Anybody's website can be hacked. Everyone from small personal website owners to the US government has suffered from this crime, so nobody is immune. However, there are some basic steps you can take to ensure that if it does happen, not much damage can be done.
Recently, it was discovered that somebody had managed to get hold of about 6.5 million passwords from LinkedIn. That isn't quite as bad as it sounds, as it was only a list of encrypted passwords. So that's OK, isn't it?
Well, no, it most certainly is not all right. What was most astonishing to me was that the passwords were single-pass encrypted without a salt.
Sorry about that. It is hard to write an article such as this without being too technical. For some time now it has been considered common sense that when storing passwords in a database, they should be encrypted. That way, if a hacker does get hold of the database, they will not be able to read the passwords stored in it. Encryption works by applying mathematical formulae to the password in such a way as to produce a string of characters that can only be reached by applying the same formulae to the same password. It is not possible to run the formulae in reverse on the encrypted password to recover the original. This is known as one-way encryption (more precisely, a cryptographic hash function).
Not only that, but the formulae work in such a way that if you were to change just one character of the password, the resulting encrypted password would look completely different.
That sounds like enough, doesn't it? Well, no, it is by no means enough. Hackers keep what are known as rainbow tables: lists of common passwords along with the encrypted version of each. Therefore, if your password is on a common list, the encrypted version of it probably already exists in one of these tables.
In the case of LinkedIn, this is all that they did. They encrypted passwords just once, with a common method of encryption for which many rainbow tables exist. This is astonishing for a company of this size.
So the next stage of password security is multi-pass encryption. For example, imagine if you encrypted the already encrypted password. Not only does this mean that you would have a version that is not on a rainbow table, you will also have doubled the time it takes to check an encrypted password. This is a great idea, and with the advent of fast computer processing power it makes sense to encrypt a password 100 or even 1000 times to increase security.
But security doesn't stop there. If you do only this, then two users on the system with the same password will have the same encrypted password. You cannot tell what that password is, but you can tell that it is the same. To avoid this security hole you use something known as a salt. That is a set of random characters, different for every user, that you concatenate onto the password before you encrypt it. You store the salt alongside the encrypted password. This ensures that the encrypted passwords for users are always unique, and this would be the case even if everyone had precisely the same password.
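The two schemes contrasted above, as an added example that is not code from the original post or from Net Quality: a single unsalted SHA-1 pass (the weakness described for the LinkedIn list) beside a per-user 512-bit salt concatenated onto the password and fed through SHA-512 many times, with the verification step that recomputes from the stored salt. The round counts, the SHA-1/SHA-512 choice and the `pbkdf2_record` variant are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


def unsalted_sha1(password: str) -> str:
    """Single pass, no salt. Equal passwords give equal digests, and a
    precomputed table for SHA-1 maps a digest straight back to a common
    password, which is the weakness discussed above."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_multipass(password: str, salt: bytes, rounds: int = 1000) -> str:
    """The post's scheme: concatenate a random salt onto the password,
    then feed the result through SHA-512 `rounds` times."""
    digest = salt + password.encode("utf-8")
    for _ in range(rounds):
        digest = hashlib.sha512(digest).digest()
    return digest.hex()


def make_record(password: str, rounds: int = 1000) -> dict:
    """Store salt, round count and digest together with the user."""
    salt = secrets.token_bytes(64)  # 512-bit salt, fresh for every user
    return {"salt": salt.hex(), "rounds": rounds,
            "hash": salted_multipass(password, salt, rounds)}


def verify(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = salted_multipass(attempt, bytes.fromhex(record["salt"]),
                                 record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])


def pbkdf2_record(password: str, rounds: int = 100_000) -> dict:
    """Same idea via the standardised PBKDF2 construction in hashlib
    (an assumed alternative; the post does not name a specific algorithm)."""
    salt = secrets.token_bytes(64)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
    return {"salt": salt.hex(), "rounds": rounds, "hash": digest.hex()}


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    alice, bob = "letmein", "letmein"
    print("unsalted equal:", unsalted_sha1(alice) == unsalted_sha1(bob))    # True
    ra, rb = make_record(alice), make_record(bob)
    print("salted equal:  ", ra["hash"] == rb["hash"])                      # False
    print("verify:        ", verify(ra, "letmein"), verify(ra, "Letmein"))  # True False
```

Because the salt is random per user, the two stored digests differ even though the passwords are identical, and a table precomputed for unsalted SHA-1 is useless against them.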
At Net Quality we use 512-bit multi-pass encryption of passwords along with 512-bit salts to ensure that all stored passwords are completely protected. In other words, our stored passwords are several million times more secure than LinkedIn's password database.
No matter how well companies like us encrypt stored passwords, any system is only as safe as the passwords entered by the users. Passwords such as pass, 123456, letmein and mypass are so popular as to be almost pointless. So make sure that your password is as long as possible, with as many combinations of letters, numbers and symbols as possible, whilst remaining memorable. That way, you greatly reduce the chances of having your accounts hacked.