Essential Guide

Formulating and managing online identity and access control

A comprehensive collection of articles, videos and more, hand-picked by our editors

The merits of encryption vs. hashing after the Adobe password breach

In light of the Adobe password breach, expert Michele Chubirka explains the difference between encryption and hashing when storing passwords.

After the big Adobe password fiasco, I read that the stored user account passwords, which were stolen, were encrypted...

rather than hashed. What's the difference between the two, and which would you suggest to keep enterprise passwords safe?

Ask the Expert

Got a vexing problem for Michele Chubirka or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)

Passwords have taken a beating over the past year. There seems to be little question among industry professionals that this antiquated method of authentication needs to go gently into that good night, and the Adobe Systems Inc. compromise of more than 130 million passwords is proof. According to various news sources and contrary to best practices, Adobe chose to encrypt rather than hash its stored user passwords.

Separate from the discussion regarding the merit of a chosen encryption method and its implementation, Adobe's choice to encrypt versus hash completely mystified the security community. This is because of the essential difference between hashing and encryption with regard to password storage.

In short, hashing involves using a cryptographic function to convert an arbitrary number of plain text characters to a fixed-length, encoded string. Hashing is a one-way operation, while encryption is reversible. In other words, with hashing, there should be no way to retrieve the password; you're only matching the hash every time the password is entered. In theory, no one has the original password, except for the user. The intention is to ensure password confidentiality, making it known only to the person creating it.

Ideally, the password is also "salted," which is when randomness is added to the hashing function in order to reduce the likelihood that two passwords will have the same hash.  The "salt" is different for each password, increasing the difficulty of cracking the password and determining the clear text.

A one-time password (OTP) is optimal for authentication, but hashing with salt is always preferable to encrypting the file with a single symmetric key as Adobe did. While not impossible, cracking is much more difficult with passwords that are hashed and salted. Therefore, it should have been the method used by Adobe.

What's the takeaway? The Adobe breach is a cautionary tale for all organizations to carefully examine their own password management practices. Hold vendors accountable for insecure methods, keeping in mind the custodial trust we have for the protection of user credentials and confidential data.

This was last published in March 2014



Find more PRO+ content and other member only offers, here.

Essential Guide

Formulating and managing online identity and access control

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: