As we all know, the purpose of a password is above all to remain known to a person or a group of persons. Its disclosure then leads to the complete loss of its effectiveness and safety. When the password becomes known to a third party, the latter may, for example, appropriate rights over an application and compromise its normal operation. A password is extremely sensitive and coveted by hackers, regardless of the application that uses it.
What is a password?
Metaphorically, a password can be perceived as a critical opening door(s) to the one who holds it. Thus, this user appropriates additional rights that other people do not have. It is then up to him not to disclose it so that an evil third party does not misappropriate the privileges conferred on him.
When one / several passwords must be saved in an information system (database, configuration files…), it becomes more complicated. Indeed, security is only for one person but now depends on the security of the information system itself (physical access, identifiers to connect to it) as well as on the way these passwords are stored in the IS.
Password security in an information system
It is evident that increased password protection in the information system must be put in place. The storage of passwords in clear text in the information system then becomes impossible. Why? Why? Let us take the typical case of a database in which are stored the identifiers of the users of an extranet of a company. This implies that there is a security policy with several levels of rights.
A technician will not have the same privileges on the application as his superior. The latter will also not have the same rights as the Director of Human Resources or the CEO. In this type of application, the password is the guarantor of data security. We must, therefore, protect it assiduously. Encryption then becomes indispensable.
Why encrypt sensitive data?
The answer is simple. This is to keep confidential the password that has been assigned to the user outside of the application. There is also a part of deontology insofar as even the person in charge of the application should not have to know the personal identifiers of the users. It’s none of his business. Let us return to our example.
Extranet also means access to the application from the Internet. The data must then be encrypted via a secure HTTPS connection and the application protected against possible hacker access. Let us suppose that this extranet was poorly written and that it contains a SQL injection flaw. A hacker could then retrieve the passwords stored in the database and enter the application without any problem with the CEO’s credentials. If passwords are encrypted, it will be much harder for the hacker to retrieve their plaintext match. In this example, the attack comes from the outside but what if the weakness of the system is inside?
Indeed, let us suppose that it is necessary to maintain the database by connecting directly to it. The company that edited the application sends its database administrator into intervention. This technician intervenes on the spot but is not at all part of the company which uses the application. She’s going to manipulate the database. That is, she will most likely be able to see everything inside… including the login credentials. If the passwords had been recorded in plain text, he could have appropriated the accesses of any user on the extranet application… Nevertheless, nothing prevents him from creating a new user with all the rights directly in the database. We will, therefore, see later that traditional encryption is not enough to strengthen the security of a password.
Encryption methods
There are many of them. This can range from encryption algorithms (which can be decrypted with the appropriate algorithm and key) to hash algorithms. It is the latter that we tend to use today. Indeed, a hash algorithm can encrypt a string without the possibility of reverse operation. The hash result usually produces a single, fixed-length string. This is the case, for example, with MD5 and SHA1 algorithms. Thus, during an authentication phase, two passwords are no longer compared in plain text but two hashes of the password.