What is Password Encryption and Why Is It Important for Businesses?
The new currency in the digital age is personally identifiable information (PII). Information about who we are, what we like, how we act, where we go and why we do things is a valuable resource which organizations use to sell to us more effectively.
Users rightly expect businesses to take proper care of this information, because in the wrong hands, it can be used to harm the user. For example, stolen information could be used to commit identity fraud against an individual, and misplaced credentials can be used to log into their accounts to steal financial assets.
The latter attack is known as account takeover (ATO) and cases have skyrocketed in recent years. ATO attacks exploit business logic by logging in using genuine username and password pairs. Sometimes these are stolen in plaintext; more often the passwords are stolen as hashes and cracked offline over time (the attack against the stored password, which is what the rest of this page concerns). Other times criminals simply guess: trying a short list of very common passwords against many accounts (password spraying) or many guesses against a single account (brute force). This is usually automated using bots to flood authentication services with login requests.
Account takeover hurts businesses and their customers
ATO has many negative outcomes for both businesses and their customers. Not only could the user lose access to their account and any associated credits or assets they have stored, but the business must spend time and resources returning the account to the customer and reimbursing the stolen assets.
This also harms the trust between the business and the customer, even though account takeover attacks are usually the fault of another company getting breached, plus the customer not practicing good password hygiene (e.g., re-using the same password across different services).
Despite this, businesses can still minimize the risk of ATO attacks by identifying suspicious traffic based on its behavior, origin or velocity of requests.
But there is another way businesses can protect not just themselves but also other businesses from ATO attacks: through appropriate use of modern password hashing, which this page, following common usage, calls password encryption. It is not a substitute for bot detection, because a correctly stored password is no defence once it has been stolen in plaintext from somewhere else and replayed, but it stops a breach of your own database becoming the raw material for attacks on everyone else.
What is password encryption?
Password encryption, as the term is commonly used, is really password hashing: the server never stores the password itself but runs it through a one-way mathematical function that produces a fixed-length ‘scrambled’ value, the hash. Unlike true encryption there is no key and the process cannot be reversed; when the user logs in, the server hashes what they typed and compares the result with the stored hash. The benefit is that if the database is stolen, the attacker gets hashes rather than passwords and has to guess each one. Hashing does not protect the password while it travels between the browser and the server; that is the job of TLS. Employing an effective password hashing scheme is highly important for business security.
Strong password encryption makes credential stuffing and ATO less viable
At Netacea we use the BLADE Framework® to break business logic attacks like ATO into stages consisting of tactics, techniques and sub-techniques.
While some attacks can go back and forward through the stages, in general every attack must ‘start at the start’. Understanding how these attacks work gives the opportunity to disrupt their ‘kill chain’ early and thwart the attack.
The first tactic of most attacks is resource development, and an essential technique at this stage for ATO attacks is credential acquisition. This is the stage where the attacker obtains usernames and passwords, either partially or in full, to be used against their target.
Most commonly, attackers will buy leaked data from the dark web. This data is usually stolen by other attackers by infiltrating data sources using methods such as phishing, man-in-the-middle attacks or malware.
Properly hashing stored passwords benefits not only a business’s own users but also other businesses, because a breached table of well-hashed passwords yields far fewer working credentials, which makes credential stuffing and ATO attacks much harder for criminals to launch.
What is good and bad password encryption?
“Encryption” here means hashing the password: converting it into a fixed-length string of characters, the “hash”, using a one-way function. No key is involved and the hash cannot be converted back into the password; the only way to recover a password from its hash is to guess candidates, hash each one the same way and look for a match. It is essential to ‘salt’ hashes: a salt is a random value, unique per user and stored alongside the hash, that is mixed into the input. Without it, identical passwords map to identical hashes, so an attacker can crack every user who chose “password” with a single computation, and can use precomputed lookup (rainbow) tables built once and reused against every breach.
The purpose of a password hashing scheme is therefore not to make recovery impossible, since technically any hash can be ‘brute forced’ given enough time and compute resource, but to make every single guess expensive. Good schemes add a deliberately slow, tunable work factor (and ideally a memory requirement); bad ones are general-purpose hashes such as MD5 or SHA-1 that were designed to be as fast as possible.
Depending on the scheme, the cost of a successful brute force attack is often not worth the outcome for criminals, depending on how much time and compute power is needed and how valuable the data is. With an unsalted fast hash, by contrast, a large share of a leaked table typically falls to dictionary attacks within hours.
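The following Python script is an added example, not code from the original article or from Netacea: it puts three constructed user accounts through both a ‘bad’ scheme (unsalted MD5) and a ‘good’ scheme (per-user salt plus PBKDF2-HMAC-SHA256, from the standard library), then runs a constructed four-word attacker wordlist against each leaked table and counts how much work the attacker had to do. The user names, passwords, wordlist and iteration counts are all invented for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample accounts: two users chose the same weak password.
USERS = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}

# Constructed wordlist of the kind an attacker runs first against a leaked table.
WORDLIST = ["123456", "password", "qwerty", "letmein"]

# OWASP's Password Storage Cheat Sheet (2023) recommends 600,000 iterations for
# PBKDF2-HMAC-SHA256. The functions below take the count as a parameter so the
# cracking comparison can be run quickly with a smaller value.
DEFAULT_ITERATIONS = 600_000


def unsalted_md5(password: str) -> str:
    """The 'bad' scheme: fast, unsalted, and the same input always gives the same hash."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_pbkdf2(password: str, salt: bytes, iterations: int) -> bytes:
    """The 'good' scheme: a per-user salt plus a deliberately slow key derivation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> tuple:
    """What the application stores: (salt, derived key). The salt is random, not secret."""
    salt = os.urandom(16)
    return salt, salted_pbkdf2(password, salt, iterations)


def verify_password(password: str, salt: bytes, stored: bytes,
                    iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Recompute with the stored salt; compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(salted_pbkdf2(password, salt, iterations), stored)


def crack_unsalted(leaked: dict, wordlist: list) -> tuple:
    """Attack on unsalted hashes: one precomputed table is reused for every user."""
    table = {unsalted_md5(word): word for word in wordlist}
    found = {user: table[digest] for user, digest in leaked.items() if digest in table}
    return found, len(wordlist)  # hash operations spent, regardless of how many users


def crack_salted(leaked: dict, wordlist: list, iterations: int) -> tuple:
    """Attack on salted hashes: every guess must be recomputed for every user, and
    each guess costs `iterations` HMAC calls instead of a single hash."""
    found = {}
    work = 0
    for user, (salt, digest) in leaked.items():
        for word in wordlist:
            work += 1
            if hmac.compare_digest(salted_pbkdf2(word, salt, iterations), digest):
                found[user] = word
                break
    return found, work


def demo(iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Build both 'leaked databases' from USERS and run the wordlist against each."""
    md5_db = {user: unsalted_md5(pw) for user, pw in USERS.items()}
    pbkdf2_db = {user: hash_password(pw, iterations) for user, pw in USERS.items()}
    unsalted_found, unsalted_work = crack_unsalted(md5_db, WORDLIST)
    salted_found, salted_work = crack_salted(pbkdf2_db, WORDLIST, iterations)
    return {
        # True: alice and bob have the same MD5, so the leak itself reveals password reuse.
        "md5_identical": md5_db["alice"] == md5_db["bob"],
        # False: different salts give different hashes for the same password.
        "pbkdf2_identical": pbkdf2_db["alice"][1] == pbkdf2_db["bob"][1],
        "unsalted_found": unsalted_found,
        "unsalted_work": unsalted_work,
        "salted_found": salted_found,
        "salted_work": salted_work,
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo(iterations=10_000))
```

Note what the salt does and does not buy you: alice and bob, who both chose “password”, are still cracked under the salted scheme, because a wordlist hit is a wordlist hit. What changes is the cost: the unsalted attack spends four hash operations for the whole table however many users it holds, while the salted attack spends one full PBKDF2 derivation (hundreds of thousands of HMAC calls at production settings) per guess per user, and carol’s stronger password costs the attacker the entire wordlist for nothing.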
Anyone can visit haveibeenpwned.com to see which data leaks their email address has been exposed by. The site also gives details on each data breach, including when it was discovered, how many records were leaked, what kind of data was leaked and, where known, whether passwords were stored as hashes, which algorithm was used and whether the hashes were salted.
This gives a good indication of whether the breached company was acting responsibly with its users’ data: a breach described as “unsalted MD5” or “SHA-1” hashes means most of those passwords were effectively recoverable, whereas “bcrypt” or “Argon2” hashes mean the attacker faces a per-password cracking effort.
Popular password encryption tools and their strengths
Here is a short list of commonly encountered password hashing algorithms (often called “password encryption tools”), although many more exist. The first two are general-purpose hashes that should not be used for passwords; the remaining four are purpose-built password hashing functions.
MD5 (Message-Digest Algorithm)
Historically popular, but unsuitable for passwords. MD5’s collision resistance has been broken for years, but that is not the real problem here: it has no built-in salt or work factor and is so fast that commodity GPUs try billions of guesses per second, so a leaked table of MD5 hashes is cracked in bulk with dictionaries and precomputed tables.
SHA-1 (Secure Hash Algorithm)
No longer considered secure: practical collisions were demonstrated in 2017 (the SHAttered attack), which is why it has been retired for digital signatures and certificates. For password storage it has the same flaw as MD5: a fast hash with no salt or work factor. The same applies to a plain, unsalted SHA-256.
PBKDF2 (Password-Based Key Derivation Function)
An older (2000) but still acceptable method. PBKDF2 repeats an HMAC (commonly HMAC-SHA256) over the salted password a configurable number of times, so each guess costs hundreds of thousands of hash operations instead of one. It is not memory-hard, so GPUs still parallelise it well, but with a high iteration count it remains a reasonable choice and is the usual option where FIPS compliance is required.
BCRYPT
One of the most well-regarded password hashing functions. Dating from 1999 and built on the Blowfish key setup, it has a cost parameter where each increment doubles the work, so it can be made slower as hardware gets faster. One caveat: only the first 72 bytes of the password are used, so very long passphrases must be length-limited or pre-hashed.
SCRYPT
A newer purpose-built function that is memory-hard: its parameters (N, r, p) force each guess to use a sizeable amount of RAM as well as CPU time, which sharply cuts the throughput an attacker can get from GPUs or custom hardware.
ARGON2
Winner of the 2015 Password Hashing Competition and the first choice in OWASP’s Password Storage Cheat Sheet (the Argon2id variant). It exposes memory, time and parallelism as separately tunable parameters, giving more flexibility than scrypt.
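All four of the purpose-built functions above have tunable work factors, and the parameters only help if you can raise them later without locking out existing users. The Python script below is an added example, not code from the article or from Netacea, showing the pattern with scrypt from the standard library: each stored hash carries its own parameters in a self-describing string (a format of this example’s own, loosely modelled on the PHC string format real libraries use), and the login path verifies the password and transparently re-hashes it whenever its parameters fall below the current policy. The baseline parameters and the sample passwords are assumptions for the demo; for Argon2 the third-party argon2-cffi library provides the same pattern through `PasswordHasher.check_needs_rehash`.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work-factor parameters this deployment currently wants. Assumed baseline for the
# example (n=2**14, r=8, p=1 needs 16 MiB of RAM per hash); tune for your hardware.
CURRENT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


def hash_password(password: str, params: dict = CURRENT_PARAMS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: $scrypt$n=..,r=..,p=..$<salt>$<key>.

    Storing the parameters alongside the hash is what allows them to be raised later
    without invalidating existing accounts. `salt` is only overridable for tests.
    """
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=params["n"], r=params["r"],
                         p=params["p"], dklen=32)
    return f"$scrypt$n={params['n']},r={params['r']},p={params['p']}${_b64(salt)}${_b64(key)}"


def parse_stored(stored: str) -> tuple:
    """Split a stored record back into (params, salt, key)."""
    _, algo, param_text, salt_text, key_text = stored.split("$")
    if algo != "scrypt":
        raise ValueError(f"unsupported hash type {algo!r}")
    params = {k: int(v) for k, v in (item.split("=") for item in param_text.split(","))}
    return params, _unb64(salt_text), _unb64(key_text)


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the record's own parameters and compare in constant time."""
    params, salt, expected = parse_stored(stored)
    key = hashlib.scrypt(password.encode(), salt=salt, n=params["n"], r=params["r"],
                         p=params["p"], dklen=len(expected))
    return hmac.compare_digest(key, expected)


def needs_rehash(stored: str, wanted: dict = CURRENT_PARAMS) -> bool:
    """True if any stored work-factor parameter is below the current policy."""
    params, _, _ = parse_stored(stored)
    return any(params[k] < wanted[k] for k in ("n", "r", "p"))


def login(password: str, stored: str, wanted: dict = CURRENT_PARAMS) -> tuple:
    """Verify the password; if the record used weaker parameters, upgrade it now.

    Login is the only moment the plaintext is available, so it is the only moment
    the stored hash can be upgraded. Returns (ok, record_to_write_back).
    """
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored, wanted):
        return True, hash_password(password, wanted)
    return True, stored


if __name__ == "__main__":
    legacy = hash_password("correct horse", {"n": 2 ** 10, "r": 8, "p": 1})
    ok, upgraded = login("correct horse", legacy)
    print("login ok:", ok)
    print("was weak:", needs_rehash(legacy), "-> now weak:", needs_rehash(upgraded))
```

The write-back happens only on a successful login, so an attacker who has the database cannot trigger it, and a record that still carries old parameters months later is a sign of a dormant account that may deserve a forced reset rather than a silent upgrade.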
Which of these password hashing methods are you using to secure your passwords, and with what work factor? Are you confident that, if your database were breached somehow, the information lost wouldn’t be easy pickings for ATO attackers?
Get ahead of attackers by getting more information about credential stuffing and account takeover.