Tuesday, November 15, 2016

The big story is that the website Adult Friend Finder was hacked and 412 million account usernames and passwords were stolen, which is the equivalent of 20 years of data. It looks like it is the new number 1 data breach in history. It's not the whole story, though. 412 million accounts on Adult Friend Finder? I didn't think so; it's actually part of a group of 6 adult content websites owned by Friend Finder Network Inc. The passwords were stored by Friend Finder Network either in plain visible format or SHA1 hashed (peppered). Neither method is considered secure. An interesting concept, "peppering", was mentioned, which I was unaware of until reading this article.
 
In cryptography, a pepper is something that is added to another value (for example a password) prior to the value being hashed using a cryptographic hash function. A pepper can be added to a password in addition to a salt value. A pepper performs a similar role to a salt. However, whereas a salt is commonly stored alongside the value being hashed, for something to be defined as a pepper it should meet one of the following criteria that define it as a more carefully hidden 'secret' than the salt value:

  • The pepper is held separately from the value to be hashed
  • The pepper is randomly generated for each value to be hashed (within a limited set of values), and is never stored. When data is tested against a hashed value for a match, this is done by iterating through the set of values valid for the pepper, and each one in turn is added to the data to be tested (usually by suffixing it to the data), before the cryptographic hash function is run on the combined value.
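
Both pepper variants from the list above, as an added example (not code from this post or from the article it refers to). It uses PBKDF2-HMAC-SHA256 with a per-record salt instead of a single SHA1 pass; the function names, the 64-value pepper set and the iteration count are assumptions chosen for the demo.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 2_000  # assumption: kept low so the demo runs quickly; real systems use far more
# Constructed for the demo: the limited set of values valid for an unstored pepper.
PEPPER_SET = [bytes([i]) for i in range(64)]


def _slow_hash(password, salt, pepper):
    # The pepper is suffixed to the password before the hash function is run.
    return hashlib.pbkdf2_hmac("sha256", password.encode() + pepper, salt, ITERATIONS)


def hash_with_secret_pepper(password, pepper):
    """Variant 1: the pepper is a secret held separately from the stored record."""
    salt = os.urandom(16)
    return salt, _slow_hash(password, salt, pepper)  # only salt and digest are stored


def verify_with_secret_pepper(password, salt, digest, pepper):
    return hmac.compare_digest(_slow_hash(password, salt, pepper), digest)


def hash_with_random_pepper(password):
    """Variant 2: the pepper is drawn at random from PEPPER_SET and never stored."""
    salt = os.urandom(16)
    pepper = secrets.choice(PEPPER_SET)
    return salt, _slow_hash(password, salt, pepper)


def verify_with_random_pepper(password, salt, digest):
    # Iterate through every valid pepper; all candidates are always tried so the
    # running time does not reveal which pepper matched.
    matched = False
    for pepper in PEPPER_SET:
        matched |= hmac.compare_digest(_slow_hash(password, salt, pepper), digest)
    return matched
```

In variant 2 every verification costs up to one hash per value in the pepper set, for the legitimate server as well as for anyone guessing passwords against a stolen digest.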
 
