30

After reading this article, I can see the benefits of password hashing as a second layer of defence, in the event of an intruder gaining access to a password database. What I still don't understand is this:

Isn't password hashing only important if the system is weak enough to give an intruder access to the password database? If so, then why is such an emphasis put on building secure password databases, instead of secure systems that would prevent unauthorized access to important user information? How is it that hashed password databases are so often stolen?

ANortonsmith
  • 419
  • 4
  • 4
  • 22
    Hashing isn't a second layer of defense its an insurance policy. Implement technology on the under the assumption that eventually the system will be compromised. If Sony, Blizzard, Dropbox, Apple are unable to keep their systems secure what makes you think you can? This is nothing against you, but if companies with near unlimited resources which primary business depends on their system being secured, can't protect their system you have no chance. So implement technolgy to prevent the damage when it happens. – Ramhound Aug 29 '13 at 12:38
  • @Ramhound IIRC Sony's case it wasn't a case of spending a lot of effort but still slipping up; but gross negligence caused by no one considering the possibility of getting hacked. As such I'm not sure they're a good example. – Dan Is Fiddling By Firelight Aug 29 '13 at 15:29
  • 3
    @DanNeely - The fact they didn't consider the possibility is exactly the reason I used them ( also the fact they are easy to remember ). I could move to Twitter, Linken, Gizmodo's parent company if you want more. The point of the statement, assume it will happen and do what you can, to prevent the family of bunnies that will be killed after it happens. – Ramhound Aug 29 '13 at 15:36
  • A further point: processors are nowadays so fast, and attack methods so sophisticated, that it's advisable to **not** use hashing to encrypt passwords. Why? Computing a hash is a very quick operation by design, because the original use case was to check for file integrity. For encrypting passwords, it's better to use an algorithm that'll take much more time to compute than a hash, but which is still quick enough when checking individual passwords. This will slow down brute-force attacks. [Bcrypt](http://goo.gl/T2g0yv) is one such algorithm. [See more here.](http://goo.gl/aiyPKQ) – Teemu Leisti Aug 29 '13 at 15:58
  • @Andy Actually, salting a password won't really effect the time it takes to brute-force. That is because if someone got the hash passwords, they could probably get the salt as well. – ponsfonze Aug 30 '13 at 12:37
  • @ponsfonze I'm sorry, but I think you need to read up on salting more. A salt isn't meant to be a secret at all, its assumed that someone that gets the hashes will get the salts as well. http://en.wikipedia.org/wiki/Salt_%28cryptography%29. The salts purpose is to defeat precomputed rainbow tables. – Andy Aug 30 '13 at 16:56
  • 2
    @ponsfonze If you are cracking one password you are correct - it does not speed up. However in case of massive cracking of whole database you need to crack each password separately. If they would be unsalted you could just hash "monkey" and get all users which have it as password. As they are salt you need to hash "monkey" with each unique salt. (Given that there might be thousands of passwords in database it means that there is much more work to do to process them). – Maciej Piechotka Aug 31 '13 at 13:31
  • 1
    It is incorrect to state that "old" hashing algorithms are fast and "new" ones are slow. Most hashing algorithms were never designed to be used for passwords and there are plenty of new ones that are completely unsuitable. It's off topic for this question, but basically make sure you do your homework and choose a hashing algorithm that is strong and trustworthy, or else your users will be at risk. – Abhi Beckert Sep 01 '13 at 03:12
  • @Andy actually newer hashes tend to be faster. [SHA-3](http://en.wikipedia.org/wiki/SHA-3) was specifically chosen *because* it's so fast *(well, and because it's so different from SHA-2..)* – BlueRaja - Danny Pflughoeft Sep 03 '13 at 20:32
  • @BlueRaja-DannyPflughoeft Yes, I had discovered I was wrong about that aspect. – Andy Sep 04 '13 at 12:26
  • @Andy Thank you for providing that link for me. I'm not sure where you are going with the purpose of a salt with my comment talking about computation time effects of hashing passwords with a salt. – ponsfonze Sep 05 '13 at 23:10
  • @MaciejPiechotka Thanks for bringing up the point where in the case of bruteforcing hashes in a whole unsalted databases, computational time will be reduced by not having to recompute the same hash for each password. However lets also keep in mind that 1000s or more passwords to crack may be insignificant in the future when processors become exponentially faster, or so some have forecasted. – ponsfonze Sep 05 '13 at 23:54
  • @ponsfonze: Still the salting make it 1000 times slower regardless of the technology used (or 1000000 for 1000000 users) - sure it makes less difference beetween 1s and 20 min then 1 day and 3 years but the first example used way too easy hash or passwords anyway. The improvements of processors can be combated by harder problems (memory hard algorithms etc.) – Maciej Piechotka Sep 06 '13 at 05:50

8 Answers8

36

If so, then why is such an emphasis put on building secure password databases, instead of secure systems that would prevent unauthorized access to important user information?

Because this is a really difficult thing to do. There is no way to guarantee that your system is 100% hack-proof. In fact, if you make such a claim on Reddit your site will probably be compromised within an hour.

There is a commonly used term in security called Defence-in-depth. A compromised password database does not only affect your application. Most people will use the same username and password combination for multiple websites. This makes it trivial for an attacker that has compromised a single password database to gain access to multiple services that a user uses. This is why you often see recommendations by websites that have been compromised for the user's to change their passwords on all their accounts.

Even if you only consider your application to be important, there are many things an attacker can do if he has the plaintext passwords of your users. It is difficult for an attacker to directly modify database values without detection. However, with a compromised plaintext password, he can simply log into a user account and make the changes. This is very difficult to detect.

Amory
  • 103
  • 6
  • 8
    The same reason when I rock climb I have a double anchor. Sure, a single clip might be rated to 27kN (enough to hold a Ford F150), but *if* it fails, I still have an insurance policy on my life with that second anchor. – xdumaine Aug 29 '13 at 13:05
34

Experience has taught the community that it's effectively impossible to keep intruders out. It is a question of when, not if, somebody will gain access to a your password database.

Doesn't matter whether you are a random blog or a multi-billion dollar government department, you need to assume that somebody will one day gain access. And quite often, they will have enough access to read the database but not enough access to, for example, insert a man-in-the-middle which grabs plaintext passwords as they're used to authenticate someone.

For example, they might not hack your primary server, they might only hack a server that contains backup copies of your database.

Also, most organisations have many employees. An employee doesn't need to hack your network to view the database, they might already have unfettered access (especially if they're an engineer or sysadmin). There are many reasons why it is a bad idea for your employees to know customer passwords.

Even if your website is completely worthless and it wouldn't matter if somebody hacks into it. The username and password used to log into your website is often exactly the same as the one used to log into other much more important services.

For example, somebody might write a bot that attempts to log into Apple's iTunes store with every username/password in your database, and if successful it starts purchasing things through the store. This attack might be successful for as many as 10% of the users in your database, and many of those users will never even notice they've been billed $4.99. This is not a theoretical attack, it happens all day long every day and attempts to stop it do not always succeed.

EDIT: And in the comments, @emory made another point I forgot: somebody might file a subpoena or use some other legal process to gain access to the database, allowing them to see plaintext passwords unless you have a good hash. Note it's not just law enforcement who can do this, any private lawyer with a strong legal case against you can get access to your database.

Abhi Beckert
  • 703
  • 1
  • 6
  • 11
  • 4
    +1 for the mention of the oft-forgotten attack vector of backups. – user Aug 29 '13 at 08:44
  • 7
    And +1 for insider attacks. An insider silently compromising non-repudiation can have disastrous long term effects and incredibly hard to detect! – Affe Aug 29 '13 at 15:21
  • 5
    The attacker could bypass technical means and just subpoena your database. – emory Aug 29 '13 at 16:07
18

Besides the already stated reasons there is another one:

A password is supposed to be private!

Having it in cleartext means that you or any of your fellow colleagues managing or developing have access to all passwords and you could impersonate any user. Now you're probably thinking - we would never do that, that is wrong!

Think of a bank system: the database administrators would all have access to passwords. This means that they could simply login into your account from anywhere and withdraw money. Would you put your money in such a bank knowing this? Even worse... many people use the same password in multiple locations. They could now login into the bank account and, with enough information in many other places.

Remember that many attacks are inside jobs - people with privileged information. Attackers don't come all from outside.

nsn
  • 726
  • 5
  • 8
6

There are a lot of ways a database with passwords can end up in unwanted hands. If the passwords are not securely hashed when this happens, the owner of the website is responsible and in much trouble, because often the users reuse their passwords on other sites as well. I would like to give you some examples of how a database can leak:

  • SQL injection is an easy attack against your website. I made a small demo to show how easy it is. Just click on the next-arrow to get malicious input. SQL injection can be dealt with by writing clean code, but often you use third party libraries or haven't developed the source code alone, in which case unsafe code could have slipped through.
  • If you are hosting your website with an external provider, at least the staff of the hosting company have free access to the database. Often other people have access as well: maybe you need a developer to fix a certain problem or to extend your page.
  • Backups are a problem too. If backups are not stored with the same care as the running server is secured, or if they are thrown away without erasing them properly, the passwords are leaking.
  • If a server is discarded, it must be cleaned before disposing it. In the case of external hosting, this is not under your control. Cleaning can be quite difficult on RAID systems.
  • More and more data is stored in cloud services. A handy thing, these clouds, but it is also cloudy where your database ends up, and properly cleaning in a cloud may even be impossible.
martinstoeckli
  • 5,149
  • 2
  • 27
  • 32
3

A principle in security is that there is no single bullet-proof mechanism but rather you should rely on multiple mechanisms to protect your system/data. In other words, defense in depth. So rather deciding between (a) securing the password database or (b) securing the system where it resides or is used, you should do both.

britlak
  • 49
  • 2
2

This blog post discusses this question. The summary is that you need password hashing as a second line of defence, when attackers achieve a partial, read-only break. This is a frequent consequence of SQL injection attacks, but also happen when a backup tape is stolen, or when an old disk is discarded. In particular, when a disk fails, the failure can be that of the electronic board, but the magnetic medium still contains all the data. If the disk does not start up, the sysadmin will not be able to (easily) wipe out the contents. But if the disk is simply thrown in a dumpster, an industrious attacker could retrieve it, replace the electronic board, and read all the data.

While it is better to not let attackers peek at your server's entrails in the first place, such breaches do occur in practice, and you'd better have some protection against it. See also this detailed answer for how password hashing should be done; the underlying idea being that in order to verify a user's password, the server MUST contain some password-dependent data, and a complete dump of the server's contents is then enough to "try passwords at home". Thus, password hashing is the best that can be done (theoretically), unless special-purpose tamper-resistant hardware is brought in the picture.

Community
  • 1
Tom Leek
  • 168,808
  • 28
  • 337
  • 475
  • I'd actually take slight exception to the last point. I see what you mean, but anything the server process can do, in principle any software can do; it's mostly a matter of how much money and manpower the attacker wants to throw at the problem. Tamper-resistant hardware can go a long way to mitigate many threats, but it won't eliminate them completely. (That said, I did give you +1 for this.) – user Aug 29 '13 at 18:56
  • What I mean is that if the server uses a key to verify stored MAC values on user passwords, and that key is in a dedicated hardware (a HSM, a smart card) which uses the key but never reveals it, then the attacker who gets a complete copy of the disk still does not have the key, and won't be able to run an offline dictionary attack. Such hardware is _also_ tamper-resistant, but I agree that in this specific case the tamper resistance is irrelevant. – Tom Leek Aug 29 '13 at 19:13
  • One thing to add is that a "partial, read-only" break can turn into a "full" break or even a "root access" break if the attacker is able to obtain the password of a user with administrator privileges. If the admin re-uses that password anywhere, they could potentially gain SSH or FTP access, and even if they don't, there's a decent chance that somewhere in the web application's interface is a way for them to augment their foothold (shell upload, LFI, etc.). Making it difficult for them to determine admin passwords mitigates this greatly. – Anorov Aug 31 '13 at 20:09
0

msn above mentioned the need for in-house privacy; I'd add another reason based on this: you cannot completely trust everyone who has physical access to your database. Hashing protects the database against internal compromise as well as against external compromise.

Jack Aidley
  • 103
  • 3
0

One of the points which I don't think is mentioned in the answers here. I think the main reason for implementing password hashing is not to add an extra layer for attacks from outside, but to simply make them unreadable to those inside the network.
A lot of attacks come from within your trusted network. A pissed off developer or system admin shouldn't be able to read user's unhashed passwords, even if he has access to the database.

Munim
  • 101
  • 3