Hashed but Not Salted

May 20, 2016 / in Blog, Encryption/Security / by Zafar Khan, RPost CEO

You may remember the 2012 LinkedIn data breach, in which 6.5 million LinkedIn user accounts were believed to have been compromised. According to BBC and LinkedIn itself, the number of affected LinkedIn users from that 2012 data breach could actually be upwards of 100 million, or the majority of the 165 million users LinkedIn had in 2012.

The shocking enormity of this data breach is attracting many security analysts to scrutinize the breach itself. One security expert explained that the LinkedIn problem “stemmed from the fact that LinkedIn had originally ‘hashed’ its passwords but not ‘salted’ them before storing them.”

“Hashed but not salted.”

To most, it sounds like a fried corned beef and potato breakfast dish, hold the salt.

But to information security professionals, “hashing and salting” refers to a best practice among cryptographers.

For the curious, hashing in cryptography is the passing of data through a one-way formula that transforms the original data (i.e. a password, document, email message) into a string of characters that is representative of the original data. If you pass the same data through the formula, you always get the same string of characters (the hash). You cannot take the hash and re-create the data (in reverse) as it is a one-way formula. There are commonly used formulas called Secure Hash Algorithms; this family of cryptographic hash functions has been published by the National Institute of Standards and Technology (NIST) as a U.S. Federal Information Processing Standard (FIPS).

Because these “formulas” are published and commonly used in cryptography, it is common to “salt” the data passed into the “hash” formula.  In the example of salting a password and hashing, one would for example, add a private phrase (the salt) to the end of each password and then pass that password plus phrase combination into the hash formula. This added data makes the output hash unique to the system versus unique to the hash formula. The primary function of salts is to prevent the use of brute force methods to figure out the original information associated with a hash generated using published hash algorithms.

Why is this important?

Hashes with E-Signatures: When it comes to electronic signatures for example, according to ESIGN law, a sound, symbol, or mark, made with intent to sign, is a legal electronic signature. The challenge is then not so much in obtaining a legal electronic signature, but controlling the process so that you receive a record of signoff that can serve as strong evidence if the notion of who agreed to what when is challenged in the future. Services that hash the record of signoff, along with forensic transmission and time stamp data, can elevate the strength of the evidence significantly.

What does this mean? Look for e-signature services that control the process, return strong evidence, and use hashes, for example, to render the record of signoff authenticatable. Services like RMail and RSign make this easy.

Hashes for Privacy: LinkedIn suffered a login and password breach four years ago. A hacker is now selling a group of over 100 million LinkedIn logins in the hacking community. LinkedIn is a savvy technology organization, yet they still failed (at least 4 years ago) to accurately enforce use of best practices for security among their technology team. Because the passwords were not salted before hashing, the hacker was presumably able to program a brute force method to figure out the original password that generated each stored hash.

Know more: How To Send Encrypted Email?

What does this mean? A breach in the past can resurface to haunt users and the victimized company or companies. You should consider using companies that have properly implemented best practices (such as salting data to create a unique hash) to secure your information or to be able to irrefutably verify authenticity of digital data. Further, remember that access to your social media accounts may seem trivial, but these are often the gateways to your personal information or network of trusted relationships that permit sophisticated hackers to conduct BEC imposter email scams to siphon off your money.