If you are into authentication at all, there's a good chance you've already heard about the LastPass data breach that occurred over this past weekend. The response to the breach, and to the announcements made since, has been mixed, but it brings into focus a topic that often gets overlooked: password encryption. Encryption itself is nothing new. With the Internet of Things and the recent government 'scandals' over spying on personal information, more and more companies are touting the need for encrypting data. Password encryption is simply the latest public face of cryptography, a field that has thrived for decades because of another commonly overlooked factor in authentication: human nature.
If you’re at all interested in cryptography and how it relates to digital authentication (without getting into too much technobabble), check out the HackerAttacker article on Authentication Best Practices.
3. Password Encryption Matters
What is encryption?
That's a pretty straightforward question, when you think about it. You either know what it is, or you don't. Believe it or not, most people simply do not know what encryption is, or what password encryption entails. Most people take this level of security for granted, assuming that if their password is strong enough, any encryption behind it is simply an added bonus.
In today's authentication world, that is no longer a safe assumption. It is much safer, and indeed much more secure, to operate on the assumption that the database holding your password will eventually be stolen, and to make sure that what the thief gets is hard to turn back into your password.
That is where encryption comes in, or, to be precise about what a well-run service actually does, password hashing: the service never stores the password itself, only a value derived from it by a one-way function, so there is nothing to decrypt, not even for the service's own administrators.
HowStuffWorks has an easy-to-digest description of encryption and how it works, so check it out if you need a detailed refresher. When it comes right down to it, the basic idea of encryption is relatively simple.
The best way to think of encryption, and password encryption by extension, is the cipher on the back of the Declaration of Independence in the Nicolas Cage film National Treasure. Cage and crew find a book cipher: each set of numbers refers to a page in a book, a line on that page, and a letter in that line. In modern password encryption, computers cut out the middleman.
The source text is fed through a substitution or transposition process that turns it into a calculated output text: a jumbled, nonsensical mass of characters to anyone without the key needed to switch it back.
That is the basic concept. With the evolution of computing, cryptography has been taken further: a source text of any size can be reduced to a short, fixed-length string called a hash, which can only be reproduced from exactly the same input and which cannot be turned back into that input. The best part: people don't even have to be involved. No need to chase down the Silence Dogood letters for the next clue.
The reason that password encryption matters is illustrated in vivid detail by the LastPass data breach, if you think about it for longer than it takes to type up a scathing comment. In their own words, "Cracking our algorithms is extremely difficult, even for the strongest of computers." They have good reason for thinking this; when you break their process down to the bone, the total number of cryptographic operations run on a single master password is upwards of 105,000, split across stages on the client and on the server. An attacker holding the stolen database knows the salts and the round counts, so the protection does not come from keeping those secret; it comes from the fact that every single guess at a master password has to be pushed through all of those rounds, which makes guessing slow and expensive in proportion to the strength of the password itself.
If this process were not in place at all, the breach would have been far more devastating: the attackers would have obtained master passwords directly, and could have authenticated straight into users' password vaults, at least for any user who had not enabled two-factor authentication.
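As an added illustration of the two-stage stretching described above (this is example code written for this page, not LastPass's own code; the 5,000 client rounds and 100,000 server rounds, the use of the username as the client-side salt, and the record layout are assumptions made only to make the idea concrete):

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this illustration. The page only says "upwards of
# 105,000" operations across stages; the split below is a constructed choice.
CLIENT_ROUNDS = 5_000    # run inside the user's browser or app
SERVER_ROUNDS = 100_000  # run by the service before the record is stored
KEY_LEN = 32             # bytes; the natural output size of SHA-256


def client_derive(master_password: str, username: str) -> tuple:
    """Client side: stretch the master password into the vault key, then
    derive a login token from that key. Only the token ever leaves the
    device; the master password and the vault key never reach the server."""
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), username.lower().encode(),
        CLIENT_ROUNDS, KEY_LEN)
    # One further round, keyed on the vault key, produces the token the
    # server will see. PBKDF2 is one-way, so the token does not reveal the key.
    login_token = hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode(), 1, KEY_LEN)
    return vault_key, login_token


def server_store(login_token: bytes) -> dict:
    """Server side: pick a fresh random per-user salt and stretch the token
    again. This record is all a database thief gets."""
    salt = secrets.token_bytes(16)
    auth_hash = hashlib.pbkdf2_hmac("sha256", login_token, salt,
                                    SERVER_ROUNDS, KEY_LEN)
    return {"salt": salt, "rounds": SERVER_ROUNDS, "auth_hash": auth_hash}


def server_verify(record: dict, login_token: bytes) -> bool:
    """Recompute the stored value and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_token, record["salt"],
                                    record["rounds"], KEY_LEN)
    return hmac.compare_digest(candidate, record["auth_hash"])


def enroll(master_password: str, username: str) -> dict:
    """Full enrolment: client derivation followed by server-side storage."""
    _, token = client_derive(master_password, username)
    return server_store(token)


def login(record: dict, master_password: str, username: str) -> bool:
    """Full login: client derivation followed by server-side verification."""
    _, token = client_derive(master_password, username)
    return server_verify(record, token)


def work_per_guess() -> int:
    """HMAC-SHA256 iterations an attacker must pay for one candidate master
    password when only the server record is in hand (client rounds, the
    token round, then the server rounds)."""
    return CLIENT_ROUNDS + 1 + SERVER_ROUNDS


if __name__ == "__main__":
    rec = enroll("correct horse battery staple", "alice@example.com")
    print("correct password accepted:", login(rec, "correct horse battery staple", "alice@example.com"))
    print("wrong password rejected:  ", not login(rec, "correct horse battery stable", "alice@example.com"))
    print("iterations per attacker guess:", work_per_guess())
```

Two design points worth noticing. The server stores neither the master password nor the vault key, only a salted, stretched hash of a token derived from them, so a stolen record cannot be replayed as a login and cannot decrypt a vault. And because the client-side salt here is the username, an attacker who targets one specific user could precompute the client stage for that user in advance; the random server-side salt is what forces every record to be attacked individually, at the full cost returned by `work_per_guess()` for each candidate.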
Password encryption will always matter because there will always be people who seek to delve deeply into your secrets.
Secrets are valuable; secrets are important.
2. The Type of Password Encryption Matters
Note that I said LastPass puts the master password through a series of over 105,000 cryptographic operations; that is a high number, and it is in LastPass's favor because many systems put a password through a single pass of a fast hash before storing the result. The number of rounds does not make the output any harder to "undo" (a hash is not undone at all); what it does is multiply the cost of every guess an attacker must make, so a hundred thousand rounds makes guessing a hundred thousand times slower than a single round.
LastPass uses PBKDF2 with SHA-256 (written PBKDF2-SHA256) as the key derivation function behind this process.
That sounds like a very long bunch of gibberish when you read it out loud, or even to yourself.
And yes, somebody is probably laughing at you for trying to say that phrase out loud.
Each part of that name has its own variations and permutations. SHA (the Secure Hash Algorithm family; SHA-1 and SHA-2 were designed by the NSA) is not a single function: the SHA-2 family alone comes in six variants (SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256), quite apart from the older SHA-1.
Depending on the size of the digest you want and the platform you are running on, each member of the family has its uses (the 512-bit variants are typically faster on 64-bit processors, for example). SHA-1, on the other hand, has known weaknesses in its collision resistance that make it much weaker than its younger siblings, and it should not be chosen for new designs, even though collision resistance is not the property a password hash most depends on.
On top of that, we haven't even mentioned the PBKDF2 part of LastPass's method: a function published by RSA Laboratories in PKCS #5 (the Password-Based Cryptography Specification, also available as RFC 2898), one of the fifteen numbered standards in the Public-Key Cryptography Standards series. Admittedly, several of the PKCS standards are no longer active, having been withdrawn or superseded by stronger methods.
The point? How your password encryption is done matters.
The costlier each guess is, the more time you have to change the password to your crucial information before an attacker can recover it from the stolen data. When you operate under the assumption that your logon information will eventually be taken, you prepare for that outcome, and your response is that much quicker.
That's right: knowing how your password encryption is handled tells you how much time you realistically have when a breach is announced. That is important knowledge to have, because more likely than not your logon information will be exposed at some point.
Just take a look at InformationWeek's Dark Reading website: its Attacks/Breaches section is constantly updating to reflect the breaches of the day. It hasn't slowed down, only sped up.
That brings me to my final point…
1. Your Password Still Matters
Go ahead and read that heading again, please. Don’t worry; I’ll still be here when you get back.
That is a serious point that most people overlook: no matter what protection is applied to your chosen password, the strength of that password directly determines how many guesses an attacker has to make. The hashing is never "broken"; the attacker simply tries candidate passwords until one matches, and a weak password is matched early.
A dictionary attack is the common name for an attack that works through lists of common words, phrases and previously leaked passwords, hashing each candidate and checking for a match. If your password is basic enough to appear in such a list, you are weakening the very foundation of your security, regardless of how many rounds the service runs.
Until the day we completely remove the password from authentication (and that day still looks to be a ways out), password encryption is going to be an integral part of keeping intruders away from your valuable information. Just like a soldier who crumbles before an army without a phalanx to back him, your password must remain strong to fend off the first waves of any attack, bolstering the defense of the encryption that, in turn, protects it.
I've written about password strength before, and it is something that is constantly debated, alongside password encryption. But people tend to forget just how important that factor truly is. Even with two-factor authentication (another method of security you can learn more about in our free Flexible 2FA Tech brief), a strong password is a must in order to build the best, most impenetrable defense possible.
Avi Kak has a series of lecture notes posted on the Purdue website that illustrate dictionary and rainbow-table attacks in detail. The lecture is called The Dictionary Attack and the Rainbow-Table Attack on Password Protected Systems. While that is a mouthful, the notes offer a significant amount of detail supporting the importance of password strength. One of the big takeaways for me was the relationship between password length/complexity and the size of the tables involved. The longer and more complex your password, the larger the table an attacker needs to precompute, and the longer it takes to get through your layers of defense. Two caveats a practitioner would add: a precomputed table is only reusable at all if the hash is unsalted, so a per-user salt (which LastPass uses) forces the attacker back to guessing each record individually; and length adds more to a password than complexity rules do, because every extra character multiplies the number of candidates. When it comes to passwords, longer is always better.
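To make the attacker's side concrete, here is an added example (written for this page, not taken from the lecture notes or from LastPass) of an offline dictionary attack against stolen records of the salted, stretched kind discussed above, with a precomputed lookup table beside it for comparison. The wordlist, the records and the hashing rate used in the cost estimate are all constructed; the round count is kept at 20,000 so the demo finishes quickly, and the estimate scales it back up to 105,000.

```python
import hashlib
import os

ROUNDS = 20_000   # kept small for the demo; estimate_seconds() scales to 105,000
DKLEN = 32

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "123456", "qwerty", "letmein", "iloveyou",
            "Summer2015", "lastpass", "monkey", "dragon", "Password1"]


def derive(candidate: str, salt: bytes, rounds: int) -> bytes:
    """PBKDF2-HMAC-SHA256, the same function the defender used to store it."""
    return hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, rounds, DKLEN)


def make_record(password: str, rounds: int = ROUNDS) -> dict:
    """A stored record of the salted, stretched kind: what a thief steals."""
    salt = os.urandom(16)
    return {"salt": salt, "rounds": rounds, "hash": derive(password, salt, rounds)}


def dictionary_attack(record: dict, wordlist) -> tuple:
    """Try each candidate against one record, paying the full round count per
    guess. Returns (password or None, HMAC iterations spent)."""
    spent = 0
    for word in wordlist:
        spent += record["rounds"]
        if derive(word, record["salt"], record["rounds"]) == record["hash"]:
            return word, spent
    return None, spent


def unsalted_sha1(word: str) -> str:
    """The weak, single-pass, unsalted storage many sites used instead."""
    return hashlib.sha1(word.encode()).hexdigest()


def precompute_unsalted(wordlist) -> dict:
    """A rainbow-table stand-in: hash the dictionary once, then reuse it
    against every stolen unsalted hash with a single lookup each."""
    return {unsalted_sha1(w): w for w in wordlist}


def precompute_salted(wordlist, salt: bytes, rounds: int) -> dict:
    """The same idea against a salted record: the table is bound to one salt,
    so it only ever helps against that one user's record."""
    return {derive(w, salt, rounds): w for w in wordlist}


def estimate_seconds(guesses: int, rounds: int, hmac_per_second: float) -> float:
    """Time for an attacker able to compute hmac_per_second HMAC-SHA256
    operations to make `guesses` attempts at `rounds` iterations each."""
    return guesses * rounds / hmac_per_second


if __name__ == "__main__":
    weak = make_record("letmein")
    strong = make_record("velvet-otter-fjord-92-candle")
    print("weak record:  ", dictionary_attack(weak, WORDLIST))
    print("strong record:", dictionary_attack(strong, WORDLIST))
    table = precompute_unsalted(WORDLIST)
    print("unsalted SHA-1 of 'qwerty' found by lookup:", table.get(unsalted_sha1("qwerty")))
    other = make_record("letmein")
    salted_table = precompute_salted(WORDLIST, weak["salt"], weak["rounds"])
    print("salted table hits same user:", salted_table.get(weak["hash"]))
    print("salted table hits other user, same password:", salted_table.get(other["hash"]))
    # Assumed rate of 1e9 HMAC-SHA256/s for a GPU rig: a billion guesses take
    # one second against a single-pass hash but over a day at 105,000 rounds.
    print("1e9 guesses, 1 round:       %.0f s" % estimate_seconds(10**9, 1, 1e9))
    print("1e9 guesses, 105000 rounds: %.0f s" % estimate_seconds(10**9, 105_000, 1e9))
```

The weak record falls on the fourth guess no matter how many rounds are configured, which is the point of the heading above; the strong one survives the whole list, and the only way to reach it is more guesses, each paid for in full. The two precomputed tables show the difference a salt makes: the unsalted SHA-1 table answers any stolen hash by lookup, while the table built for one salted record does nothing against another user who chose the very same password.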
Of course, the fact that there was a LastPass data breach to discuss at all is cause for concern for a lot of users. It definitely brings password encryption into a new light, and that might be a light not everyone understands. If you dig deeper, however, you can see that the LastPass breach is not an instance of under-preparation, or even of weak security, but a product of an age in which data breaches are at an all-time high and even our highest-ranking security companies are not without risk.
Knowledge is one of the best defenses out there. The LastPass data breach taught me the importance of password encryption and cryptography in an age where information truly is power. Know where you stand with your security, and make sure you have the appropriate level of password encryption for your needs: any bit of data, no matter how small, is worth a fortune in the right hands.