Password Hashing: How Databases Protect Your Passwords

May 5th is Liberation Day in my country (the Netherlands). Although the Allies did not fully liberate the Netherlands until August 1945, soon after the war the Dutch government decided that Liberation Day would take place on May 5th, the date of the German army’s defeat. This year, May 5th fell on a Thursday, and the first Thursday of May is also known as World Password Day.

The main objective of this day is to raise awareness of the importance of generating secure keys to prevent the theft of valuable personal information or even worse: theft of your own identity. Unfortunately, in the ever-increasing digitalized world, a loss of your password to all your accounts is becoming more damaging. 

This year both Liberation Day and World Password Day were on May 5th. With a bit of creativity, you can make a bridge between World Password Day and World War II. As most people know, World War II was the time that the British cracked one of the most sophisticated codes: the Enigma code. Because of this, the Allied forces were able to eavesdrop on all German communication. In the end, breaking this code accelerated the capitulation of Germany and because of this, the cracking of the Enigma code saved millions of lives. 

In this post, I would like to show how password storage evolved throughout the years and how service providers store your passwords in their databases. But let us jump into the origins of World Password Day first.

World Password Day origins 

World Password Day traces back to 2005, when security researcher Mark Burnett published his book “Perfect Passwords”. In this book, he addressed the different strategies for setting up a strong password and proposed establishing a day that would remind all users around the world of the importance of passwords. It was not until 2013 that his idea came to fruition. Software company Intel Security (famous for its antivirus software McAfee) started the initiative to declare World Password Day, which has been celebrated on the first Thursday of May since 2013.

Today, people still see passwords as an inconvenience: as something you must tolerate to be able to use a service you need to have access to. World Password Day tries to change this mindset by pointing out why a strong password is important and what the consequences of a very weak password can be. 

Protecting your digital house

Code cracking and the battle between the code maker and the code breaker have been going on for centuries. Decades ago, your valuables (for instance, money, information/administration, and pictures) were stored in a house or in a bank. These locations were protected with a key or an alarm code. Without this, it was difficult to enter the premises because:

  1. A criminal had to be physically present at the premises to attempt to steal valuables.
  2. A criminal needed to breach the premises with a risk of being caught.

Nowadays, your house will have fewer valuables because most of them are stored in a digital database. Because the limitations of a physical location are removed, the chance of becoming a victim of a crime is bigger:

  1. A criminal does not have to be physically present anymore to try to gain access to your valuables. Someone from a different part of the world does not have to physically travel to your location to try and steal your valuables.
  2. The chance of being caught during an attempt is low because it is easy to hide your identity in the digital world.

So physical houses to store valuables are replaced by digital houses: databases in which people store their valuables like digital money (for instance cashless money and cryptocurrency) and personal information (for instance administration and pictures). Protecting this digital house is important because the harder it is to break in, the bigger the chance that a cybercriminal cannot enter. To protect your digital house, a key needs to be created: a password. The more difficult it is to steal, the less chance there is that somebody will access this digital house. Following the right steps to create a strong password that prevents criminals from entering your digital house is important:

  • Use a password manager that generates passwords of at least 20 characters, combining letters, numbers, and symbols (I use KeePass: a free but strong password manager) 
  • Never use the same password twice 
  • Reset your most important passwords every 90 days by generating a new random password with your password manager 

What many people do not know is that there is a “catch” to this. Your digital house (database) has a property owner (the service provider). This property owner stores your key (password) and every time you want access to your digital house you visit this property owner to pick up your key. Otherwise, you cannot enter your digital house.  

The key to enter your digital house is stored in another database. The way this is done is important because in case the landlord’s database is breached by a criminal, the keys should be hidden. 

This means that when a password is visible to a criminal in a database, the use of a password is obsolete. The criminal can just read the characters of the password in combination with the login credentials: free entry to your digital house.

To prevent this, keys can be protected inside a database by encrypting them. Instead of plain text, a key is stored in a “gibberish” code that needs to be decoded to be able to access a digital house. This way, it is more difficult for a criminal to get access to your digital house. 

This is the true secret of password storage: most people have no idea that the way that passwords are stored is as important as having a strong password.  

How the storage of passwords started: plain text passwords 

In the earliest days of computers, passwords were stored in databases as plain text. If you wanted to sign in, a gatekeeper application asked for your password. This application took what you entered as a password and compared it with the plain text stored in the database; after a match, you were granted access.

In the beginning, this worked without any serious issues but as the internet evolved and expanded, malicious hackers started to gain unauthorized access to the databases where plain-text passwords were stored. They downloaded the plain-text password databases and with this, had immediate access to the passwords of all users that stored their passwords in those respective databases. Because of this, developers and system administrators needed a solution. This solution was called “Password Hashing.” 

Password Hashing 

Password hashing is driven by “Hashing Algorithms.” Hash functions take an input (the piece of text that is your password) and turn it into a string of text that always has the same length.  

There are different hash algorithms available but the most used hash algorithms are the MD family (MD2, MD4, MD5, and MD6) and the SHA algorithm family (SHA-1, SHA-2, and SHA-3). Windows, for instance, uses the MD4 algorithm family. 

To get insight into what the output of a hashing algorithm looks like, you can use a translator. The translator will show how a specific text is translated by a hashing algorithm. The MD4 hash for “Liberation Day” is: f40ac3fabca1ab7b07983fc0789be022. The SHA-3 512 hash for “Liberation Day” is:

549dec26cf7a366080be91045eab744f127a0c39b49012ff1894be4114188d71a6e2f57014da394e4d251f963daf206ad940657af787f38aca652afc54f62af0 

As you can see, the hash key of the SHA-3 512 algorithm is much larger than the one used by Windows: the MD4. The more complex the algorithm, the harder it is for a hacker to hack your password.  

Hash functions are different from encryption because they only work in one way: you can calculate the hash of a password, but you cannot take a hash and turn it back into the original data. By using hashes, a company can verify that you are logging in with the right password without storing your actual password.  

Hashing algorithms out there are optimized for speed: the more hashes per second they can calculate the better. This makes them vulnerable to “Brute-Force” attacks. With a “Brute Force” attack a hacker can still get your password by calculating every password and then reversing the hash function. This can be done by special computer programs. With the current GPUs that are out there, 292 million hashes can be tried. This means that it is only a matter of time before a hashed password is cracked by using the Brute Force technique. And the easier the hash algorithm, the quicker the password is cracked.  

If this is not quick enough, a hacker can also use “Rainbow tables” to accelerate the cracking process. Rainbow tables are lists of precomputed hashes that can be used to quickly find weak and commonly used passwords.  

An additional issue with hashing algorithms is the fact that the hash code is always fixed. This means that if someone else also uses “Liberation Day” as their Windows password, the hash will be the same: f40ac3fabca1ab7b07983fc0789be022. This means that when a hacker cracks the hash of a certain password, he will also know the password of all the people that use the password “Liberation Day” to log into Windows.  

You might think it is very unlikely that different people use the same password but think again: the password “qwerty” for instance has been found over 3 million times in data breaches. Its MD4 (Windows) hash is: 2a4bbeffd06c016ab4134cc7963496d2.

So how can this be randomized, so that the hashes of the same password are never the same? The answer to this: salted password hashes.

Salted Password Hashes 

The “salt” is added before the password is hashed. It is a piece of random data that ensures the hash of your password will always be unique, even if others use the same password. So, if you use the password “qwerty,” the hashes will be different for every person that uses this password. This means that if a hacker cracks the password for one person, it cannot be linked to all other persons that use the same password. Because of this, a hacker has to brute force each password individually, which can take ages. This means that salting is a good defense against precomputed tables like Rainbow tables. Salt slows down a Brute Force attack, but it is still possible.
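
The difference between unsalted and salted storage, as an added example that is not part of the original post. It uses SHA3-512 from Python's standard library; the function names and the sample data are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

def unsalted_hash(password: str) -> str:
    """Fast, unsalted digest: every user with this password gets the same value."""
    return hashlib.sha3_512(password.encode("utf-8")).hexdigest()

def salted_record(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Return (salt_hex, digest_hex). The salt is random per user and stored in the clear."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha3_512(salt + password.encode("utf-8")).hexdigest()
    return salt.hex(), digest

def verify_salted(password: str, salt_hex: str, digest_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_record(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest_hex)

def table_hits(stored_digests: List[str], common_passwords: List[str]) -> int:
    """Count stored digests that appear in a table precomputed without any salt."""
    table = {unsalted_hash(p) for p in common_passwords}
    return sum(d in table for d in stored_digests)

# Constructed sample data: two users who both chose "qwerty".
COMMON = ["123456", "password", "qwerty"]
UNSALTED_DB = [unsalted_hash("qwerty"), unsalted_hash("qwerty")]
SALTED_DB = [salted_record("qwerty"), salted_record("qwerty")]

if __name__ == "__main__":
    print("unsalted digests identical:", UNSALTED_DB[0] == UNSALTED_DB[1])
    print("salted digests identical:  ", SALTED_DB[0][1] == SALTED_DB[1][1])
    print("table hits, unsalted:", table_hits(UNSALTED_DB, COMMON))
    print("table hits, salted:  ", table_hits([d for _, d in SALTED_DB], COMMON))
```

The salt is not a secret: it sits next to the digest in the database, and its only job is to make every record require its own computation.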

Slowed down hash functions: the perfect defense against Brute Force attacks 

To completely prevent a Brute Force attack, you can use another technique: a special hash function. This special hash function is deliberately slowed down. Examples of this are bcrypt, scrypt and Argon2. These hashes completely neutralize brute force attacks.

These hash algorithms take a password as input in combination with a “salt” and a “cost.” The “cost” defines the number of rounds the algorithm goes through and this effectively slows down the algorithm.  

Over time, computers become faster, so the expectation is that Brute Force attacks against these algorithms become easier. That is because they can simply try more combinations in a shorter time span. You can counter this by increasing the “cost” parameter, so the algorithm remains resistant to these attacks.  
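
One way to store a password with a salt and a cost, and to raise the cost later, shown as an added example that is not part of the original post. It uses scrypt from Python's standard library; the record layout `scrypt$cost$salt$hash` and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Tuple

MAXMEM = 64 * 1024 * 1024  # memory ceiling handed to scrypt (cost 14 needs about 16 MiB)

def _scrypt(password: str, salt: bytes, cost: int) -> bytes:
    # The work factor N is 2**cost: each +1 on the cost doubles the work per guess.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**cost,
                          r=8, p=1, maxmem=MAXMEM, dklen=32)

def hash_password(password: str, cost: int) -> str:
    """Return 'scrypt$<cost>$<salt_hex>$<hash_hex>' so the cost travels with the hash."""
    salt = os.urandom(16)
    return f"scrypt${cost}${salt.hex()}${_scrypt(password, salt, cost).hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the salt and cost read back from the stored record."""
    _, cost, salt_hex, key_hex = record.split("$")
    key = _scrypt(password, bytes.fromhex(salt_hex), int(cost))
    return hmac.compare_digest(key, bytes.fromhex(key_hex))

def login(password: str, record: str, current_cost: int) -> Tuple[bool, str]:
    """Verify, then re-hash at current_cost if the record was stored with a lower one.

    Returns (ok, record_to_store). The upgrade can only happen at login,
    because that is the only moment the server sees the plain password.
    """
    if not verify_password(password, record):
        return False, record
    if int(record.split("$")[1]) < current_cost:
        record = hash_password(password, current_cost)
    return True, record

if __name__ == "__main__":
    old = hash_password("Liberation Day", cost=12)   # constructed sample record
    ok, new = login("Liberation Day", old, current_cost=14)
    print(ok, old.split("$")[1], "->", new.split("$")[1])
```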

Options for a service provider to store passwords 

Service providers currently have 4 options at their disposal to manage passwords: 

  • Plain Text 
  • Hashed Passwords 
  • Hashed Passwords with “salt”  
  • Hashed Passwords with “salt” and “cost” 

Normally, developers strive to make algorithms faster. Paradoxically, a better hashing algorithm for passwords is one that is slower, which means it is computationally more expensive.

Application developers like Facebook and Google want to provide useful services to their customers. They have tens of thousands of customers that want to log in at the same time. If they use a hashing algorithm that takes over 5 seconds per hashed password on a server, that means they need 5 servers just to allow 1 user per second. They would need 50,000 servers to be able to allow 10,000 users per second to sign in. For Facebook that might be unacceptable, and they may opt for a faster but weaker hashing algorithm.

To solve this issue, researchers are currently looking for functions like “server-relief.” Server-relief uses a slower hashing algorithm (bcrypt, scrypt, and Argon2), and does the biggest part of the hashing in a web browser when a user is signing in. It uses a workstation’s CPU instead of the computing power of the servers belonging to the service you are signing in to.

The web browser sends the resulting slow-to-compute hash to the server the user is signing in to, which then turns it into a salted and costed hash and stores it. This allows an authentication server to manage all customers signing in at the same time and to use a computationally expensive hashing algorithm without getting overloaded.
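
The split of work described above, as an added sketch that is not part of the original post and not a specific published scheme. The browser side is simulated in Python; the class and function names, and the choice of a single salted SHA3-512 as the server's final step, are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

def client_prehash(password: str, client_salt: bytes, cost: int) -> bytes:
    """Expensive step, run on the user's device (the browser in the text)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=client_salt,
                          n=2**cost, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)

class AuthServer:
    """Server side: one cheap salted hash per login, no scrypt."""

    def __init__(self, cost: int):
        self.cost = cost
        self.users = {}  # name -> (client_salt, server_salt, stored_digest)

    def new_client_salt(self) -> bytes:
        return os.urandom(16)

    def _finalize(self, prehash: bytes, server_salt: bytes) -> bytes:
        return hashlib.sha3_512(server_salt + prehash).digest()

    def register(self, name: str, client_salt: bytes, prehash: bytes) -> None:
        server_salt = os.urandom(16)
        digest = self._finalize(prehash, server_salt)
        self.users[name] = (client_salt, server_salt, digest)

    def client_params(self, name: str):
        """Salt and cost the client needs to redo its share of the work."""
        return self.users[name][0], self.cost

    def login(self, name: str, prehash: bytes) -> bool:
        _, server_salt, stored = self.users[name]
        return hmac.compare_digest(self._finalize(prehash, server_salt), stored)

def demo():
    """Constructed run: register, good login, bad login, replay of a leaked digest."""
    server = AuthServer(cost=12)
    salt = server.new_client_salt()
    server.register("alice", salt, client_prehash("Liberation Day", salt, server.cost))
    salt, cost = server.client_params("alice")
    good = server.login("alice", client_prehash("Liberation Day", salt, cost))
    bad = server.login("alice", client_prehash("qwerty", salt, cost))
    leaked = server.users["alice"][2]      # what a database thief would see
    replay = server.login("alice", leaked)  # the stored value itself does not log in
    return good, bad, replay
```

The server still hashes what it receives before storing it: if it stored the browser's output as-is, that value would work as the password for anyone who copied the database.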

Final Thoughts

It is hard to get total clarity about the protection that big tech companies use to store passwords in their databases. When looking around and searching the storage policies of Google, Meta, Apple, and Microsoft, only limited data is available about how these companies store credentials in their databases. My best guess is that all these big social media/big tech companies use at least hashing in combination with a form of “salting.” I suspect though that “costing” is not used because of the calculating power that servers require and the fact that the “server relief” technology is not available yet.

Because of this conclusion (based on assumptions of course), I would advise doing your research when you need to store valuable information inside a database of a service provider: 

  • Never set up an account if you are not sure that the database is at least using a form of hashing, preferably in combination with at least a “salting” methodology.
  • Always use Multifactor Authentication.
  • Use biometric authentication if possible. A fingerprint is unique and a hacker on the other side of the world will not have your fingerprint: you are the only person who has access to your fingerprint.

Passwords will never be 100% waterproof and there are ways to safely enter your digital home without the need for a password. I will discuss this new way of authentication in my next blog. Believe me: this will be a game-changer soon. 

Feel free to contact me if you have any questions or if you have any additional advice/tips about this subject. If you want to stay in the loop when I upload a new post, do not forget to subscribe to receive a notification by email.

Gijs Groenland

I live in San Diego, USA together with my wife, son, and daughter. I work as Chief Financial and Information Officer (CFIO) at a mid-sized company.
