Have you ever wondered how password encryption works? Here our Technical Director unpacks the basics and gives us assurance that we are in good hands.
Over the years, clients and staff have asked me,
“Can I get Jane Smith’s password? She has locked herself out.”
Every time I have to say, “No, we don’t have her password.”
Which predictably leads down the path of,
“Then how do we check when someone logs in?”
I say, “We store a hash of the password.”
“Why?” (Also, “What is that?” …More on that later…)
The short answer is security.
If we know their password:
- One of our staff could log in and masquerade as this person, or one of our staff could be accused of doing so.
- Every so often, a software vendor has their data accessed without authorisation, and whatever is stored about passwords leaves with it.
OK, fair enough for #1, but why is #2 relevant?
People are lazy, and not good at remembering things. I would bet a dollar that every person I know has reused a password at least once. People aren’t designed to remember 100 unique passwords.
So if I were to download a list of email addresses and passwords leaked from a major website, I could then try those same usernames and passwords on Facebook, Gmail, Dropbox, your internet banking, etc. (this is known as credential stuffing). If I do this for 1000 people, I might get a handful of successful logins, and now I own your Facebook account.
So, what does Nimblex do?
When you type a new password into Nimblex, it runs the password through a process called ‘hashing’: a one-way function that turns the password into a fixed-length fingerprint. There are a number of different algorithms for this, and as older techniques are ‘broken’, new ones are implemented.
A well-known algorithm, and a convenient one for illustration, is called ‘SHA1’ (SHA-1).
When I type in the word ‘password’, I get 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8.
There is no practical way for me to work backwards from 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 to the word ‘password’. When the user types in their password to log in, we hash it the same way, the same result comes out, and we check it against the hash stored in our database. The password itself never needs to be stored.
However, simply hashing a password is not enough.
People have a tendency to use common words as passwords. What a clever attacker can do is grab a dictionary and hash every word in it, once, ahead of time, producing a lookup table from hash back to word. A ‘Rainbow Table’ is a cleverer, space-compressed form of the same precomputed table.
For advanced readers – Rainbow Tables
If you want more detailed information, have a look at this Wikipedia article: Rainbow Table.
Now that you have a list of passwords alongside their hashes, you can simply look up 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 and read off that the password was ‘password’.
To mitigate these attacks, we take the additional precaution of ‘salting’ our passwords.
To do this, we generate a random sequence for each user, e.g. @bI#%Fsddv#S. When we hash your password, we add this sequence to the password. Thus, it becomes password@bI#%Fsddv#S.
Now your hash is different. It would come out as 52a4c79f48d9594c5b6e034aa7089ea747f6cdd8, and so a rainbow table built for plain hashes is useless. Because every user has their own salt, an attacker would have to build a fresh table per user, which defeats the point of precomputing.
This means that every time you type your password in, we have to look up the ‘salt’ that is stored with your password hash, add it to your password, hash the result and compare it with the stored hash before we allow you to log in.
One caveat worth knowing: a salt stops precomputed tables, but it does not slow down an attacker who has stolen the database and works through guesses for one account at a time, because SHA-1 can be computed billions of times a second on ordinary hardware. That is why current best practice is a deliberately slow, salted password hashing function such as bcrypt, scrypt, Argon2 or PBKDF2 rather than a single SHA-1 of password plus salt.
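To make the hashing, lookup-table and salting steps described above concrete, here is an added worked example in Python. It is illustrative code written for this page, not Nimblex’s implementation. The wordlist and user records are constructed for the example, the salt is random hex from the OS rather than the printable string shown above, and the PBKDF2 iteration count is an assumed value. It reproduces the SHA-1 of ‘password’, recovers it from a precomputed table, shows that a per-user salt defeats that table, and also shows that a salt alone does not stop a per-user dictionary run, which is what the slow-hash functions at the end address.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample data for this example (not a real wordlist or user database).
WORDLIST = ["letmein", "123456", "password", "qwerty", "welcome"]
KNOWN_HASH = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"  # SHA-1 of 'password', as in the post


def sha1_hex(text: str) -> str:
    """Unsalted SHA-1 of a string, as hex: one-way, but fast and deterministic."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Attacker's precomputation: hash every candidate once, keyed by hash.
    A rainbow table is a space-compressed, chained form of this same idea."""
    return {sha1_hex(w): w for w in words}


def crack_with_table(table, digest):
    """Instant reversal for any hash that was precomputed; None otherwise."""
    return table.get(digest)


def new_salt(nbytes: int = 16) -> str:
    """Per-user random salt from the OS CSPRNG. Stored next to the hash; not secret."""
    return secrets.token_hex(nbytes)


def salted_sha1(password: str, salt: str) -> str:
    """The scheme the post describes: SHA-1 over the password with the salt appended."""
    return sha1_hex(password + salt)


def store_salted(password: str) -> dict:
    """What gets written to the database: the salt and the salted hash, never the password."""
    salt = new_salt()
    return {"salt": salt, "hash": salted_sha1(password, salt)}


def verify_salted(record: dict, attempt: str) -> bool:
    """Login check: look up the stored salt, re-hash the attempt, compare.
    compare_digest avoids leaking how many leading bytes matched via timing."""
    return hmac.compare_digest(salted_sha1(attempt, record["salt"]), record["hash"])


def crack_salted(record: dict, words) -> Optional[str]:
    """Targeted dictionary attack on ONE stolen record: the salt is right there,
    so the attacker recomputes each guess with it. Salting does not prevent
    this; it only forces the work to be redone per user."""
    for w in words:
        if salted_sha1(w, record["salt"]) == record["hash"]:
            return w
    return None


# Assumed iteration count for the example; tune so one hash costs ~100 ms on your hardware.
PBKDF2_ITERATIONS = 200_000


def store_slow(password: str) -> dict:
    """Deliberately slow alternative: salted PBKDF2-HMAC-SHA256. Every guess in a
    crack_salted-style attack now costs PBKDF2_ITERATIONS hash calls instead of one."""
    salt = new_salt()
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt), PBKDF2_ITERATIONS)
    return {"algo": "pbkdf2_sha256", "iterations": PBKDF2_ITERATIONS,
            "salt": salt, "hash": dk.hex()}


def verify_slow(record: dict, attempt: str) -> bool:
    """Same login check as verify_salted, using the parameters stored in the record."""
    dk = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("SHA-1('password') =", sha1_hex("password"))
    print("lookup table reverses it to:", crack_with_table(table, KNOWN_HASH))
    rec = store_salted("password")
    print("salted hash:", rec["hash"], "-> table says:", crack_with_table(table, rec["hash"]))
    print("login with the right password:", verify_salted(rec, "password"))
    print("but a per-user dictionary run still finds:", crack_salted(rec, WORDLIST))
    slow = store_slow("password")
    print("PBKDF2 verify (right, wrong):", verify_slow(slow, "password"), verify_slow(slow, "Password"))
```

Run it directly to see each step. The record kept for a user is only the salt plus the hash (plus the algorithm parameters for the slow variant), and the login check is verify_salted or verify_slow, neither of which ever needs the original password.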
What can you do to protect your security?
We recommend two options:
- For your entire organisation, switch to a Single Sign-On (SSO) system. Nimblex supports all SAML2 compliant providers (Azure AD/Office 365, Google Suite, Okta, ADFS, and others).
- Pay for a password manager for your staff. We like LastPass and Dashlane.
By Stuart Murray
Technical Director, EBMS