Recent reports claim that a hacker got hold of just over 80 million data records from video sharing site Daily Motion.
Apparently, a list of 80 million usernames and email addresses was stolen, with password hashes included for just under 20 million of the accounts.
ZDNet claims that it checked the password hash from one of the stolen accounts against the bcrypt hash of that account’s actual password, which was known, and got a match.
This strongly suggests that Daily Motion was storing its passwords in a robust way, using a recognised salt-hash-stretch technique to make cracking attacks harder.
The idea of salt-hash-stretch password storage algorithms like PBKDF2, bcrypt and scrypt is that validating a single password at login time is not so slow that users get annoyed, yet not so fast that crooks who steal the database can try billions or trillions of passwords per second.
Remember: the better the password you choose, the longer it will last against crackers if the password database gets stolen.
This, in turn, gives you more time to change your password in the event of a breach: if you change it before the crooks figure out your old password, you win.
In a recent breach story at porn site xHamster, password hashes were apparently calculated using just a single iteration of the MD5 algorithm.
Some stories about the xHamster breach focused on the overall unsuitability of MD5 as a cryptographic hash, but that wasn’t why xHamster passwords were easily cracked.
The bigger issue in that case was that a single iteration of MD5 or any comparable hashing algorithm, including SHA-1 and SHA-256, can be performed so quickly on modern hardware that crooks can churn through truly enormous password dictionaries in days or weeks.
If you assume that a typical bcrypt password hash verification takes 10,000 times longer than a single traditional hash computation, then an MD5-hashed password weak enough to be cracked in 10 seconds would take about a day, while a password that could withstand an hour of MD5 cracking would last more than a year against bcrypt.
What to do?
For what it’s worth, our recommendation for password hashing [as updated in June 2016] is to use PBKDF2 with at least 20,000 iterations of the HMAC-SHA-256 hashing algorithm.
Don’t worry if that doesn’t make sense to you explained in those terms: what matters is that a SHA-256 hash takes roughly 60% longer to compute than an MD5, and that HMAC needs two SHA-256 computations per PBKDF2 iteration, so the whole scheme works out at least 50,000 times slower than a single plain MD5 (20,000 × 2 × 1.6 ≈ 64,000).
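As an added illustration of the salt-hash-stretch idea above and of the PBKDF2-HMAC-SHA256 recommendation, here is example code written for this page; it is not code from the original article, from Daily Motion or from ZDNet. It stores each password as a self-describing record (the `pbkdf2_sha256$iterations$salt$hash` layout, the 16-byte salt and the field labels are assumptions chosen here), verifies a login with a constant-time comparison, shows how an unsalted single-iteration MD5 falls to a tiny wordlist, and measures roughly how many plain MD5 computations fit into the time of one PBKDF2 verification. All passwords and the wordlist are constructed sample data.

```python
"""Added example (not the article's or Daily Motion's code): salted, stretched
password storage with PBKDF2-HMAC-SHA256 at 20,000 iterations, next to the
single-iteration MD5 weakness the article describes.
Record layout 'pbkdf2_sha256$iterations$salt$hash' is an assumption made here."""
import base64
import hashlib
import hmac
import os
import time
from typing import Optional

ITERATIONS = 20_000      # iteration count recommended in the article
SALT_LEN = 16            # 128-bit random salt per password (assumption)
ALGO = "pbkdf2_sha256"   # algorithm label stored in the record (assumption)


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a record carrying algorithm, iteration count, salt and derived key."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute PBKDF2 with the stored salt and count; compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = record.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except ValueError:            # malformed record (binascii.Error is a ValueError)
        return False
    if algo != ALGO or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    # compare_digest does not leak how many leading bytes matched via timing
    return hmac.compare_digest(candidate, expected)


def crack_single_md5(target_hex: str, wordlist) -> Optional[str]:
    """Unsalted, single-iteration MD5: one hash per guess, no per-user salt."""
    for word in wordlist:
        if hashlib.md5(word.encode("utf-8")).hexdigest() == target_hex:
            return word
    return None


def cost_ratio(md5_samples: int = 20_000, pbkdf2_samples: int = 5) -> float:
    """Plain MD5 computations per PBKDF2 verification on this machine.
    Python loop overhead inflates the MD5 cost, so the ratio is a lower bound."""
    pw = b"correct horse battery staple"          # constructed sample password
    t0 = time.perf_counter()
    for _ in range(md5_samples):
        hashlib.md5(pw).digest()
    md5_each = (time.perf_counter() - t0) / md5_samples
    salt = b"\x00" * SALT_LEN
    t0 = time.perf_counter()
    for _ in range(pbkdf2_samples):
        hashlib.pbkdf2_hmac("sha256", pw, salt, ITERATIONS)
    pbkdf2_each = (time.perf_counter() - t0) / pbkdf2_samples
    return pbkdf2_each / md5_each


if __name__ == "__main__":
    # Constructed sample data, not taken from any breach.
    record = hash_password("tr0ub4dor&3")
    print(record)
    print("correct password verifies:", verify_password("tr0ub4dor&3", record))
    print("wrong password rejected:  ", verify_password("tr0ub4dor&4", record))
    wordlist = ["123456", "password", "letmein", "qwerty"]
    leaked = hashlib.md5(b"letmein").hexdigest()
    print("single-MD5 hash cracked as:", crack_single_md5(leaked, wordlist))
    print("one PBKDF2 verification costs about %.0f plain MD5s" % cost_ratio())
```

Two design points worth noting: the record stores its own iteration count, so the site can raise the count for new passwords (and re-hash old ones at next login) without breaking existing users; and the random per-user salt means that `crack_single_md5`-style precomputation cannot be shared across accounts, which is what makes the 20,000-iteration cost bite once per guess per user.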
And you only really need enough time to change your password before the crooks figure it out.
Of course, secure password storage is supposed to be a second layer of security just in case your password database gets stolen…
…not an excuse for poor database security in the first place!