The United Kingdom’s Information Commissioner Office has published a security report on vulnerabilities that can often lead to data breaches, highlighting the need to engage in “hashing” and “salting” techniques to protect consumer passwords.
The report was spawned from the ICO’s investigations into data breaches. Those investigations have led to serious and costly monetary penalties that have netted almost about a million pounds to date. The fines have ranged from charging the British Pregnancy Advice Service about 200,000 pounds after user details were revealed to be stored insecurely on the charity’s website to Sony Computer Entertainment Europe failing to updating its software, leading to the details of millions of customers being compromised.
“A hash function is a one-way method which converts a password into a hashed value, often simply called the ‘hash,’” the ICO said in the report. “When a user first registers with a service and provides a password this is hashed and only this hash value is stored. When a user returns and enters their password, the hash is freshly calculated then compared with the stored hash. If the two hashes match, then the user can be authenticated.”
“A ‘salt’ … is a string of random data unique to each user,” the ICO said. “The salt is used by combining it with the user’s password, then hashing the result. The salt is then generally stored alongside the hash in a database. When a user logs in to the service the stored salt and the supplied password are freshly combined and hashed. As in the unsalted method, the new hash and the stored hash are compared to determine if the user should be authenticated. Even though salts will generally be available to any attacker who already has the related list of password hashes, using salts further increases the time and effort involved in mounting a password cracking attack.”
The ICO’s report also called for the need for businesses to have a well-designed “security architecture,” and it recommended what organizations can do to protect data stored on systems that include the segregation of internal-facing and external-facing systems that can aid with data security.
The ICO’s report also outlined the need for businesses to have well designed “security architecture.” It made some recommendations about what organizations can do to protect data stored on systems, including suggesting that the segregation of internal-facing and external-facing systems can help with data security. ICE also identified that businesses should have a software policy in place, and to apply the security updates “as soon as is practical.”
“In just the past couple of months we have already seen widespread concern over the expiry of support for Microsoft XP and the uncovering of the security flaw known as Heartbleed,” said Simon Rice, ICO’s group manager for technology.
Heartbleed is a bug that existed in some versions of encryption software developed via the open source “OpenSSL Project.”
“Our experiences investigating data breaches on a daily basis shows that whilst some organisations are taking IT security seriously, too many are failing at the basics,” added Rice. “If you’re responsible for the security of your organization’s information and you think salt is just something you put on your chips, rather than a method for protecting your passwords, then our report is for you.”