Using secure hashing implementations is a must in today's ever-changing cyberspace.
Even as a non-IT client, it's important to know a little bit about how the software around you works.
This will make you more security conscious. Knowledge breeds wisdom.
What are hashes?
Hashes are algorithms (a mathematical way) that transform data into a unique "signature" value. They are used all around you:
- Hardware uses small checksums when any communication occurs. Think about transferring data to your
- Networking uses checksums and hashes for data integrity and verification.
- Software uses hashes to store passwords and sensitive data so it's not plaintext.
- Cryptography uses hashes to make data secure.
Look at the following example, which uses SHA-256:
The text "This is unique" returns c9f432e653fe59450b18d26b264fdd30dfe2f0523715496f3187ef512d9abe92
The text "This IS unique" returns 88a9cb3274031c92e94581d20d81b36c1ba58a2cb0d604d9347bd7872cfb2a6e
The text "This is unique!" returns 8e9d771fcad774960e5e6f2aa5eaf5a1ac93d46de69efe6155d3db16cd4a6981
Notice that even a small change in the input causes an avalanche of changes in the output. This is something that is used in cryptography to make data secure.
The problem with hashes is that if they're not used correctly they can lead to security breaches.
Hashing is used in many places where its function is critical to the correct functioning of the system: password storage mechanisms, transmission of data on the internet, checksums, verifying the integrity of data, and authentication.
Even if you think your application is unbreakable, remember that any application is the sum of all its parts: hardware, drivers, firmware, operating system, underlying libraries and the code you write.
If any of those levels has a vulnerability then your application is vulnerable too.
If you have applications that save the password in plaintext you're putting all your clients and users in danger.
The same is true if your application hashes in MD5.
If you still use MD5 or any other insecure hashing algorithm (https://en.wikipedia.org/wiki/Category:Broken_hash_functions) for passwords, you're looking for trouble.
SHA1 has been broken, but this does not mean that SHA1 is totally unusable. See https://shattered.io/ for more information.
I'd recommend switching to SHA2 or SHA3 implementations just to be sure.
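One way to move stored passwords off MD5 and onto a SHA-2 based scheme, as an added example that is not part of the original article. It assumes PBKDF2-HMAC-SHA256 with a per-user random salt (the article itself names only SHA2/SHA3), and the record format, constants and function names are made up for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 600_000  # assumed work factor for this example; tune to your hardware
PREFIX = "pbkdf2_sha256"  # hypothetical record tag, not a standard format

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a record of the form tag$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{PREFIX}${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> Tuple[bool, Optional[str]]:
    """Return (ok, upgraded_record); upgraded_record is set only for legacy MD5."""
    if record.startswith(PREFIX + "$"):
        try:
            _, iters, salt_hex, digest_hex = record.split("$")
            candidate = hashlib.pbkdf2_hmac(
                "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
            expected = bytes.fromhex(digest_hex)
        except (ValueError, OverflowError):  # malformed record: reject, don't crash
            return False, None
        return hmac.compare_digest(candidate, expected), None
    if len(record) == 32:  # legacy row: bare unsalted MD5 hex digest
        legacy = hashlib.md5(password.encode()).hexdigest().encode()
        if hmac.compare_digest(legacy, record.lower().encode()):
            # Password is known right now, so replace the MD5 row immediately.
            return True, hash_password(password)
    return False, None  # wrong password or unknown format

if __name__ == "__main__":
    # Constructed sample: a legacy row as an MD5-based application would store it.
    old_row = hashlib.md5(b"correct horse").hexdigest()
    ok, new_row = verify_password("correct horse", old_row)
    print(ok, new_row)  # caller writes new_row back to the database
    print(verify_password("correct horse", new_row))
```

Legacy rows are upgraded only when the user next logs in, so accounts that never log in again keep their MD5 record until it is reset or removed.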
This then brings us to the problem of data privacy.
Whenever there is a breach, your username, full name and password, possibly with other data, make it easy for others to impersonate you or try to hack all your accounts.
Data breaches happen every day, even to huge corporations. Just head over to https://haveibeenpwned.com/ to verify whether data containing your account has been compromised somewhere.
We hear about data breaches on various websites daily. The most recent has been the Yahoo breach. This makes you wonder how many people on the dark net know your full name in combination with your username and password.
How to implement it the correct way?
You could even go so far as hashing e-mail addresses and usernames, so that if an attacker ever gains access he can't do anything with the data. To keep it practical, you should use a very fast hashing function for this, or even encrypt the username and e-mail pair in the database. This does bring some overhead, but if you care about your users it won't actually matter.
You can always talk to your developer or the teams of people that maintain your IT department about hashing.
In case you don't have any specialized software developer or a cyber security specialist you can always contact me via the contact page for more information.