Monday, January 26, 2009

Internet Security 101: Monster.com data stolen (again?)

Time and time again I see businesses reporting that their sensitive data has been stolen or hacked into. This latest report from PCWorld suggests that Monster.com still has yet to learn some of the basics of security, as this is the second time I recall seeing an article of this nature on Monster.

It doesn't make sense to hash ALL of the data for a customer, because a hash can't be read back, but anything the site only ever needs to verify, never to display, can be stored as a hash. The obvious example is your password. Your social security number is a weaker candidate: there are only about a billion possible SSNs, so a plain hash of one can be reversed by simply hashing every possibility, and an SSN is better kept encrypted, or not kept at all, than hashed.

What is a hash you ask?
A hash is nothing more than an algorithm that accepts an input of any length (usually a file or a string) and produces a fixed-size output, the digest, normally written out as a string of hexadecimal digits. The same input always gives the same digest, and changing even one character of the input gives a completely different one. One of the best-known hashing algorithms is MD5, though it is now considered broken for security use and, as discussed below, is far too fast to be a good choice for passwords.

How does one hash a password?
Depending on whether you're hashing inside a piece of software or just manually at home, you might make use of the cryptography block from Microsoft's Enterprise Library, or you might just open up the terminal (for you Mac users out there) and type the following:
Macintosh:~ chris$ md5 -s "MyPassword"
MD5 ("MyPassword") = 48503dfd58720bd5ff35c102065a52d7
Can't a thief simply figure out the password from the hash?
Not directly. That's the beauty of hashes: they are one-way. Think of them as one-way trains. Once you get on the train and reach your destination, there's no way to ride back home. But if you somehow make your way back to your point of origin, you can hop on the same train and you'll reach the exact same destination again, guaranteed. This is the basis for how authentication works on your average commercial website.
The catch is that a thief doesn't need to reverse the hash. He can hash guesses and look for a match, and since MD5 runs at millions of hashes per second, a dictionary of common passwords, or a precomputed table of digests, will turn up "MyPassword" from the digest above in no time. Two things blunt this attack: a random per-user salt mixed into the input, so that precomputed tables are useless and every account has to be attacked separately, and a deliberately slow password hash such as bcrypt or PBKDF2, so that every guess costs the attacker real time.

During the enrollment / registration process, when you pick your username and password, if the website was properly designed and security was not ignored, the moment you push "register" the site will check that the username doesn't already exist. Once that check passes, your plain text password (together with a freshly generated random salt) is passed to a password hashing function, which spits out the resulting hash. It is this hash, alongside the salt, that is stored in the database table next to your username; the password itself is never written down. Each and every future time you log in, your password and the stored salt go through the same hashing function and the result is compared to the hash in the database. If the hashes match, voila, you're allowed in!
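The following is an added example, not code from the original post, that shows both halves of the discussion above: why the "one-way" property alone doesn't stop a thief (a short dictionary attack recovers the page's own MD5 digest), and what the register/login flow looks like when the stored value is a salted, slow hash. PBKDF2-HMAC-SHA256 from Python's standard library is used as the slow hash; the word list, the iteration count and the user records are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed word list, standing in for the multi-gigabyte lists attackers really use.
WORDLIST = ["123456", "password", "letmein", "MyPassword", "qwerty"]

# Assumed work factor: tune so one verify() takes on the order of 100 ms on your hardware.
ITERATIONS = 100_000


def md5_hex(password: str) -> str:
    """Unsalted MD5 of a password: the kind of store the post's terminal example produces."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_unsalted_md5(stored_hash: str, wordlist=WORDLIST):
    """Offline guessing: hash each candidate and compare to the stolen digest.

    Nothing is 'reversed'; the attacker just rides the same one-way train from
    every likely starting point. With no salt, one precomputed table of digests
    serves against every account in the database.
    """
    for guess in wordlist:
        if md5_hex(guess) == stored_hash:
            return guess
    return None


def register(users: dict, username: str, password: str) -> bool:
    """Registration: refuse duplicate usernames, then store salt + slow hash, never the password."""
    if username in users:
        return False
    salt = secrets.token_bytes(16)  # random per-user salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    users[username] = {"salt": salt, "hash": digest, "iterations": ITERATIONS}
    return True


def verify(users: dict, username: str, password: str) -> bool:
    """Login: recompute the hash with the stored salt and compare in constant time."""
    rec = users.get(username)
    if rec is None:
        # Do the same amount of work for unknown users so response time does not
        # reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * 16, ITERATIONS)
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), rec["salt"], rec["iterations"])
    return hmac.compare_digest(digest, rec["hash"])


if __name__ == "__main__":
    page_digest = "48503dfd58720bd5ff35c102065a52d7"  # the MD5 shown in the post
    print("unsalted MD5 recovered:", crack_unsalted_md5(page_digest))

    users = {}
    register(users, "alice", "MyPassword")
    register(users, "bob", "MyPassword")
    # Same password, different salts: the stored hashes share nothing an attacker can reuse.
    print("alice and bob hashes differ:", users["alice"]["hash"] != users["bob"]["hash"])
    print("alice / MyPassword:", verify(users, "alice", "MyPassword"))
    print("alice / wrong:", verify(users, "alice", "wrong"))
```

Run it and the first line prints "MyPassword", recovered from the digest in seconds with a five-word list; the salted PBKDF2 records below it give two different hashes for the same password, and only the correct password verifies.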

How is it then that I can tell a site that I forgot my password and they will email it to me?
That is your first sign that the site you are signed up with stores your password in a recoverable form, either plain text or reversible encryption. If the password is hashed, the company storing your data cannot work out what it was; all it can do is let you set a new one. That is what the password reset page is for, usually reached through a link emailed to you and sometimes gated by security questions such as "What was the name of your first pet dog?". Those questions are sometimes sold as multi factor authentication (MFA), but they are just another thing you know, the same factor as the password, and often easier to guess.

It boggles the mind that so many large corporations have failed, and still continue to fail, at implementing some of the most basic features of data security. Should you ever be in a position to help enforce data security practices, please please please remember to ask whether sensitive data that never needs to be read back is stored as a salted, slow hash rather than in the clear.

Cheers,
Chris
