This year hasn't been great for information safety, to put it lightly — 2019 is on track to become the worst year for data breaches on record. And it's no wonder why. Reports about serious security weaknesses in some of the biggest tech companies worldwide are coming out every other week.
In this year alone, two tech giants admitted to major security flaws in their systems. Facebook admitted that it stored millions of Instagram users' passwords in plain text. A few months later, Google revealed the same about their G Suite users. But why is it such a big deal to keep passwords in plain text? And how are they supposed to be stored?
If passwords are kept in plain text, anyone with internal access can see them. Not to mention that if the database gets breached, hackers would also see the credentials in plain view. So any company that follows at least basic security practices will never actually keep your passwords in its database.
Instead, when you're logging into your account, your password is converted into a complicated string of characters using password hashing algorithms. Then, the hashed password is compared to other hashes in the company's database. If the password hash matches, you're granted access to your account.
But how does hashing work exactly? Hashing is a one-way function to scramble data — it takes readable text and transforms it into a completely different string of characters with a set length.
However, unlike other encryption algorithms that transform data, hashing is nearly impossible to revert. So if hackers get a hold of a database with hashed passwords, hash decoding is a futile task. Nonetheless, there are other ways for cybercriminals to find out the original password.
Cracking the Hash
The biggest problem with password hashing is that if you run a specific word like 'green' through a hashing algorithm, the hashed outcome for that word will always be the same. So let's say cybercriminals get a hold of a database with hashed passwords. No one's stopping them from guessing millions of passwords and running them through the same algorithm to see what the hash for a specific word looks like.
Now, hackers don't just use brute force (by trying to guess all possible password combinations). They base it on what is known as 'dictionary attacks' — using common words and likely combinations like 'password123'. Now hackers can use 'rainbow tables' — precomputed hash databases for the most common passwords.
Strong Versus Weak Hash
That's why there are different types of hashing. For example, hashing algorithms like SHA1 and MD5 are widely considered to be outdated and not so difficult to crack. Now, hash functions like bcrypt, SHA2, and Argon2 don't just hash a password once. They do it thousands of times to ensure you can't trace it back to the original password. That's why NordPass uses bcrypt to hash credentials when you're logging in — it's one of the safest hashing functions out there.
To make the hashing process even more secure, there's seasoning, or more precisely ‘salts’ and ‘peppers’. ‘Salts’ mean that a few random characters, not even known to you, are added to your password, and they're run through a hashing function. A 'pepper' works similarly, but the password and the 'pepper' run through the function together.
Limitations of Hash Functions
There are a few limitations for hash functions, such as hash collisions. It's when two different inputs have the same hash outcome. However, the probability of a collision in most hashing algorithms is exceedingly low, especially in modern functions, so it shouldn't be a big worry.
In conclusion, you can't always tell how strong the function used by your service provider is, so be sure to use strong passwords. You can generate a secure password with the NordPass password generator. Yet, as the Google and Facebook cases show, sometimes your credentials are out in the open in plain text, so be sure to never duplicate your passwords as well. We understand that remembering all those passwords is nearly impossible, so you can always use NordPass password manager.