LinkedIn was hit by a security breach earlier this month, resulting in 5.8 million unique password hashes being posted online. If your small business is developing, or plans to develop, its own intranet portal, here are three tips – gleaned from the LinkedIn debacle – to protect user authentication and improve your small business security.
Never Store the Original Passwords
Not storing plaintext passwords may sound like a no-brainer to most small business IT folks, but it is far from obvious to non-IT professionals. The correct way to store a password is to run it through a one-way function and keep only the resulting string, known as a "hash." To authenticate a user, take the password they key in, apply the same hashing algorithm, and compare the result with the previously stored string: a match means the same password was entered, while a mismatch results in denied access. At no point does the plaintext password need to be written to disk.
Hash the Passwords Using a Modern Algorithm
Password hashing algorithms are designed so that a hash cannot feasibly be reversed into the original password, and good ones are deliberately slow to compute so that testing billions of guesses is expensive. While they generally work as advertised, you need to understand that not all hashing algorithms are created equal. Indeed, the programmer who originally wrote the md5crypt function (found on FreeBSD and Linux operating systems) recently penned a blog post exhorting developers to stop using it. Poul-Henning Kamp cited how easily modern computer hardware can brute-force the obsolete algorithm used in md5crypt, and wrote: "As the author of md5crypt, I implore everybody to migrate to a stronger password scrambler without undue delay."
Remember to Salt Your Hash
Finally, it should be noted that the leaked LinkedIn passwords were not stored in plaintext: they were hashed with SHA-1, which is a general-purpose cryptographic hash rather than a purpose-built password hash. Unfortunately, LinkedIn failed to make use of a salt, a random value generated separately for each password and combined with it before the hashing algorithm is applied; the salt is stored alongside the hash so that the same computation can be repeated at login. A rainbow table is a large lookup table of pre-computed hashes that can be matched against a stolen hash to quickly recover the original password. Because a different salt changes the hash of any given password, salting defeats rainbow tables and forces an attacker to crack each account separately, which makes it effectively mandatory today. Note, though, that a salt alone does nothing to slow down guessing; it has to be combined with a slow, modern algorithm as described in the previous tip.
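The three tips above, carried through in working code as an added example (this is not code from the original article or from LinkedIn): the unsalted SHA-1 scheme the leak exposed is shown beside a hardened scheme that stores only a per-user random salt and a deliberately slow PBKDF2-HMAC-SHA256 hash, and verifies logins by recomputing it. PBKDF2 is used here because it ships in Python's standard library; bcrypt or scrypt are equally valid choices. The function names, the record format and the five-entry dictionary standing in for a rainbow table are all assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- The weak scheme the article describes: bare, unsalted SHA-1. ---

def unsalted_sha1(password: str) -> str:
    """Hash a password with SHA-1 and no salt. Every user with the same
    password gets the same hash, which is what makes lookup tables work."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Constructed stand-in for a rainbow table: precomputed unsalted SHA-1 digests
# of a handful of common passwords. Real tables hold billions of entries;
# the principle is identical.
COMMON_PASSWORDS = ["password", "123456", "letmein", "linkedin", "qwerty"]
PRECOMPUTED_SHA1 = {unsalted_sha1(p): p for p in COMMON_PASSWORDS}

def lookup_unsalted(stolen_hash: str) -> Optional[str]:
    """Recover the plaintext behind a stolen unsalted hash by table lookup."""
    return PRECOMPUTED_SHA1.get(stolen_hash)

# --- The hardened scheme: per-user random salt plus a slow key derivation. ---

ALGORITHM = "pbkdf2_sha256"   # hypothetical record label used by this example
ITERATIONS = 200_000          # raise over time as hardware gets faster
SALT_BYTES = 16

def make_password_record(password: str, iterations: int = ITERATIONS) -> str:
    """Return the only thing stored for a user: algorithm$iterations$salt$hash.
    A fresh random salt is drawn per call, so the same password yields a
    different record every time. The plaintext is never stored."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and iteration count and compare
    in constant time. Any record in an unexpected format is rejected."""
    try:
        algorithm, iterations, salt_hex, stored_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), stored_hex)

def lookup_salted(record: str) -> Optional[str]:
    """Run the same precomputed table against a salted record. It cannot hit:
    the table was built without the salt, so the attacker must start over
    for every account."""
    stored_hex = record.split("$")[3]
    return PRECOMPUTED_SHA1.get(stored_hex)

if __name__ == "__main__":
    stolen = unsalted_sha1("password")
    print("unsalted SHA-1 recovered by lookup:", lookup_unsalted(stolen))
    rec_a = make_password_record("password")
    rec_b = make_password_record("password")
    print("same password, different records:", rec_a != rec_b)
    print("login with correct password:", verify_password("password", rec_a))
    print("login with wrong password:", verify_password("Password", rec_a))
    print("salted record recovered by lookup:", lookup_salted(rec_a))
```

Storing the algorithm name and iteration count inside each record is what lets you raise the cost, or move to a stronger algorithm, later: old records keep verifying, and each user can be re-hashed under the new parameters the next time they log in.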
Though the emphasis has typically been on users to select better passwords, the LinkedIn debacle has shown that websites must also play their part in protecting their users' credentials. It is on this front that I hope these tips prove useful to novice programmers, and to managers in charge of programmers or external vendors who are building a new IT system for the company.
Paul Mah covers technology for SMBs for Small Business Computing and for IT Business Edge. He also shares his passion for and knowledge of everything from networking to operating systems as an instructor at Republic Polytechnic in Singapore, and is a contributor to a number of tech sites, including Ars Technica and TechRepublic.