The recent Gawker incident should serve as a reminder to all of us that password security is not something that can be taken for granted. Gawker is a popular culture blog site and they own or are affiliated with a handful of other sites numbering around fifteen in all. Last week, a group of hackers released the passwords for some 1.3 million of Gawker’s users.
Although Gawker did not store its passwords in plain text, the leaked hashes were easily cracked because Gawker used DES-based crypt(), a scheme built on the 1970s Data Encryption Standard. It truncates passwords to eight characters and is fast to compute, so an attacker with the database can try an enormous number of guesses against every user.
This was not Gawker's only mistake. Their own employees reused weak passwords across multiple systems, which let the attackers read chat logs containing server names and passwords for the web and database servers. Without access to those servers, the attackers would never have obtained the password database to crack in the first place. A related rule for any site that emails credentials: only temporary passwords, which the user is forced to change the first time they log in, should ever be sent via email.
.NET provides us with a very capable cryptographic services API. It has classes for the same Data Encryption Standard that Gawker's scheme was built on, for "Triple DES" (which, as the name implies, runs DES three times) and for RC2, another older block cipher; modern code should prefer the AES classes over any of these. All of them are symmetric ciphers used for two-way encryption, where you want to be able to decrypt the data at some future time. But if you are operating a website, you should have no need to decrypt your users' passwords. So the right tool for passwords is a one-way transformation, in other words a cryptographic hash function. With a one-way hash, your site stores only a computed value (the "hash") derived from the password, rather than something that lets anyone, including you, retrieve the password.
SHA-1 is a cryptographic hash function: it maps a message of any size to a 20-byte digest, and there is no practical way to run it backwards. It is no longer considered collision-resistant (practical collisions have since been demonstrated), but collision attacks do not by themselves recover a password from its hash. The real weakness of SHA-1, or any fast hash, for password storage is speed: an attacker holding a leaked table can test billions of guesses per second, so password hashes should carry a random per-user salt and be deliberately slowed down with a key-derivation function such as PBKDF2 (Rfc2898DeriveBytes in .NET) or bcrypt. With that caveat, hashing a password with .NET's HMACSHA1 class, using an application secret as the key (a "pepper", which is not a substitute for a per-user salt), is very simple:
using System.Security.Cryptography;
using System.Text;
public byte[] EncryptString(string Password, string Key)
{
    UTF8Encoding enc = new UTF8Encoding();
    byte[] PasswordBytes = enc.GetBytes(Password);
    byte[] KeyBytes = enc.GetBytes(Key);
    using (HMACSHA1 sha1 = new HMACSHA1(KeyBytes))
        return sha1.ComputeHash(PasswordBytes);   // 20-byte keyed SHA-1 digest, not reversible
}
But remember: no algorithm is perfect. Given enough time and computing power, brute force will eventually crack any hash, and the strongest algorithm can be defeated by weak passwords or poor operational practice, as Gawker's leaked chat logs showed.
Don’t get caught out in the cold on security and protecting your online systems. Talk to our eBusiness Solutions team and let’s make sure your data is protected as much as possible in the cloud.
image credit: scott schiller on flickr