I am sure that more than once you have used the same password for different websites. Imagine that one of those websites stores your password on their internal servers. You won’t have to squeeze your imagination for that as, unfortunately, that’s common practice. Now, imagine that those servers are attacked by a group of hackers who manage to get your password. The next thing those hackers will do is use your password to try to access your email account or any other websites you may have registered with and, in many cases, they will succeed.
You can stop imagining now, as that’s exactly what happened to Yahoo in reality a few weeks ago. In this case the stolen data was not obtained directly from Yahoo’s systems. Apparently, Yahoo realized that a number of their user IDs and passwords had been compromised, and after further research, it was discovered that the information had been obtained from a third-party database not linked to Yahoo.
Immediately, Yahoo reset the affected users’ passwords and used two-factor authentication for victims to re-secure their accounts.
In this case we are not talking about a company failing to secure its data but quite the opposite, and we should congratulate Yahoo for having been able to detect the attack and act swiftly to protect its users.
Unlike the Yahoo incident, an attack recently launched on Orange did affect one of the company’s websites. More specifically, the breached site was affected by a vulnerability that allowed the attackers to gain access to personal data from hundreds of thousands of customers, including names, mailing addresses and phone numbers.
Fortunately, it seems that Orange’s systems were configured in a way that prevented the customers’ passwords from being compromised, which limited the damage done to the more than 800,000 users affected by the attack. According to reports, the customers’ passwords and banking details were stored on a separate server which was not impacted by the breach.
In any event, when it comes to protecting passwords from the eventuality of theft, the best policy is simply not to store them. If passwords are not stored, they can’t be stolen, can they? It sounds quite obvious, but not many people seem to apply this simple concept.
Now, the question is: if organizations don’t store users’ passwords, how can they validate users? Very simple. It is enough to ‘salt’ the original password chosen by the user when signing up for the Web service, and then apply a hash function to that ‘salted’ password. Salting the original password means generating a new, different password from it using a previously defined pattern (turning letters into numbers, changing their order, etc.). Next, the system applies the hash function to this alternate password, converting it into a complex string of symbols by means of a one-way algorithm. It is this ‘hashed’ form of the password, not the password itself, that is stored in order to validate the user. From then on, every time the user types in a password, the system applies the same pattern, calculates the hash value, and compares it to the hash stored in the password database. If they match, the user has entered the correct password and access is granted. As you can see, the entire process takes place without the need to store sensitive data such as the password itself.
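The sign-up and login flow described above, as an added example that is not code from the original article or from Yahoo or Orange. It follows current practice rather than a fixed transformation pattern: each user gets a fresh random salt, the hash is a deliberately slow one (PBKDF2-HMAC-SHA256 from Python’s standard library), and only the salt and the hash are written to the user record, so a stolen copy of the database yields no plaintext passwords and forces an attacker into slow, per-user guessing. The record layout, iteration count and function names are my own assumptions.

```python
"""Added example (not from the original article): store only a salted, hashed
form of each password and validate logins against it.

Assumptions (mine, not the article's): a random 16-byte per-user salt from
os.urandom, PBKDF2-HMAC-SHA256 with a high iteration count, and a plain dict
standing in for the password database.
"""
import hashlib
import hmac
import os

# Constructed in-memory "password database": username -> record holding only
# the salt, the iteration count and the derived hash. No plaintext is kept.
USER_DB = {}

# Deliberately slow: tune so one derivation costs ~100 ms on your hardware.
ITERATIONS = 200_000


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Apply the one-way function to the salted password (32-byte output)."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    )


def register(username: str, password: str) -> dict:
    """Create the record at sign-up. Because the salt is random per user, two
    users who pick the same password end up with different stored hashes."""
    salt = os.urandom(16)
    record = {
        "salt": salt,
        "iterations": ITERATIONS,
        "hash": _derive(password, salt, ITERATIONS),
    }
    USER_DB[username] = record
    return record


def verify(username: str, password: str) -> bool:
    """Re-derive the hash from the typed password and compare it to the stored
    one. hmac.compare_digest keeps the comparison constant-time so the
    response time does not reveal how many bytes matched."""
    record = USER_DB.get(username)
    if record is None:
        # Spend about the same time as a real check so that timing alone does
        # not reveal whether a username exists.
        _derive(password, b"\x00" * 16, ITERATIONS)
        return False
    candidate = _derive(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def record_contains_plaintext(username: str, password: str) -> bool:
    """Sanity check: the stored record must never contain the password itself."""
    record = USER_DB[username]
    raw = password.encode("utf-8")
    return raw in record["salt"] or raw in record["hash"]


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("login ok:", verify("alice", "correct horse battery staple"))
    print("login with wrong password:", verify("alice", "Tr0ub4dor&3"))
```

If you need to raise the iteration count later, store it in the record as shown and re-derive at the user’s next successful login; old records keep working with their own count in the meantime.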
Another measure that should be implemented on a massive scale is the use of two-factor authentication. Even though it can be a pain at times, when applied, it makes compromising user accounts a lot more difficult. This is a system that financial institutions have been using for a long time, but which should also extend to other Web services as well.