(Ping! Zine Web Hosting Magazine) – Datarealm, a leading provider of cloud, virtual private server, and dedicated server hosting, has commented on the importance of following best practices when hashing and salting passwords.
The company, a hosting provider for hundreds of web services that rely on passwords for authentication, has highlighted the recent security breach at the LastPass password management service and the way in which proper hashing and salting of passwords helped keep users safe even though hashed master passwords were leaked.
As reported by Dan Goodin in Ars Technica on June 15, LastPass suffered a network breach that allowed attackers to gain access to hashed passwords, salts, and other sensitive information. Users of LastPass are at little risk, because LastPass uses salted hashes and repeated rounds of hashing with slow hashing algorithms. It is highly unlikely that the attackers will be able to reverse the hashes because of the slow algorithms used: the resource requirements would be extreme.
Unfortunately, the use of slow hashing algorithms is not yet an industry standard. Many sites and services employ very fast hashing algorithms like SHA1, whose hashes are trivially easy to crack by guessing candidate passwords at high speed with the technology available to online criminals.
“If you run an Internet-facing service, the safe bet is that eventually you will be the victim of a security breach. It is as important to ensure that leaked data is useless to attackers as it is to invest in external network protections like firewalls,” advised Andrew Auderieth, CEO of Datarealm. “Secure hashing with salts using slow hashing algorithms will significantly degrade the ability of online criminals to leverage stolen data for identity theft and other malicious purposes.”
Slow hashing algorithms like the PBKDF2-SHA256 employed by LastPass are computationally intensive and consume more resources than faster algorithms, but the security benefits are considerable. It is embarrassing for companies to suffer data loss, but the damage to a business’s reputation can be substantially mitigated if it can assure users that it invested in the technology to keep them safe.
Founded in 1995, Datarealm was one of the first Web hosting companies in the world. Datarealm has maintained its position as a trusted industry leader by continuously investing in cutting-edge web technologies and a commitment to extraordinary customer service. Datarealm’s current web hosting products include an advanced secure cloud hosting platform, dedicated servers, virtual private servers, and shared hosting. For more information, visit http://www.datarealm.com/