Basics of Password Storage
Authentication has long been needed to verify whether an individual should have access to a particular resource. From basic door keys that ensure people can only enter the areas they are allowed into, to complex codes used to decrypt military communications, authentication is a key part of our day-to-day lives.
Online, we use authentication to grant access to privileged parts of an application. The most common type of authentication is a username and password.
Basics of Password Storage
Passwords can be stored in various ways, each with a different level of security:
Plain Text
Using this method, a user's password is stored in a database exactly as they enter it on a website. For example, the password “Password1” would be stored as “Password1”. The clear disadvantage of this method is that anyone with access to the database can read the password and reuse it as they wish. No web application should use this method under any circumstances, and if you suspect one of the services you use stores passwords this way you should delete your account. A tell-tale sign that a service stores your password like this is that its “Forgot Password” function is able to email you your existing password.
Encryption
Some websites encrypt user passwords to ensure that they cannot easily be read and reused. This involves putting a password through an encryption function which outputs something completely different, and that output is what is stored in the database. A decryption function is then used to return the original password when needed.
As an example, a simple encryption function would change a number by adding 2 to each digit. So a password entered as “12345” would become “34567”, and that is what the system would store. When decrypting this password we would simply subtract 2 from each digit, giving us the original number.
This system is far more secure than storing plain-text passwords, as the stored values cannot simply be read and reused. However, anyone who knows the encryption algorithm can easily decrypt every password in the database.
Hashing
Hashing is a way of mathematically mapping data of any size to a bit string of a fixed size. That may sound confusing, but it essentially means that passwords stored in systems that use hashing are subjected to a bit of math that changes them into a ‘word’ of a pre-determined length. In contrast to encryption, the stored password cannot then be returned to its original form.
For example, if a user enters the password “Password1” into the system, some math would occur and the system would store the password as “k23jccskjfowe8923jrn”. This stored value cannot be reversed to its original form. When a user tries to log in to a website, the password they enter is hashed again and the result compared to what is stored to determine whether they match.
This is the best way to store passwords, as there is no way for someone to reverse the stored passwords to their original form. The only way to break a password is to feed guesses into the hashing function one by one and check whether the output matches the stored hash. For complex passwords, this would take so long as to be impractical for most attackers.
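The three storage methods above, side by side, as an added example written for this page (not code from the Barking Bird CMS). The plain-text and "add 2 to each digit" functions mirror the post's own examples; the hashing part uses salted PBKDF2-HMAC-SHA256 from Python's standard library. The iteration count, the wrap-around rule for the digits 8 and 9, and the sample password are constructed assumptions.

```python
"""Three ways of storing a password, side by side (added example, not BB code)."""
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # constructed example value, not a BB setting


# --- 1. Plain text: the stored value *is* the password -----------------------
def store_plaintext(password: str) -> str:
    return password  # anyone who can read the database can reuse this directly


# --- 2. Reversible transform: the post's "add 2 to each digit" scheme ---------
# Wrap-around (8 -> 0, 9 -> 1) is assumed here so that digits 8 and 9 stay
# reversible; non-digit characters are left unchanged.
def toy_encrypt(password: str) -> str:
    return "".join(str((int(c) + 2) % 10) if c.isdigit() else c for c in password)


def toy_decrypt(stored: str) -> str:
    # Knowing the rule is enough to recover every password in the database.
    return "".join(str((int(c) - 2) % 10) if c.isdigit() else c for c in stored)


# --- 3. One-way hash: salted PBKDF2-HMAC-SHA256 -------------------------------
def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the login attempt with the stored salt and compare the digests."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest does not stop at the first differing byte, so the comparison
    # time does not reveal how much of the guess was right.
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    pw = "Password1"  # constructed sample password
    print("plain text :", store_plaintext(pw))
    print("toy cipher :", toy_encrypt("12345"), "->", toy_decrypt(toy_encrypt("12345")))
    record = hash_password(pw)
    print("hashed     :", record)
    # Two users with the same password get different records because the salt differs.
    print("same record for a second user with the same password:", hash_password(pw) == record)
    print("login ok   :", verify_password(pw, record))
```

The salt is the part the post's description leaves out: without it, two users with the same password would share a stored hash, and a single precomputed table of hashes would crack every database using that algorithm at once. The salt is stored alongside the hash in the clear; its job is uniqueness, not secrecy.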
What has BB done to improve Password Storage on CMS?
In our latest update to the Barking Bird CMS, we made a big change to the way we store passwords. Whilst we have always hashed passwords, we have now upgraded the hashing algorithm (the bit of math) used to hash them. The result is that passwords stored on our new system should be roughly 100 million times harder to crack (based on generic benchmarks) than they were previously.
This update will be immediately available on all new websites running our CMS and can be retroactively added to existing websites.
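Because a hash cannot be reversed, an existing site cannot simply re-hash its stored values with a stronger algorithm; the plaintext is only available again at the moment a user logs in. One common way to add a stronger scheme retroactively is shown below as an added example. It is not BB's code and assumes nothing about the CMS's actual algorithms: the `v1` and `v2` scheme names, their PBKDF2 iteration counts and the `login` function are all constructed. Each stored record is tagged with the scheme that produced it, and a successful login under an outdated scheme triggers a re-hash with the current one.

```python
"""Upgrade legacy password hashes on next successful login (added example, not BB code)."""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed schemes: a weak legacy one and the current, much slower one.
SCHEMES = {
    "v1": {"iterations": 1_000},    # legacy: cheap to compute, cheap to attack
    "v2": {"iterations": 600_000},  # current: each guess costs 600x more work
}
CURRENT_SCHEME = "v2"


def make_hash(password: str, scheme: str = CURRENT_SCHEME, salt: Optional[bytes] = None) -> str:
    """Return '<scheme>$<salt hex>$<digest hex>' using PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    iterations = SCHEMES[scheme]["iterations"]
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{scheme}${salt.hex()}${digest.hex()}"


def check_hash(password: str, stored: str) -> bool:
    """Verify a login attempt against a record produced by any known scheme."""
    scheme, salt_hex, digest_hex = stored.split("$")
    iterations = SCHEMES[scheme]["iterations"]
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), iterations
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def needs_upgrade(stored: str) -> bool:
    """True when the record was produced by anything other than the current scheme."""
    return stored.split("$", 1)[0] != CURRENT_SCHEME


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate and, on success, migrate an outdated record in place.

    `users` stands in for the database table: username -> stored record.
    """
    stored = users.get(username)
    if stored is None:
        # Do a hash's worth of work anyway so an unknown username takes as long
        # as a wrong password and cannot be told apart by response time.
        make_hash(password)
        return False
    if not check_hash(password, stored):
        return False  # a failed attempt must never touch the stored record
    if needs_upgrade(stored):
        # This is the only moment the server holds the plaintext, so re-hash now.
        users[username] = make_hash(password)
    return True


if __name__ == "__main__":
    db = {"alice": make_hash("Password1", scheme="v1")}  # constructed legacy record
    print("before login:", db["alice"][:2], "needs upgrade:", needs_upgrade(db["alice"]))
    print("login:", login(db, "alice", "Password1"))
    print("after login :", db["alice"][:2], "needs upgrade:", needs_upgrade(db["alice"]))
```

Records that never see a successful login stay on the legacy scheme, so a migration like this is usually paired with a policy for dormant accounts (forced reset or expiry) rather than left open-ended.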