to break a hashed password but the cost of the computing power required would make it very difficult. And to get an idea of what would be involved, check out this blog piece on password security.
Some badly developed websites still do not use password hashing, leaving a very real security vulnerability that all too often you hear about in the technology press. So if you’re a web developer and you haven’t hashed your passwords, best get to it, before they get to you.
==== About the Author ====
Ben Jones is a tech writer sharing experiences and investigations into the world of social media, online security and web hosting.