Is my stolen data encrypted?
After a data breach, affected companies will try and assuage the fear and outrage of their customers by saying something to the effect of “Yes, the criminals got your passwords, but your passwords are encrypted.” This isn’t very comforting and here’s why. Many companies use the most basic form of password encryption possible: unsalted SHA1 hashing.
Hash and salt? Sounds like a delicious way to start the day. As it applies to password encryption, not so great. A password encrypted via SHA1 will always encrypt or hash to the same string of characters, which makes them easy to guess. For example, “password” will always hash as
“5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8” and “123456” will always hash as “7c4a8d09ca3762af61e59520943dc26494f8941b.”
This shouldn’t be a problem, because those are the two worst passwords possible, and no one should ever use them. But people do. SplashData’s annual list of most common passwords shows that people aren’t as creative with their passwords as they should be. Topping the list for five years running: “123456” and “password.” High fives all around, everyone.
With this in mind, cybercriminals can check a list of stolen, hashed passwords against a list of known hashed passwords. With the decrypted passwords and the matching usernames or email addresses, cybercriminals have everything they need to hack into your account.
After a data breach, affected companies will try and assuage the fear and outrage of their customers by saying something to the effect of “Yes, the criminals got your passwords, but your passwords are encrypted.” This isn’t very comforting and here’s why. Many companies use the most basic form of password encryption possible: unsalted SHA1 hashing.
Hash and salt? Sounds like a delicious way to start the day. As it applies to password encryption, not so great. A password encrypted via SHA1 will always encrypt or hash to the same string of characters, which makes them easy to guess. For example, “password” will always hash as
“5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8” and “123456” will always hash as “7c4a8d09ca3762af61e59520943dc26494f8941b.”
This shouldn’t be a problem, because those are the two worst passwords possible, and no one should ever use them. But people do. SplashData’s annual list of most common passwords shows that people aren’t as creative with their passwords as they should be. Topping the list for five years running: “123456” and “password.” High fives all around, everyone.
With this in mind, cybercriminals can check a list of stolen, hashed passwords against a list of known hashed passwords. With the decrypted passwords and the matching usernames or email addresses, cybercriminals have everything they need to hack into your account.