After the big Adobe password fiasco, I read that the stored user account passwords, which were stolen, were encrypted rather than hashed. What's the difference between the two, and which would you suggest to keep enterprise passwords safe?
Ask the Expert
Passwords have taken a beating over the past year. There seems to be little question among industry professionals that this antiquated method of authentication needs to go gently into that good night, and the Adobe Systems Inc. compromise of more than 130 million passwords is proof. According to various news sources and contrary to best practices, Adobe chose to encrypt rather than hash its stored user passwords.
Separate from the discussion regarding the merit of a chosen encryption method and its implementation, Adobe's choice to encrypt versus hash completely mystified the security community. This is because of the essential difference between hashing and encryption with regard to password storage.
In short, hashing involves using a cryptographic function to convert an arbitrary number of plain text characters to a fixed-length, encoded string. Hashing is a one-way operation, while encryption is reversible. In other words, with hashing, there should be no way to retrieve the password; you're only matching the hash every time the password is entered. In theory, no one has the original password, except for the user. The intention is to ensure password confidentiality, making it known only to the person creating it.
Ideally, the password is also "salted," which is when randomness is added to the hashing function in order to reduce the likelihood that two passwords will have the same hash. The "salt" is different for each password, increasing the difficulty of cracking the password and determining the clear text.
A one-time password (OTP) is optimal for authentication, but hashing with salt is always preferable to encrypting the file with a single symmetric key as Adobe did. While not impossible, cracking is much more difficult with passwords that are hashed and salted. Therefore, it should have been the method used by Adobe.
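To make the distinction above concrete, here is an added example (not from the original column or from Adobe) in Python's standard library: unsalted hashing exposes which users share a password, per-password salting with a slow key derivation hides that and still allows verification, while a reversible cipher under one site-wide key (a toy XOR stand-in here, constructed for illustration) hands every password back to whoever holds that key. The sample user list is constructed.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users happen to share the same password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "hunter2"}


def unsalted_hash(password: str) -> str:
    # No salt: identical passwords give identical digests, so a leaked
    # table immediately shows which users share a password.
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes = b"", iterations: int = 200_000):
    # A fresh random salt per password; PBKDF2-HMAC-SHA256 is deliberately slow
    # so that each guess during cracking costs the attacker real work.
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    # Recompute with the stored salt and compare in constant time; the
    # original password is never recoverable from (salt, digest).
    _, candidate = salted_hash(password, salt)
    return hmac.compare_digest(candidate, stored)


def unsalted_table(users: dict) -> dict:
    return {user: unsalted_hash(pw) for user, pw in users.items()}


def salted_table(users: dict) -> dict:
    return {user: salted_hash(pw) for user, pw in users.items()}


def duplicates_visible(table: dict) -> bool:
    # True if any two stored values are identical, i.e. shared passwords leak.
    values = list(table.values())
    return len(values) != len(set(values))


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    # Stand-in for a symmetric cipher with a single site-wide key: XOR with a
    # keystream derived from the key. Reversible by anyone holding the key.
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def toy_decrypt(ciphertext: bytes, key: bytes) -> str:
    # The same key recovers every stored password in clear text.
    return toy_encrypt(ciphertext, key).decode()
```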
What's the takeaway? The Adobe breach is a cautionary tale for all organizations to carefully examine their own password management practices. Hold vendors accountable for insecure methods, keeping in mind the custodial trust we have for the protection of user credentials and confidential data.