The persistent danger of cyberattacks underscores the critical imperative for businesses to prioritize the security of user passwords as a fundamental necessity. Despite this urgency, a comprehensive analysis of more than 800 million breached passwords reveals a disconcerting trend. Surprisingly, common basic terms like “password”, “admin”, “welcome” and “p@ssw0rd” are still among the most chosen passwords. Another surprising revelation is that passwords that are predominantly composed of lowercase letters make up a staggering 18.82% of those used in malicious attacks. This glaring reality underscores the vulnerability of passwords, perpetuating them as one of the weakest links within an organization's network defenses. As security teams face the perpetual challenge of thwarting unauthorized access and hardening against data breaches, the importance of strengthening this critical aspect of cybersecurity cannot be understated.
As a result, numerous security experts have extensively explored optimal methods for protecting passwords, especially focusing on fortified hashing algorithms, resulting in the dominance of bcrypt. Renowned for its formidable defense in preserving stored passwords, bcrypt, which emerged from the 1999 Blowfish encryption algorithm, has become a bastion of password security. However, along with technological progress, the skill of attackers also advances. Consequently, continued scrutiny of bcrpyt has revealed insights into its resilience amid the changing tactics of contemporary hackers.
Senior Product Manager at Specops Software, an Outpost24 company.
Why we use hashing algorithms
In essence, password hashing involves subjecting a password to a hashing algorithm, converting plain text into an incomprehensible sequence of alphanumeric characters. This process acts as an essential barrier against potential password compromises within storage systems. The irreversible nature of this transformation ensures that in the event of a breach where hackers acquire the encrypted passwords, they remain inscrutable. Cracking the original password from a hash can only be achieved by exhaustive guessing using brute force methods or rainbow tables.
The conventional method of manually guessing a password is virtually impossible for a human, leading cybercriminals to turn to password cracking tools such as Hashcat, L0phtcrack or John The Ripper. A brute force attack involves trying millions, if not billions, of combinations and comparing them to a wide range of strings to generate a password hash. With the increase in computing capabilities, the process of cracking a password has become alarmingly fast.
For hackers, this poses an irresistible challenge, spurring the use of sophisticated technology that leverages robust hardware and specialized software to breach encrypted passwords. Consequently, competition within the cybersecurity space is increasing significantly.
Previously, traditional hashing algorithms like MD5 and SHA-1 were stalwart in protecting passwords. However, even these defenses have succumbed to the relentless pressure exerted by contemporary cracking tools. Surprisingly, MD5 is still prevalent in the leaked data sets despite its compromised security level.
Unraveling bcrypt
Delving into more complex details, bcrypt employs a one-way hashing procedure to convert user passwords into fixed-length strings. This irreversible transformation ensures that reverting the hash to the original password is virtually impossible. Each user login triggers bcrypt to repeat the password, allowing a comparison with the system's stored password. Even in cases of short, plaintext passwords, bcrypt can improve their length and complexity, thus strengthening security. Additionally, bcrypt has distinctive features that differentiate it from other hashing techniques.
to. Salting and greater complexity
Bcrypt employs a salting technique to strengthen defenses against dictionary and brute force attacks. Each password hash receives a unique addition, which significantly complicates cracking efforts, thereby improving password complexity and deterring common hacking methods.
b. Cost factor: safeguarding security levels
Within bcrypt, the 'cost factor' adds another layer of security. This factor regulates the number of password iterations performed before generating the hash and is incorporated before the salt. In doing so, bcrypt applies more powerful hashing and salting methods, amplifying the time, resources, and computational power required for decryption attempts.
Measuring the true security of bcrypt
Generating a bcrypt hash can take a considerable amount of time, but this deliberate delay serves as a crucial barrier against hacking attempts. Unlike MD5 and SHA-256 hashing algorithms, cracking bcrypt hashes presents a formidable challenge to any malicious actor. For example, an eight-character password comprising a combination of letters, numbers and symbols would take around 286 years to crack. However, short or easy-to-guess passwords, such as '123456', can be cracked almost immediately. This underscores the importance of both businesses and individuals following strong security practices by employing longer, more complex passwords, such as passphrases.
While bcrypt hashing offers significant protection, it is important to note that it is not a fail-safe solution against password compromise. The well-known 'Have I been fooled?' The website, which allows users to check if their personal data has been compromised by data breaches, has many examples of bcrypt hashes that have unfortunately been exposed.
Cybersecurity does not have a one-size-fits-all solution, and despite its robustness, bcrypt hashes have been susceptible to exposure in data breaches. Despite this, it remains a prominent option, especially for addressing the critical issues of password reuse and compromised credentials within an organization.
Cybercriminals often stay away from brute force hashing algorithms for various reasons and instead focus on easier targets, such as exploiting compromised Active Directory passwords. Additionally, the implementation of restrictions on password reuse emphasizes the need for strong password security protocols in the corporate landscape. Adopting hashing algorithms as part of a proactive strategy becomes crucial to mitigate risks related to compromised credentials.
Finding strength in password security
As the cybersecurity landscape constantly changes, cybercriminals strive to disrupt organizations and disrupt the workforce. To combat this, businesses must strengthen their defenses against password-related threats through a comprehensive strategy. This includes using bcrypt hashes to thwart brute force attacks, educating users on password best practices, and implementing strict organizational policies to prevent password reuse risks. This combination of technological hardening, user education, and policy enforcement aims to not only decrease the chances of password compromises, but also improve the overall cyber resilience of the enterprise.
Introducing the best encryption software.
This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in today's tech industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here:
