• Resources
  • Blogs
  • What is Password Encryption and Why Is It Important for Businesses?

What is Password Encryption and Why Is It Important for Businesses?

Alex McConnell
Alex McConnell
15/03/22
4 Minute read
passwords illustrate with hand

Article Contents

    The new currency in the digital age is personally identifiable information (PII). Information about who we are, what we like, how we act, where we go and why we do things is a valuable resource which organizations use to sell to us more effectively.

    Users rightly expect businesses to take proper care of this information, because in the wrong hands, it can be used to harm the user. For example, stolen information could be used to commit identity fraud against an individual, and misplaced credentials can be used to log into their accounts to steal financial assets.

    The latter attack is known as account takeover (ATO) and cases have skyrocketed in recent years. ATO attacks exploit business logic by logging in using genuine username and password pairs. Sometimes these are stolen in full, or stolen passwords are encrypted but cracked over time. Other times criminals use brute force to try lists of common passwords. This is usually automated using bots to flood authentication services with login requests.

    Account takeover hurts businesses and their customers

    ATO has many negative outcomes for both businesses and their customers. Not only could the user lose access to their account and any associated credits or assets they have stored, but the business must spend time and resource repatriating the account to the customer and reimbursing the stolen assets.

    This also harms the trust between the business and the customer, even though account takeover attacks are usually the fault of another company getting breached, plus the customer not practicing good password hygiene (e.g., re-using the same password across different services).

    Despite this, businesses can still minimize the risk of ATO attacks by identifying suspicious traffic based on its behavior, origin or velocity of requests.

    But there is another way businesses can help not just themselves but also other businesses from being vulnerable to ATO attacks: Through appropriate use of modern password encryption methods.

    What is password encryption?

    Password encryption is a cybersecurity component that uses mathematical algorithms to disguise a user’s password through ‘hashing’, a process which generates a ‘scrambled’ version of the password to disguise your true credentials while they sit within the server. This means that it can be safely stored and transferred without risk of being intercepted by hackers. Employing effective password encryption tools is highly important for business security.

    Strong password encryption makes credential stuffing and ATO less viable

    At Netacea we use the BLADE Framework® to break business logic attacks like ATO into stages consisting of tactics, techniques and sub-techniques.

    While some attacks can go back and forward through the stages, in general every attack must ‘start at the start’. Understanding how these attacks work gives the opportunity to disrupt their ‘kill chain’ early and thwart the attack.

    The credential stuffing kill chain as defined by the BLADE Framework
    The credential stuffing kill chain as defined by the BLADE Framework

    The first tactic of most attacks is resource development, and an essential technique at this stage for any ATO attacks is credential acquisition. This is the stage where the attacker obtains usernames and passwords, either partially or in full, to be used against their target.

    Most commonly, attackers will buy leaked data from the dark web. This data is usually stolen by other attackers by infiltrating data sources using methods such as phishing, man-in-the-middle attacks or malware.

    Properly encrypting sensitive data using effective password encryption tools benefits not only a business’s users, but also other businesses, because it makes credential stuffing and ATO attacks much harder for criminals to launch.

    What is good and bad password encryption?

    Encryption involves “hashing” the password, which means converting it into a string of characters, or a “hash”, using a key and an algorithm, generally within password encryption tools. The hash can be changed back to the password using the key. It’s good practice to ‘salt’ hashes, which is a method of preventing identical passwords from mapping to the same hash value.

    The purpose of implementing password encryption methods is to prevent attackers from knowing what passwords are without access to the key, however technically any encryption can be ‘brute forced’ given enough time and compute resource.

    Depending on the sophistication of different password encryption methods, the cost of a successful brute force attack is often not worth the outcome for criminals, depending on how much time and compute power is needed and how valuable the data is.

    Anyone can visit haveibeenpwned.com to see which data leaks their email address has been exposed by. The site also gives details on each data breach, including when it was discovered, how many records were leaked, what kind of data was leaked, and whether passwords were encrypted, if so by which password encryption methods, and whether their hashes were salted.

    This gives a good indication of whether the target company was acting irresponsibly with their users’ data, for example if the passwords were inadequately encrypted or unsalted.

    have we been pwned
    Details of which data leaks contained your email address, and how securely your data was being stored, can be found on haveibeenpwned.com

    Here is a short list of examples of commonly used password encryption tools, although many more exist.

    MD5 (Message-Digest Algorithm)

    Historically popular, but because of a known collision attack allowing cracking to complete within seconds, MD5 isn’t deemed a secure password encryption method anymore.

    SHA-1 (Secure Hash Algorithm)

    No longer considered secure because it generates digital fingerprints that can be forged by hackers.

    PBKDF2 (Password-Based Key Derivation Function)

    A reasonably old method for making password cracking much more difficult.

    BCRYPT

    One of the most well-regarded password encryption tools, which uses a slow hash type, making it extremely computationally intensive to crack.

    SCRYPT

    A similar method to bcrypt, newer and requiring even more hardware to crack.

    ARGON2

    A secure key derivation function recommended by OWASP, with more flexibility than scrypt.

    Which of these password encryption methods are you using to secure your passwords? Are you confident that, if your database was breached somehow, the information lost wouldn’t be easy pickings for ATO attackers?

    Get ahead of attackers by getting more information about credential stuffing and account takeover.

    Block Bots Effortlessly with Netacea

    Book a demo and see how Netacea autonomously prevents sophisticated automated attacks.
    Book

    Related Blogs

    Knight chess piece
    Blog
    Alex McConnell
    |
    04/06/24

    What is a Sophisticated Bot Attack?

    Learn about the growing sophistication of bot attacks. Find out how to improve defenses and detect these attacks effectively.
    Robot
    Blog
    Alex McConnell
    |
    28/05/24

    Offensive AI Lowers the Barrier of Entry for Bot Attackers

    Explore the impact of offensive AI and automated attacks. Discover how AI is changing the landscape of cybersecurity.
    Worker helmet
    Blog
    Alex McConnell
    |
    22/05/24

    What is Defensive AI and Why is it Essential in Bot Protection?

    Discover the potential of defensive AI in bot protection. Explore how machine learning can protect against automated attacks.

    Block Bots Effortlessly with Netacea

    Demo Netacea and see how our bot protection software autonomously prevents the most sophisticated and dynamic automated attacks across websites, apps and APIs.
    • Agentless, self managing spots up to 33x more threats
    • Automated, trusted defensive AI. Real-time detection and response
    • Invisible to attackers. Operates at the edge, deters persistent threats
    Book a Demo

    Address(Required)