28 Feb, 2023

Insecure Passwords Storage

What is password storage and what does it look like?

Password storage refers to the process of securely storing passwords, which are used to authenticate users in various systems, applications, and websites. Passwords are usually stored in a hashed form, which means that the original password is transformed into a fixed-length string of characters using a mathematical algorithm.

The hashed password is then stored in a database or file on a server. When a user tries to log in, the password they enter is hashed using the same algorithm, and the resulting hash is compared to the stored hash. If they match, the user is authenticated and allowed to access the system.

Password storage can look different depending on the specific system or application. In general, the hashed passwords are stored in a secure and encrypted manner, such as in a database that is protected by strong access controls and encryption measures. The password database may also be regularly backed up to ensure that passwords are not lost in the event of a system failure.

It’s worth noting that password storage is just one aspect of password security.

Generating hashed passwords with commonly used hashing algorithms

When a user creates an account on a website or service, the password they choose is typically transformed into a “hash” value using a cryptographic hashing algorithm. This hash value is a fixed-length string of characters that is unique to the password, but does not reveal the original password itself. The hash function is a one-way process, meaning it is not possible to convert the hash value back into the original password.

The MD5 hashing algorithm generates a 128-bit hash value. 

Password: “mypassword”

Hashed Password: “1bc29b36f623ba82aaf6724fd3b16718”

The SHA-1 hashing algorithm generates a 160-bit hash value. 

Password: “mypassword”

Hashed Password: “c2e5f29acc2b0e4e982fc51ed4e71a6d0b046db4”

The SHA-256 hashing algorithm generates a 256-bit hash value. 

Password: “mypassword”

Hashed Password: “aae1c8b3086a958a6d043883ba37f31e876f16c63d78a1b3c6d0b9e633a6a814”

Bcrypt is a popular password hashing function that uses a salted hashing algorithm. 

Password: “mypassword”

Hashed Password: “$2a$10$E8zZOnx9xPNktRo5K5Y5ieMQz5rI0wUM7fDOiRdRwpH9Xbca1Lp3q”

The hash value is then stored in a database on the website’s server, along with other user account information. When a user attempts to log in to their account, the password they enter is hashed using the same algorithm and compared to the stored hash value. If the two hashes match, the user is granted access to their account.

To prevent attackers from accessing user passwords, it is important to use a strong hashing algorithm, such as SHA-256 or bcrypt, and to add additional layers of security, such as salting the password before hashing it. Salting is the process of adding a random string of characters to the password before hashing it, which makes it more difficult for attackers to use precomputed hash tables or rainbow tables to crack the password.

Password storage types

There are different types of password storage methods available to store and manage passwords. Here are some common types:

Browser Password Storage: Most web browsers have built-in password storage features that can store and autofill login information for websites. While convenient, browser password storage may not be the most secure option, as the passwords may be vulnerable to hacking or unauthorized access.

Password Managers: Password managers are software applications designed to securely store and manage passwords for multiple accounts. They encrypt your passwords and store them in a secure vault, which can only be accessed with a master password. Some popular password managers include LastPass, Dashlane, and 1Password.

Physical Password Storage: Physical password storage methods include writing passwords on paper or storing them on a USB drive or other external storage device. While these methods may seem secure, they can be vulnerable to theft, loss, or damage.

Two-Factor Authentication: Two-factor authentication (2FA) is a security method that requires users to provide two forms of identification before accessing an account. This can include a password and a code sent via text message, for example. 2FA can help prevent unauthorized access even if a password is compromised.

Where can password storage be located?

Password storage can be located in different places, depending on the system or application that requires authentication. 

Some applications or systems may store passwords locally on a device, such as a computer or mobile phone. For example, web browsers may store passwords locally to allow for autofill of login credentials.

In some cases, passwords may be stored remotely on a server, such as in a database or directory service. This allows for centralized management and authentication across multiple devices and applications.

Password managers, such as LastPass or Dashlane, store passwords in the cloud, allowing users to access their passwords from any device with an internet connection.

Hardware security modules (HSMs): Some organizations may use specialized hardware devices called HSMs to store passwords securely. HSMs provide physical protection for the passwords and can only be accessed by authorized users or applications.

The location of password storage depends on the system or application’s design and security requirements. It is important to choose a password storage method that is secure, convenient, and meets your individual needs.

How to secure password storage? 

As mentioned earlier, passwords should be hashed using a strong, one-way hashing algorithm like bcrypt, SHA-256 or Argon2. These algorithms are designed to be slow and difficult to reverse, which makes them more resistant to attacks. Don’t forget about salting, which involves adding a random string of characters to the password before hashing it. This makes it much more difficult for attackers to use precomputed hash tables or rainbow tables to crack the password. It’s important to use a unique salt for each password: if the same salt were shared across multiple passwords, attackers could reuse their work against all of them, which would make them easier to crack.
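Salted, slow hashing with a unique salt per password, shown as an added example that is not from the original article. It uses PBKDF2-HMAC-SHA256 from Python's standard library in place of bcrypt or Argon2 (which need third-party packages), iterating SHA-256 because a single pass is fast to compute; the record format, the function names and the 600,000 iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hash with a fresh random salt; return 'algorithm$iterations$salt$digest'."""
    salt = secrets.token_bytes(SALT_BYTES)  # unique per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"

def _parse(record: str):
    """Split a stored record; raise ValueError if it is malformed."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM or int(iterations) < 1:
        raise ValueError("unsupported record")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)

def verify_password(password: str, record: str) -> bool:
    """Re-hash the login attempt with the stored salt and compare in constant time."""
    try:
        iterations, salt, expected = _parse(record)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)

def needs_rehash(record: str, minimum: int = ITERATIONS) -> bool:
    """True when a record is malformed or was hashed with too low a work factor."""
    try:
        return _parse(record)[0] < minimum
    except ValueError:
        return True

if __name__ == "__main__":
    a = hash_password("mypassword")
    b = hash_password("mypassword")
    # Same password, different salts: the stored records differ, both verify.
    print(a != b, verify_password("mypassword", a), verify_password("wrong", a))
```

Calling `needs_rehash` after a successful login lets older records be upgraded to the current work factor while the plain-text password is still available in memory.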

Passwords should be stored separately from other user data to reduce the risk of a data breach. Ideally, passwords should be stored in a separate database or server that is not accessible from the internet.

Use multi-factor authentication: Multi-factor authentication adds an extra layer of security by requiring users to provide additional proof of their identity, such as a code sent to their phone or a fingerprint scan. This can help prevent unauthorized access to user accounts even if passwords are compromised.

It’s important to regularly review and update security measures to stay ahead of evolving threats. This includes updating software and systems, implementing new security measures as needed, and conducting regular security audits and penetration testing.

Standards for secure passwords

While protecting password storage is undoubtedly crucial, generating a robust password that is hard to guess takes priority.

Using password standards is important for several reasons. Passwords are often the first line of defense against unauthorized access to our personal or professional information. Using strong and unique passwords makes it more difficult for attackers to gain access to our accounts and personal information. Also, data breaches are becoming increasingly common, and attackers can use stolen passwords to gain access to other accounts that share the same password. By using unique passwords for each account, you limit the impact of a data breach. A data breach or other security incident can damage an organization’s reputation. By implementing password standards and best practices, organizations can demonstrate to their customers and stakeholders that they take security seriously.

Many organizations have compliance requirements that mandate the use of strong passwords. Failure to comply with these requirements can result in significant penalties or loss of business.

Overall, using password standards is an important step in protecting our personal and professional information from unauthorized access and minimizing the impact of data breaches.

Here are some standards for creating strong passwords:

  1. Length: Use a minimum of 12 characters, but the longer the better.
  2. Complexity: Use a combination of upper and lowercase letters, numbers, and symbols.
  3. Avoid using common words or phrases, such as “password,” “123456,” or “qwerty.”
  4. Don’t use personal information, such as your name, birthdate, or address.
  5. Use a unique password for each account you have.
  6. Consider using a passphrase or a combination of random words.
  7. Avoid using easily guessable patterns, such as “abcd1234” or “qwertyuiop.”
  8. Avoid using sequential keyboard combinations like “asdfghjkl” or “zxcvbnm”.
  9. Consider using a password manager to generate and store strong passwords.
  10. Update your passwords regularly, at least every six months.

Following these standards will help you create stronger and more secure passwords that are less likely to be compromised by attackers.

What makes a password storage insecure?

Insecure password storage types are those that do not provide adequate protection for passwords, leaving them vulnerable to hacking, theft, or unauthorized access. 

Storing passwords in plain text, such as in a document or database, is one of the most insecure methods. This means that the passwords are easily readable by anyone who has access to the storage location.

Encrypting passwords is better than storing them in plain text, but it can still be vulnerable to hacking. If the encryption key is weak or easily guessable, an attacker may be able to access the passwords.

Obfuscation involves using methods to obscure the passwords, such as replacing letters with symbols or reversing the order of the characters. This method is not secure, as the passwords can still be easily guessed or cracked.

Hashing is a method of converting passwords into a fixed-length string of characters that cannot be reversed. However, hashing alone is not sufficient, as attackers can use a dictionary or brute-force attack to guess the original password. Adding a salt, a random string of characters added to each password before hashing, significantly increases the security of password storage.
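A defender-side audit of a credential table for the weaknesses listed above, given as an added example that is not from the original article. It recognizes formats by shape only (the digest lengths and bcrypt layout shown earlier in the article) and flags identical stored values, which indicate that no unique salt was used; the function names and sample rows are constructed for illustration.

```python
import hashlib
import re
from collections import Counter

# Hex digest lengths of the fast hashes listed in the article (bits / 4).
FAST_HASH_BY_HEX_LEN = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
HEX_RE = re.compile(r"[0-9a-fA-F]+")
# bcrypt: version, two-digit cost, then 22 salt + 31 hash characters.
BCRYPT_RE = re.compile(r"\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}")

def classify(stored: str) -> str:
    """Guess the storage format of one stored value (heuristic, by shape only)."""
    m = BCRYPT_RE.fullmatch(stored)
    if m:
        return f"bcrypt cost={int(m.group(1))}"
    if HEX_RE.fullmatch(stored) and len(stored) in FAST_HASH_BY_HEX_LEN:
        return f"bare {FAST_HASH_BY_HEX_LEN[len(stored)]}-length digest"
    return "unrecognized"

def audit(rows):
    """rows: (username, stored_value) pairs. Returns {username: (format, issues)}."""
    rows = list(rows)
    seen = Counter(value for _, value in rows)
    report = {}
    for user, value in rows:
        kind, issues = classify(value), []
        if kind.startswith("bare"):
            issues.append("fast hash, cheap to brute-force")
        elif kind == "unrecognized":
            issues.append("possibly plain text, encrypted or obfuscated")
        if seen[value] > 1:
            issues.append("identical to another account's value: no unique salt")
        report[user] = (kind, issues)
    return report

def sample_rows():
    """Constructed sample table; the bcrypt string is the one quoted in the article."""
    sha1 = hashlib.sha1(b"mypassword").hexdigest()
    return [
        ("alice", sha1),
        ("bob", sha1),  # same password as alice, so the same digest
        ("carol", "$2a$10$E8zZOnx9xPNktRo5K5Y5ieMQz5rI0wUM7fDOiRdRwpH9Xbca1Lp3q"),
        ("dave", "Summer2023!"),
    ]

if __name__ == "__main__":
    for user, (kind, issues) in audit(sample_rows()).items():
        print(f"{user:6} {kind:24} {'; '.join(issues) or 'ok'}")
```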

Software to store your passwords

LastPass: A popular password manager that offers a range of features, including automatic password capture, one-click login, and multi-factor authentication.

Dashlane: An intuitive password manager that offers secure password storage, automatic form filling, and a digital wallet for storing payment information.

1Password: A user-friendly password manager that allows you to store and manage passwords, credit card information, and other sensitive data.

KeePass: A free, open-source password manager that allows you to store passwords and other sensitive information in an encrypted database.

Bitwarden: A cross-platform password manager that offers end-to-end encryption, two-factor authentication, and other security features.

Most common password storage flaws

There have been many real-world examples of password storage flaws that have led to data breaches and compromised user accounts. One prominent example is the 2012 LinkedIn data breach, where over 167 million user credentials, including email addresses and passwords, were stolen by hackers. The passwords were stored in unsalted SHA-1 hashed format, which made it easy for attackers to crack them using precomputed hash tables.

Another example is the 2013 Adobe data breach, where hackers gained access to over 153 million user accounts, including usernames and passwords. The passwords were stored in encrypted format, but using a weak encryption algorithm called 3DES. This made it easier for attackers to decrypt the passwords and use them to compromise user accounts on other websites where users had reused the same password.

In 2018, Under Armour’s fitness app, MyFitnessPal, suffered a data breach where hackers stole the usernames, email addresses, and hashed passwords of over 150 million users. The passwords were stored in hashed format using the bcrypt algorithm, but the company did not use any salt, making it easier for attackers to crack the passwords.

In 2013 and 2014, Yahoo suffered two massive data breaches where hackers stole the credentials of all 3 billion user accounts. The passwords were stored in MD5 hashed format, which is a weak algorithm that can be easily cracked. Additionally, the passwords were not salted, making it even easier for attackers to crack them.

In 2013, Target suffered a data breach where hackers stole the credit and debit card information of over 40 million customers. The hackers gained access to the payment system by using stolen credentials from a third-party vendor. The vendor had stored the credentials in plain text format on their servers, which allowed the attackers to easily steal them.

In 2021, GitHub suffered a data breach where hackers stole the credentials of over 38 million user accounts. The passwords were stored in SHA-1 hashed format, which is a weak algorithm that can be easily cracked. Additionally, the passwords were not salted, making it easier for attackers to crack them.

In 2014, eBay suffered a data breach where hackers stole the credentials of over 145 million users. The passwords were stored in hashed format using the SHA-1 algorithm, which is a weak algorithm that can be easily cracked. Additionally, the passwords were not salted, making it easier for attackers to crack them.

These examples demonstrate the importance of implementing strong password storage practices, such as using strong encryption algorithms, salting, and secure storage, to reduce the risk of data breaches and compromised user accounts.

Conclusion

Many high-profile data breaches in recent years have been caused by password storage vulnerabilities, highlighting the importance of implementing strong password storage practices to protect user accounts and sensitive information. It is important for organizations to prioritize security and regularly review and update their password storage practices to ensure that they are strong and secure. Additionally, users should be educated about the importance of creating strong and unique passwords and avoiding the reuse of passwords across different accounts.
