SecureWorld News

Password Encryption 101: Best Practices Guide for Orgs of All Sizes

Written by Alex Vakulov | Mon | Apr 24, 2023 | 7:57 PM Z

As the frequency of data breaches surges, it becomes increasingly imperative to guarantee the security and adequate encryption of passwords. In this article, I will provide an overview of password encryption, explaining its essence and modus operandi. Additionally, I will examine the best practices for incorporating password encryption within your organization.

What is password encryption?

Password encryption is the process of converting a password into a scrambled, unreadable form (also known as "hashing") so that it can be securely stored and transmitted. When a user tries to access a service, the system compares the password they enter to the encrypted version it holds. Access is granted only if the two match.

Why is password encryption necessary?

When attackers gain entry to a database of unencrypted passwords, they can read and exploit them for unauthorized account access. With encrypted passwords, however, bad actors can not read passwords, making it much harder to gain unauthorized access.

In addition to protecting individual accounts, password encryption is also essential for protecting the reputation of an organization. If an organization's password database is compromised and unencrypted passwords are exposed, it can lead to a loss of customer trust and damage to the organization's reputation.

While it may be tempting to skip encryption in order to save time or resources, the risks of doing so far outweigh any potential benefits. There are no situations in which it is acceptable not to encrypt passwords. Passwords are a critical part of an organization's security infrastructure, and ensuring they are properly encrypted is always essential.

How does password encryption work?

Encrypting passwords can be achieved through various methods, the most popular being hashing. The process of hashing entails passing the password through a mathematical algorithm (known as a "hash function"), which generates a unique hash of the password with a fixed length.
The hash function operates as a one-way process, which implies that it is impossible to reverse the process and obtain the original password from the hash. This aspect is important because even if attackers successfully infiltrate a database of hashed passwords, they cannot identify the original passwords.

In addition to hashing, many systems also use a process called "salting" to enhance the security of password encryption further. Salting involves adding a random string of characters (the "salt") to the password before it is hashed. This helps to prevent cybercrooks from using pre-computed tables of hash values (also known as "rainbow tables") to quickly crack hashed passwords.

How do hackers steal and crack encrypted passwords?

If you approach the issue of password encryption carelessly, you can get to the point where hackers steal and decrypt passwords. Here is how it can happen:

  • Pre-computed hash tables
    Pre-computed hash tables (rainbow tables) are pre-calculated lists of hash values for common passwords. Hackers can use these tables to crack hashed passwords by comparing the hash value of the password they are trying to crack to the list of hash values in the table. To protect against this type of attack, it is vital to use a solid hashing function and to implement salting.
  • Physical attacks
    In some cases, cybercrooks may try to physically access a device or system in order to steal passwords or other sensitive information. To protect against physical attacks, it is essential to implement strong security measures, such as locking up devices and using encryption to protect the stored data. Deploying video surveillance can also help here.
  • Malware
    Certain types of malicious software are designed to steal passwords or attempt to crack passwords. Keeping software and operating systems up to date, using security software, and being careful when opening email attachments or clicking links can help avoid malware.
Best practices for implementing password encryption

To ensure proper implementation of password encryption, there exist several best practices that organizations can adopt:

  • Implement robust and secure hashing algorithms like SHA-2, bcrypt, and PBKDF2.
  • Employ salting to strengthen password encryption by adding a random string of characters to the password before hashing.
  • Use unique salts for each password. Using the same salt for all passwords can make it easier for attackers to breach the system.
Recommended encryption algorithms

The selection of password encryption algorithms hinges on an organization's specific requirements and needs. Commonly utilized algorithms for password encryption are:

  • SHA-2
    SHA-2 is a family of hash functions widely employed for password encryption and other security applications due to their high level of security. They are regarded as superior to their predecessor, SHA-1, in terms of strength.
  • Bcrypt
    Bcrypt is a key derivation function purposely developed for password encryption, utilizing a sturdy, adaptable hashing algorithm that fortifies it against brute-force attacks.
  • PBKDF2
    The Password-Based Key Derivation Function 2 is another prevalent key derivation function used for password encryption. It is intentionally created to be computationally intensive, which renders it resistant to brute-force attacks.
  • Argon2
    Argon2 is a password hashing function explicitly constructed to resist both brute-force attacks and pre-computed hash table attacks. It has been acknowledged in various independent evaluations and contests as the most secure password hashing function available.

Factors to consider when choosing a password encryption algorithm

When choosing a secure algorithm, it is important to evaluate its speed and efficiency, as this can affect the user experience and the resources required for implementation.

Ensuring the crypto algorithm is compatible with the systems and applications that will utilize it is also vital. This encompasses various factors, including the programming language, hardware requirements, and other technical considerations.

Please mind that depending on the industry and location of an organization, there may be specific standards and regulations that must be followed when it comes to password encryption. Choosing an algorithm that fulfills these requirements is crucial to guarantee compliance.

Guidelines to follow when implementing salting correctly

The salt should be added to the password before it is hashed, as this helps to prevent attackers from using rainbow tables. Sometimes it is appropriate to store the salt value in a separate location from the hashed password. Make sure you properly protect the databases where you store hashes and salts.

Again, it is strongly recommended to generate a unique salt for each password. This can be achieved by using a random number generator. Consider using a multi-step salting process, where multiple layers of salting are applied to the password before hashing. Consider periodically updating the salt for each password.

How to protect password databases

Although it sounds trite, you need to use complex passwords to protect your password database. In addition, implementing multi-factor authentication (MFA) can significantly enhance the security of the password database.

Monitor and audit access to the password database to ensure only authorized individuals can access it. This can be achieved by implementing role-based access control (RBAC), where access to different parts of the database is granted based on an individual's role and responsibilities.

Use logging and auditing tools to track access to the database and any changes made to it. Regularly review the logs and audit reports to identify suspicious activity and take appropriate action.

Firewalls and Intrusion Detection Systems (IDS) can also help protect the database from external threats. Finally, implement a database disaster recovery plan.

Conclusion

Password encryption is a fundamental aspect of safeguarding sensitive data and preventing unauthorized access. Organizations can considerably lower the risk of passwords being stolen or compromised by adhering to best practices and implementing robust password management policies.

Do not forget that security is a process. This is especially true when it comes to password security, as hackers are constantly developing new tactics and technologies. Keep up with the latest threats and implement the necessary security measures to keep attackers at bay.