
The merits of encryption vs. hashing after the Adobe password breach

In light of the Adobe password breach, expert Michele Chubirka explains the difference between encryption and hashing when storing passwords.

After the big Adobe password fiasco, I read that the stored user account passwords, which were stolen, were encrypted rather than hashed. What's the difference between the two, and which would you suggest to keep enterprise passwords safe?


Passwords have taken a beating over the past year. There seems to be little question among industry professionals that this antiquated method of authentication needs to go gently into that good night, and the Adobe Systems Inc. compromise of more than 130 million passwords is proof. According to various news sources and contrary to best practices, Adobe chose to encrypt rather than hash its stored user passwords.

Separate from the discussion regarding the merit of a chosen encryption method and its implementation, Adobe's choice to encrypt versus hash completely mystified the security community. This is because of the essential difference between hashing and encryption with regard to password storage.

In short, hashing uses a cryptographic function to convert a plaintext of arbitrary length into a fixed-length digest. Hashing is a one-way operation, while encryption is reversible. In other words, with hashing there should be no way to recover the password; the stored hash is simply recomputed and compared each time the password is entered. In theory, no one but the user holds the original password. The intention is to ensure password confidentiality, keeping it known only to the person who created it.

Ideally, the password is also "salted": a random value is combined with the password before it is hashed, so that two users who choose the same password do not end up with the same stored hash. The "salt" is different for each password, increasing the difficulty of cracking the password and recovering the clear text.

A one-time password (OTP) is optimal for authentication, but hashing with salt is always preferable to encrypting the file with a single symmetric key, as Adobe did. While not impossible, cracking is much more difficult when passwords are hashed and salted, so that is the method Adobe should have used.
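To make the salted-hash approach described above concrete, here is an added example (not code from the article or from Adobe) of a minimal password store using PBKDF2-HMAC-SHA256 from the Python standard library. The names PasswordStore, enroll, verify and unsalted_digest are this example's own; the store keeps only a per-user salt and digest, so there is no key whose loss would reveal every password at once.

```python
import hashlib
import hmac
import secrets

# Added example, not from the article: a salted one-way password store.
ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way: derive a fixed-length digest from password + per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def unsalted_digest(password: str) -> bytes:
    """What the article warns against: without a salt, identical passwords collide."""
    return hashlib.sha256(password.encode("utf-8")).digest()


class PasswordStore:
    """Stores only (salt, digest) per user; the password itself is never kept."""

    def __init__(self):
        self._records = {}  # username -> (salt, digest)

    def enroll(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)  # fresh random salt for every password
        self._records[username] = (salt, hash_password(password, salt))

    def verify(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Hash anyway so an unknown user costs the same time as a wrong password.
            hash_password(password, b"\x00" * 16)
            return False
        salt, stored = record
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(stored, hash_password(password, salt))

    def stored_digest(self, username: str) -> bytes:
        return self._records[username][1]


def same_password_same_digest(store: PasswordStore, user_a: str, user_b: str) -> bool:
    """With per-user salts, two users sharing a password still get different digests."""
    return store.stored_digest(user_a) == store.stored_digest(user_b)


if __name__ == "__main__":
    store = PasswordStore()
    store.enroll("alice", "correct horse battery staple")  # constructed sample data
    store.enroll("bob", "correct horse battery staple")
    print("alice ok:", store.verify("alice", "correct horse battery staple"))
    print("digests collide:", same_password_same_digest(store, "alice", "bob"))
```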

What's the takeaway? The Adobe breach is a cautionary tale for all organizations to carefully examine their own password management practices. Hold vendors accountable for insecure methods, keeping in mind the custodial trust we have for the protection of user credentials and confidential data.

This was last published in March 2014



Using a strong password does help a lot even against the attack of cracking the stolen hashed passwords back to the original passwords. The problem is that few of us can firmly remember many such strong passwords. We cannot run as fast and far as horses however strongly urged we may be. We are not built like horses. At the root of the password problem is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
Hashing can also be used as a message authenticator to validate that values, with or without encryption happening upon them, have not been tampered with. A piece describing this application, as well as another look at the differences between hashing and encryption, is here: http://www.iri.com/blog/data-protection/hashing-tables-encryption/