In 2018 password hashing is becoming more important than ever for both ecommerce website owners and people who provide commercial software applications.
Protecting your users’ data is no longer a suggestion; rather, it is a requirement, as consumers are beginning to consider their security and the safety of their data a top priority.
As ecommerce continues to grow at a solid rate, with ecommerce sales projected to hit just over $4 billion by the year 2020, protecting your users’ data is now more important than ever.
If a hacker or malicious actor gains access to your password database and those passwords are stored in plain text, the intruder will have access to every user account on your website or application.
The recommended way to avoid this is through password hashing.
Without the proper cybersecurity protocols in place, ecommerce store owners put themselves and their customers at risk. We don’t need to look any farther than the 2013 Target hack to understand how and why hacking is a major threat to ecommerce platforms.
That being said, smaller ecommerce stores are at an even bigger risk than the larger corporations, because they have weaker security protocols against cybercriminals. Two of the largest kinds of cybercrime that smaller ecommerce stores face are phishing attacks, where user data such as credit card numbers and login information is targeted, and credit card fraud, where hackers attempt to extract credit card numbers and then sell them on the black market.
As you can hopefully tell by now, the security of your ecommerce store must be of the utmost concern to you, and this will require you to employ a number of security measures, including password hashing.
What is Password Hashing?
To understand how password hashing is used currently on content management systems and web applications, we have to define a few key things.
When you hash a password, it is turned into a scrambled representation, or ‘string,’ and you store that instead of the plain-text password so that it cannot simply be read by malicious actors. Hashing compares the value with an encryption key internally to actually interpret the password.
It should also be noted that hashing is a form of cryptographic security that is different from encryption. Encryption is designed to encrypt and decrypt a message in a two-step process, whereas hashing, as we have just gone over, is designed to generate a string from an input string, and that output can vary significantly with only small variations in the input.
An additional hashing measure that you will see is what’s referred to as salting, which is simply the addition of extra characters to the end of the hashed password to make it more difficult to decode.
Similar to salting is what is referred to as peppering. This also adds an additional value to the end of the password. There are two different versions of salting: the first, where you add the value to the end of the password as mentioned above, and the second, where the value added to the password is random both in its location and in its value. The advantage of this is that it makes brute-force attacks and certain other attacks very difficult.
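To make the salt and pepper distinction concrete, here is an added example (not code from the original article) in Python using only the standard library. The salt is a fresh random value stored next to each user’s hash; the pepper is a single secret kept outside the database. The iteration count and the pepper value are assumptions for illustration, and the demo function shows that two users who pick the same password end up with different stored hashes.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256. Assumed value for this example; tune it so
# that one hash takes a noticeable fraction of a second on your own hardware.
ITERATIONS = 100_000

# The pepper is a server-side secret kept outside the database (environment
# variable, secrets manager, HSM). Constructed placeholder value for the example.
PEPPER = b"example-pepper-not-for-production"


def new_salt() -> bytes:
    """16 random bytes from the OS CSPRNG. Never reuse a salt across users."""
    return secrets.token_bytes(16)


def salted_hash(password: str, salt: bytes) -> bytes:
    """Salt only: the salt is public and is stored beside the hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def salted_peppered_hash(password: str, salt: bytes, pepper: bytes = PEPPER) -> bytes:
    """Salt plus pepper: the password is first keyed with the secret pepper via
    HMAC, then salted and stretched. A leaked database on its own is not enough
    to start guessing, because the pepper is not in it."""
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)


def verify(password: str, salt: bytes, stored: bytes, pepper: bytes = PEPPER) -> bool:
    """Recompute and compare in constant time so timing does not leak a prefix match."""
    candidate = salted_peppered_hash(password, salt, pepper)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    """Two users choosing the same password get different stored hashes."""
    password = "correct horse battery staple"
    salt_a, salt_b = new_salt(), new_salt()
    hash_a = salted_peppered_hash(password, salt_a)
    hash_b = salted_peppered_hash(password, salt_b)
    return {
        "different_salts": salt_a != salt_b,
        "different_hashes": hash_a != hash_b,
        "same_salt_same_hash": salted_hash(password, salt_a) == salted_hash(password, salt_a),
        "verify_ok": verify(password, salt_a, hash_a),
        "verify_wrong_password": verify("Correct horse battery staple", salt_a, hash_a),
        "verify_wrong_pepper": verify(password, salt_a, hash_a, pepper=b"some-other-pepper"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt defeats precomputed tables and forces an attacker to work on each user separately; the pepper means that even a complete database dump is useless without a second secret that lives somewhere else. Rotating the pepper requires re-hashing at each user’s next login, so keep it in a versioned secret store.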
Currently Used Hashing Algorithms
You will see a wide variety of hashing methods used on passwords depending on the platform. This can also vary between content management systems.
One of the least secure hashing algorithms is referred to as MD5, which was created in 1992. As you may imagine for an algorithm created in 1992, it is not the most secure hashing algorithm. It uses 128-bit values, which is a lot lower than traditional encryption standards, so it is not a very secure option for passwords and is instead more often used for less security-critical purposes such as file downloads.
The next common hashing algorithm that you will see is SHA-1. This algorithm was created in 1993 by the US National Security Agency. They waited a few years to publish it; however, despite being developed only one year later than MD5, it was significantly more secure at the time. You may still see some passwords being hashed this way, but unfortunately this standard is no longer considered secure.
As an upgrade to SHA-1, the National Security Agency published SHA-2, created in 2001. And like its predecessor, it was not specifically created by the NSA and was only standardized a few years ago. It still remains a viable method for securely hashing passwords.
Another password hashing algorithm that you will see is bcrypt. The bcrypt algorithm includes a salt, which is designed to protect against brute-force attacks.
One of the tools bcrypt uses to make brute-force attacks more difficult is slowing down the brute-force operation or program that a malicious actor may be using. This means that if a brute-force attack is attempted, it will likely take years, if it succeeds at all.
Similar to bcrypt is scrypt. This password hashing algorithm also extends the key with additional defenses such as salts (random data added to the hash function input to create a more unique output) to make brute-force attacks almost impossible. An additional advantage of scrypt is that it is designed to take up a large amount of computer memory when it is being brute-forced, which is an additional measure to extend the time a brute-force attack needs to succeed.
The last password hashing algorithm we’ll see on content management systems and web applications is PBKDF2. This password hashing algorithm was created by RSA Laboratories and, like the algorithms mentioned before, adds extensions to the hash to make brute-force attacks more difficult.
Storing Hashed Passwords
After the process of hashing, whatever algorithm is being used produces a scrambled hexadecimal representation of the password as its output.
What that means is that it will be a very long series of letters and numbers, and that is what the website or application stores, in case a hacker gains access to that information.
So, in other words, if a hacker gets into your ecommerce website and finds a database of user passwords, he or she will not be able to use them to directly log into a user’s account.
Rather, he or she would have to interpret the random letters and numbers to figure out what the password actually is.
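The algorithms above differ in their tunable cost (an iteration count for PBKDF2, a memory parameter for scrypt), and the stored value is the hex string this section describes. The following added example (not from the original article) shows a storage record that carries the algorithm name and its parameters alongside the hex salt and hex digest, so the verifier knows how to recompute it and can flag records hashed under an older, weaker setting for re-hashing at the user’s next login. The record format and the policy numbers are assumptions for illustration; the scrypt and PBKDF2 calls are Python’s standard hashlib functions.

```python
import hashlib
import hmac
import secrets

# Current policy for new hashes. Assumed values for this example; tune the
# scrypt cost (n) and memory (128 * r * n bytes) to your own servers.
POLICY = {"alg": "scrypt", "n": 2 ** 14, "r": 8, "p": 1}


def _derive(alg: str, params: dict, password: bytes, salt: bytes) -> bytes:
    """Run the named KDF with the given parameters; 32-byte output either way."""
    if alg == "scrypt":
        return hashlib.scrypt(password, salt=salt, n=params["n"], r=params["r"],
                              p=params["p"], dklen=32)
    if alg == "pbkdf2_sha256":
        return hashlib.pbkdf2_hmac("sha256", password, salt, params["iterations"])
    raise ValueError(f"unsupported algorithm: {alg}")


def hash_password(password: str, policy: dict = POLICY) -> str:
    """Return a self-describing record: alg$k=v,...$salt_hex$digest_hex."""
    salt = secrets.token_bytes(16)
    params = {k: v for k, v in policy.items() if k != "alg"}
    digest = _derive(policy["alg"], params, password.encode("utf-8"), salt)
    param_str = ",".join(f"{k}={v}" for k, v in params.items())
    return f"{policy['alg']}${param_str}${salt.hex()}${digest.hex()}"


def parse_record(record: str):
    """Split a stored record back into (alg, params, salt_bytes, digest_bytes)."""
    alg, param_str, salt_hex, digest_hex = record.split("$")
    params = {k: int(v) for k, v in (kv.split("=") for kv in param_str.split(","))}
    return alg, params, bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own algorithm and parameters; compare in constant time."""
    alg, params, salt, digest = parse_record(record)
    candidate = _derive(alg, params, password.encode("utf-8"), salt)
    return hmac.compare_digest(candidate, digest)


def needs_rehash(record: str, policy: dict = POLICY) -> bool:
    """True when the record uses another algorithm or weaker parameters than
    the current policy. Re-hash with the plain password at the next login."""
    alg, params, _, _ = parse_record(record)
    if alg != policy["alg"]:
        return True
    return any(params.get(k, 0) < v for k, v in policy.items() if k != "alg")


if __name__ == "__main__":
    record = hash_password("example-password")  # constructed sample password
    print(record)
    print("verify:", verify_password("example-password", record))
    print("needs rehash:", needs_rehash(record))
```

Storing the parameters with the hash is what lets you raise the cost over time without forcing a password reset: old records keep verifying, and the login path upgrades them one at a time.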
Multiple Website Passwords
Sometimes you’re going to run into situations where your ecommerce store users may need to share passwords across different services.
An example of this might be that you have a separate build of your application for mobile devices that uses a different technology or runs on a different platform than your web-based version. In this instance, you would need to sync hashed passwords across multiple platforms, which can be very complicated.
Fortunately, there are companies that can help with cross-platform syncing of hashed passwords. An example would be FoxyCart, which is a service that allows hashed password syncing from application to application.
Wrapping it Up
In addition to Foxy, there are many other popular ecommerce platforms to choose from. Regardless of which one you use, keeping your ecommerce store secure must be a top priority, and password hashing is one of the best and also one of the more overlooked security measures that you can employ today.
The more properly hashed a password is, and if it’s using the newest standards like salting and peppering, then basically the only way for a malicious actor to get someone’s password would be via a brute-force attack.
And with the methods we mentioned above and the algorithms used by various content management systems, even brute-force attacks are becoming more and more difficult. That is, as long as you implement these tools properly.