Password encryption and its benefits explained

Passwords have remained a tried and true method of authentication for decades. Users continue to rely on them to protect access to their digital identities and data, and although researchers regularly predict a decline in their use and the identity security landscape keeps introducing stronger authentication methods, the foothold of passwords remains strong. Given how widespread they are, one would expect sound password security practices to be commonplace. Unfortunately, more often than not, this isn't the case.

A recent discovery by cybersecurity researchers revealed that around 20 million passwords had been left exposed in plaintext on the internet by some 900 websites built on misconfigured Google Firebase databases. Because the databases were readable by anyone who found them, an attacker could have taken over user accounts with those passwords directly and compromised the sensitive data behind those websites. Incidents like this are a reminder that passwords should never be stored in plaintext, and they bring attention back to a key factor in password security: password encryption and, for passwords a system only needs to verify, password hashing.

What is password encryption?

Systems that authenticate identities with usernames and passwords have to keep something on the server against which a submitted password can be checked, and password managers keep the passwords themselves. In a data breach, if attackers obtain what is stored, every digital identity the system holds can be jeopardized. This is most acute when the passwords are stored in plaintext.

Password encryption is a security practice that helps prevent such password and identity theft. It uses a mathematical algorithm and a secret key to transform a password into an unintelligible value known as ciphertext. Provided the key is kept separate from the data, for example in a key management service or a hardware security module, and is not captured in the same breach, an attacker who copies the database obtains only unusable ciphertext and cannot take over the digital identities. If the key sits in the same database, or in application configuration next to it, encryption adds little.

The benefits of encryption don't apply only to stored passwords but also to passwords in transit. Sending a password between systems in plaintext, for example over HTTP rather than HTTPS, lets a manipulator-in-the-middle read or replace it and take over the account. In practice this is solved by encrypting the whole connection with TLS rather than by encrypting the password value on its own.

How does password encryption work?

When a password is encrypted, the system uses an encryption key to transform the original password into ciphertext. Ciphertext looks like a string of random characters, but it is fully determined by the key, the algorithm and its parameters (such as a random nonce or IV), and the plaintext. Different encryption algorithms produce ciphertext of different lengths and patterns. The ciphertext can then be stored on a server or in a password manager, or sent to its destination, while the key is kept elsewhere under stricter controls.

In instances where the original password is required, such as a password manager filling a credential into a login form, the decryption key reverses the encryption and recovers the password. Depending on the type of encryption used, the encryption and decryption keys may be the same or different.

Types of encryption

  • Symmetric encryption: Symmetric encryption uses a single secret key for both encryption and decryption. Since the same key performs both actions, it must be stored securely and, when the sender and recipient are different parties, transferred between them over a protected channel. If the key is compromised, everything encrypted under it is exposed.

    Common symmetric encryption algorithms include the Advanced Encryption Standard (AES) and the Triple Data Encryption Standard (3DES). 3DES is deprecated and should not be used in new systems; the current choice is AES with a 256-bit key in an authenticated mode such as AES-GCM, which detects tampering with the ciphertext as well as keeping it confidential.

  • Asymmetric encryption: Asymmetric encryption uses a key pair instead of a single key. The encryption key, known as the public key, can be handed out freely or only to authorized users. The decryption key, known as the private key, is kept concealed. Data encrypted with the public key can be decrypted only with the matching private key, so keeping the private key secret is crucial.

    The most common asymmetric algorithm used to encrypt data, including password material, is Rivest-Shamir-Adleman (RSA). Diffie-Hellman, often listed alongside it, is a key-agreement protocol rather than an encryption algorithm: it lets two parties derive a shared symmetric key over an untrusted channel, which is how TLS establishes the key that protects a password on its way to the server.

In practice, asymmetric encryption is not an ideal method for encrypting the password itself, because it needs far more computation per byte and can only encrypt short messages. Symmetric encryption is therefore used for the password, and asymmetric encryption is used only to encrypt (wrap) the symmetric key so that it can be sent safely to the recipient. This hybrid scheme keeps the password encrypted end to end while the symmetric key is never exposed to an eavesdropper; it is the pattern TLS and PGP follow, and it should be used through a vetted library rather than implemented from scratch.
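The hybrid scheme just described, as an added example rather than code from this page or from ADSelfService Plus: a fresh AES-256-GCM key encrypts a vault entry, and RSA-OAEP wraps that key for the holder of the private key. It uses the third-party `cryptography` package (pip install cryptography); the SealedEntry layout, the sample credential and the context label are illustrative assumptions. The demo also exercises the two checks a practitioner cares about: a flipped ciphertext bit is rejected by GCM's authentication tag, and the wrong private key cannot unwrap the data key.

```python
"""Hybrid encryption of a stored credential: AES-256-GCM protects the data and
RSA-OAEP wraps the one-time AES key for the holder of the private key.
Added example using the third-party `cryptography` package; SealedEntry and the
context label are illustrative assumptions, not the format of any real product."""
import os
from dataclasses import dataclass

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP with SHA-256: the padding that makes RSA safe to use for key wrapping.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


@dataclass(frozen=True)
class SealedEntry:
    wrapped_key: bytes  # AES key encrypted under the recipient's RSA public key
    nonce: bytes        # 96-bit GCM nonce; must never repeat under one key
    ciphertext: bytes   # AES-GCM output with the 16-byte authentication tag appended
    context: bytes      # associated data bound to the ciphertext (not secret)


def seal(plaintext: bytes, recipient_public_key, context: bytes) -> SealedEntry:
    """Encrypt plaintext so that only the holder of the matching private key can read it."""
    data_key = AESGCM.generate_key(bit_length=256)  # fresh key per entry
    nonce = os.urandom(12)
    ciphertext = AESGCM(data_key).encrypt(nonce, plaintext, context)
    wrapped_key = recipient_public_key.encrypt(data_key, OAEP)
    return SealedEntry(wrapped_key, nonce, ciphertext, context)


def open_entry(entry: SealedEntry, recipient_private_key) -> bytes:
    """Unwrap the AES key with the private key, then decrypt and verify the data."""
    data_key = recipient_private_key.decrypt(entry.wrapped_key, OAEP)
    return AESGCM(data_key).decrypt(entry.nonce, entry.ciphertext, entry.context)


def demo() -> dict:
    """Round-trip a constructed vault entry and show the two failure modes."""
    recipient = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    outsider = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    secret = b"correct horse battery staple"  # constructed sample credential

    entry = seal(secret, recipient.public_key(), b"vault-entry:alice@example.com")
    recovered = open_entry(entry, recipient)

    # 1. A flipped ciphertext bit: GCM's tag check rejects it instead of
    #    returning corrupted plaintext.
    flipped = bytes([entry.ciphertext[0] ^ 0x01]) + entry.ciphertext[1:]
    tampered = SealedEntry(entry.wrapped_key, entry.nonce, flipped, entry.context)
    try:
        open_entry(tampered, recipient)
        tamper_detected = False
    except InvalidTag:
        tamper_detected = True

    # 2. The wrong private key cannot unwrap the data key, so stolen
    #    ciphertext alone is useless to an attacker.
    try:
        open_entry(entry, outsider)
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True

    return {
        "recovered": recovered,
        "ciphertext_differs": entry.ciphertext != secret,
        "wrapped_key_len": len(entry.wrapped_key),  # 256 bytes for RSA-2048
        "tamper_detected": tamper_detected,
        "wrong_key_rejected": wrong_key_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The context bytes are the associated data of AES-GCM: they are not encrypted, but the tag covers them, so an entry cannot be silently moved from one user's record to another's.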

Password encryption vs. hashing vs. salting

Password hashing and salting are two vital techniques in password security. They are often mistaken for types of encryption, but they are distinct: hashing is one-way, so there is no key and nothing is ever decrypted. For a password that a system only needs to verify, as in a login check, salted hashing is the recommended storage method; reversible encryption belongs to cases where the original password must be recovered later, such as entries in a password manager vault.

  • Hashing: Hashing runs a value through a one-way mathematical function and produces a fixed-length output called a hash or digest. The same input always gives the same hash, but the hash cannot be reversed to recover the password, which protects the password from direct exposure. General-purpose hash functions such as SHA-256 are deliberately fast, which lets an attacker test billions of guesses per second against a stolen hash; passwords should instead be hashed with a slow, tunable password hashing function such as Argon2id, scrypt, bcrypt, or PBKDF2.
  • Salting: Salting adds a random, per-user string of characters to the password before hashing. Identical passwords then produce different hashes, and precomputed rainbow tables become useless because each salt would need its own table. The salt is not secret and is stored alongside the hash; like the hash, it involves nothing reversible, so the password cannot be recovered from either.

When a user sets a password, the system generates a salt, hashes the salt and password together, and stores the salt and the resulting hash in the database. During authentication, the password provided by the user is combined with the stored salt and hashed with the same function and parameters, and the result is compared with the stored hash using a constant-time comparison. If the two match, the user is authenticated.
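The salt-hash-store-verify flow above, as an added example that is not part of the original page or of any product: scrypt from Python's standard library hashlib, a random 128-bit salt per password, and a constant-time comparison on verification. The record layout `$scrypt$N$r$p$salt$hash` is an illustrative assumption; the usernames and passwords in the demo are constructed.

```python
"""Salted password hashing and verification with scrypt (hashlib, stdlib).
Added example, not product code; the record layout `$scrypt$N$r$p$salt$hash`
is an illustrative assumption."""
import base64
import hashlib
import hmac
import os

# Work factors. Memory per hash is 128 * r * N bytes: 16 MiB here, a sensible
# floor for an interactive login; raise N as hardware gets faster.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16   # 128-bit random salt per password
DKLEN = 32        # 256-bit derived hash


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=64 * 1024 * 1024, dklen=DKLEN)


def hash_password(password: str) -> str:
    """Generate a fresh salt, hash the password, and pack parameters, salt and hash."""
    salt = os.urandom(SALT_BYTES)
    digest = _derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return "$scrypt$%d$%d$%d$%s$%s" % (
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and parameters; compare in constant time."""
    try:
        _, scheme, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        candidate = _derive(password, salt, int(n), int(r), int(p))
    except ValueError:
        return False  # malformed record or unsupported parameters
    # compare_digest does not stop at the first mismatching byte, so timing
    # does not reveal how much of the hash an attacker got right.
    return hmac.compare_digest(candidate, expected)


def demo() -> dict:
    """Two users pick the same password; the salts keep their records distinct."""
    alice = hash_password("Tr0ub4dor&3")   # constructed sample password
    bob = hash_password("Tr0ub4dor&3")
    return {
        "records_differ": alice != bob,
        "alice_ok": verify_password("Tr0ub4dor&3", alice),
        "bob_ok": verify_password("Tr0ub4dor&3", bob),
        "wrong_case_rejected": not verify_password("tr0ub4dor&3", alice),
        "garbage_rejected": not verify_password("Tr0ub4dor&3", "plaintext-or-junk"),
    }


if __name__ == "__main__":
    print(demo())
```

Storing N, r and p in the record is what lets you raise the work factors later and re-hash each user transparently on their next successful login.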

Are encryption and hashing all it takes to ensure password security?

While encryption, hashing, and salting are the basics of password security, relying solely on them is not sufficient. Firstly, a user cannot inspect how a given system stores their password, so they cannot know whether it can be trusted with it. Secondly, poor password hygiene and weak password choices still leave accounts vulnerable to brute-force and dictionary attacks; a slow hash only buys time against a guessable password.

Here are some additional measures that can be implemented alongside encryption, hashing, and salting to further enhance password security:

  • Password complexity requirements: Existing password requirements, such as default Active Directory password policies, can be outdated and weak. A strong policy should enforce a minimum length, ban dictionary words and common patterns, and may require character variety (uppercase letters, lowercase letters, numbers, and symbols). Length matters most: every additional character multiplies the number of guesses a brute-force attack must make, and current NIST guidance (SP 800-63B) favors long passwords screened against known-breached lists over mandatory composition rules, which tend to produce predictable substitutions.
  • Screen out exposed passwords: Integration with a leaked-password database, such as Have I Been Pwned, stops users from choosing passwords that have already appeared in breaches. The Pwned Passwords range API supports this without disclosing the password: the client sends only the first five hex characters of the password's SHA-1 hash and matches the returned suffixes locally.
  • Multi-factor authentication (MFA): MFA adds extra layers of security by requiring additional factors, such as biometrics or a TOTP code, in addition to the password. Even if an attacker guesses or steals the password, they cannot log in without passing the subsequent factors. Phishing-resistant factors such as FIDO2 security keys or passkeys hold up even when the user is tricked into entering their password on a fake site.
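The length check and the breached-password screen from the two bullets above, combined into one policy check as an added example (not ADSelfService Plus code). It uses the Have I Been Pwned Pwned Passwords range API with k-anonymity, so only the first five hex characters of the SHA-1 digest ever leave the client; the network call is isolated in `fetch_range_live`, and the demo runs offline against a constructed API response whose counts are made up. The function names and the 12-character minimum are assumptions.

```python
"""Screening a candidate password against Have I Been Pwned's Pwned Passwords
range API with k-anonymity.  Added example, not product code; the offline demo
uses a constructed API response with made-up counts."""
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix sent and the 35-char suffix kept."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; padding entries (count 0) and CRLF are tolerated."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in known breaches (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup; Add-Padding hides the true number of matches in the response size."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "password-screening-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def is_acceptable(password: str, fetch_range: Callable[[str], str],
                  min_length: int = 12) -> Tuple[bool, str]:
    """Policy check: length first (no network), then the breach lookup."""
    if len(password) < min_length:
        return False, "shorter than %d characters" % min_length
    seen = breach_count(password, fetch_range)
    if seen:
        return False, "seen %d times in breach data" % seen
    return True, "ok"


def demo() -> dict:
    # Constructed response for prefix 5BAA6 (SHA-1("password") starts with it).
    # The count is made up; the second line mimics a padding entry.
    canned = {
        "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
                 + "1E4D0" + "0" * 30 + ":0\r\n",
    }
    sent: List[str] = []

    def fake_fetch(prefix: str) -> str:
        sent.append(prefix)  # record exactly what left the client
        return canned.get(prefix, "")

    return {
        "password_count": breach_count("password", fake_fetch),
        "password_verdict": is_acceptable("password", fake_fetch, min_length=8),
        "passphrase_verdict": is_acceptable("correct horse battery staple", fake_fetch),
        "short_verdict": is_acceptable("Tr0ub4dor&3", fake_fetch),
        "prefixes_sent": sent,
    }


if __name__ == "__main__":
    print(demo())
```

Note that the length check runs before any lookup, so a too-short candidate never touches the network, and the recorded prefixes show that a 5-character hash prefix is the only thing transmitted.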

ADSelfService Plus is an identity security solution with MFA, SSO, and self-service password management capabilities. Its Password Policy Enforcer lets administrators define stringent password policies with granular complexity requirements. It also integrates with Have I Been Pwned to prevent users from choosing already exposed passwords, and its MFA feature supports 20 different authentication methods to secure identities.

For a further look into ADSelfService Plus's identity security capabilities, get your free, 30-day trial of the product here.
