Security Interlude: The real-world difference between Hashing and Encryption

Last week we learned about the other half of the encryption/hashing relationship. Hopefully you remember the cake/safe deposit box analogy that we’ve been exploring from this StackOverflow answer.

The cake vs safe deposit box analogy really is excellent. Hashing is a one-way process (you can’t unmix the ingredients in a cake), and encryption is more of a lock-and-key approach (you CAN remove the contents of your safe deposit box). There is a very important difference between these: if you ever, EVER store your users’ passwords as encrypted strings, there is always a possibility for your users’ plain-text passwords to be retrieved by a hacker. With a hash, a hacker may be able to reset your users’ passwords to something they know, thus gaining access to your users’ accounts — but they won’t be able to retrieve your users’ passwords.
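To make the asymmetry concrete, here is an added example (not code from the original post) that stores a password both ways and shows what a leaked database gives up in each case. The "cipher" is a constructed toy keystream built from SHA-256 so the script runs on the standard library alone; it stands in for a real symmetric cipher like AES and is not for real use, and the plain SHA-256 hash is the naive scheme the later posts in the series harden.

```python
import hashlib
import hmac
import os

# Constructed demo: a toy keystream cipher so the example needs only the stdlib.
# It models "encryption": reversible by anyone who holds the key.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt_password(key: bytes, password: str) -> bytes:
    """Safe deposit box: the record can be opened again with the key."""
    nonce = os.urandom(16)
    data = password.encode()
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def decrypt_password(key: bytes, record: bytes) -> str:
    nonce, body = record[:16], record[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode()

def hash_password(password: str) -> str:
    """Cake: a one-way digest (plain SHA-256 here; still weak, as the next posts show)."""
    return hashlib.sha256(password.encode()).hexdigest()

def verify_hashed(password: str, stored: str) -> bool:
    # Login check: re-hash the candidate and compare; the digest is never reversed.
    return hmac.compare_digest(hash_password(password), stored)

def recover_from_encrypted_db(encrypted_db: dict, key: bytes) -> dict:
    """What an attacker holding the leaked DB *and* the key gets from encrypted storage:
    every user's plain-text password, reusable on every other site."""
    return {user: decrypt_password(key, rec) for user, rec in encrypted_db.items()}

if __name__ == "__main__":
    key = os.urandom(32)                      # constructed demo key
    users = {"alice": "correct horse", "bob": "hunter2"}   # constructed sample data
    enc_db = {u: encrypt_password(key, p) for u, p in users.items()}
    hash_db = {u: hash_password(p) for u, p in users.items()}
    print("encrypted DB + key leaks:", recover_from_encrypted_db(enc_db, key))
    print("hashed DB only supports checks:", verify_hashed("hunter2", hash_db["bob"]))
```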

Why should this make a difference? The hacker has already gained access to the bank account… is retrieval really such a bad thing, once the damage has already been done?

OH MY GOD YES, retrieval is at least ten times worse than simple hacking. Sure, it sucks if a hacker gains access to your bank account. But if they get your password, they have access to every account that you’ve used that password on. Email? Tick. And if you’re using a cloud-based email system like Gmail or Hotmail, that means they can likely gain access to everything. This is what happened when the LinkedIn passwords were stolen – at least 6.4 million people suddenly really needed to make sure that their LinkedIn password wasn’t the same as any other password they used.

So, user passwords should always be hashed – because a hash is a one-way street, this means that the hackers will never be able to translate the stolen hash to a plain-text password. Right? Right??

… Unfortunately, no. Even the one-way hash is not a secure method of storing a password. Come back next week, and we’ll explain how rainbows, tables, and hashed strings come together to reveal your carefully hashed password in its plain-text form.

———————————————————————————

This post forms one part of our Security series. You can find links to the other editions here:

Security 101: What is Encryption?
Security 102: What is Hashing?
Security Interlude: The real-world difference between Hashing and Encryption
Security 103: Rainbow Tables
Security 104: Improper Password Storage
Security 105: Seasonings (or Salts and Peppers)
Security 106: The Importance of Key Stretching
Security 107: The Hashing Algorithm, and why Bcrypt is your best friend
Security 108: The Other Stuff

———————————————————————————