1

I recently saw the following message verbatim on an online application I use. The login is simply a login/password combination. There is no oauth, no two factor authentication, etc...

This sounds like bullshit to me, but I'm no security expert which is why I'm posting it here. Is this possibly true? If so, how would one go about securing their site this way?

To access our secure area, you must enter your Logon ID and Security Code. As a security precaution, we store your Security Code in our database in an encrypted format that even we cannot decode.

bigtunacan
  • 163
  • 1
  • 1
  • 5
  • Encryption (decryption) and encoding (decoding), two completely different things. – Jeroen Nov 12 '15 at 04:41
  • Read all about password storage [here](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords). – Neil Smithline Nov 12 '15 at 06:46
  • @Jeroen-ITNerdbox true, but as that sentence was taken from a website I would assume the marketing person who wrote it doesn't fully understand and is using the terms interchangeably. In the same vain that passwords are generally not _encrypted_ (reversible) but _hashed_ (non-reversible). – Hearth Nov 12 '15 at 23:12

1 Answers1

3

There are several possible ways for this to work, but the primary thing this relies on is them storing your password as a one-way hash. This prevents even them from reversing the hash to get your password, and your password is the key to the decryption.

During login, the password you enter is hashed using the same algorithm and compared to the stored hash, if they match then you must have entered the correct password. Thus, the server can authenticate you without ever needing to know your actual password.

Of course the practical success of this depends on the hashing algorithm used, and the length/complexity of your password.

Assuming you have a good password, and they have used a strong hashing algorithm, preferably using multiple iterations and salt (a random piece of data added to the password prior to hashing to ensure no two people using the same password will have the same hash) then nobody would be able to crack your password, and thence decrypt your data.

Hearth
  • 365
  • 1
  • 11
  • I think you mean `without ever needing to *store* your actual password` as the server does get a plain-text copy of your password during authentication. – Neil Smithline Nov 12 '15 at 06:49
  • @Hearth, ok, this seems to make sense. So in a web application I might have an environment random key that I use when encrypting user data; from this I am able to decrypt since I know the secret key. Here the password is the key. – bigtunacan Nov 12 '15 at 19:34
  • Essentially yes. Typically the key is derived from the password using an algorithm such as [PBKDF2](https://en.wikipedia.org/wiki/PBKDF2) – Hearth Nov 12 '15 at 23:03