Password security: Would your website stand up to hackers?

Heather

If your website has a user log in area then no doubt your website also stores passwords. You have a duty to your users to store those passwords securely.

User passwords are stored in your website’s database. On a well-secured website, it is perhaps unlikely that your database will be compromised, but unfortunately hackers can be very determined. Recent high-profile cases highlight the risk for any company’s database. It’s irresponsible to assume that it could never happen to you.

So to protect your users from the possibility of stolen data, a good web developer will ‘encrypt’ certain information. Easy right? Wait, there’s more…

Many websites still protect passwords with an outdated method: a plain MD5 hash. A modern computer can hash a single password that way in less than a nanosecond. That’s bad. That’s really bad. When a hacker gets hold of a password stored this way, they can test millions of candidate passwords in just one second. So, if one of the users in the database has a password of 6 lowercase letters and numbers, it takes a hacker a maximum of 40 seconds to discover their password.

I’ll give you a moment to go and change all your passwords.

As users, we can never be confident that website owners are encrypting our passwords safely. That’s why you keep hearing irritating advice from computer security experts to use different passwords on every website you use. But let’s face it, most people don’t. This means your website database is probably holding some pretty sensitive information. As a web developer, I can make it much more difficult for hackers to discover that sensitive information.

At EMSL, we use some of the most secure methods available to encrypt your users’ passwords. That means it takes about 0.3 seconds to encrypt one password, instead of less than a nanosecond. And our theoretical hacker’s work load has also increased by the same amount – now instead of taking up to 40 seconds to crack one password, it’ll take them up to 12 years!

So, time for a website security audit? We can check your password security and many other common security concerns. Just contact a member of our team for more information.

And if you’re already one of our website clients, you can just sit back and relax. We’ve already covered it.

The techy bit: future-proof password security

I’ve made a few references to the abilities of current computers in this article, and you may well be thinking “but computers get faster every year”. And you’re absolutely right, of course. In computing, Moore’s Law states that every 2 years, the speed of our computers will double – and this prediction has been pretty much spot on since it was first made in 1965.

Using a single modern computer, a single password of 6 lower-case letters and numbers takes around 0.3 seconds to encrypt, and up to 12 years to crack by brute force. Using Moore’s Law, we can predict that in 2 years’ time the password would be cracked by brute force within 6 years, and in 10 years’ time it would take 137 days. That sounds like a long time still, but assuming a hacker is working with more than one computer to crack the passwords, they actually have a manageable work load cracking this 10 year old password now.

We make sure we stay one step ahead of the hackers by using a work factor in our password hashing algorithm. Each time the work factor goes up by 1, the work required to hash a single password doubles, so the cost grows exponentially with the work factor. That means all we need to do is increase the work factor by 1 every 2 years, and it will always take around 0.3 seconds to hash a password, and up to 12 years to crack. This simple maintenance is something we will continue to take care of for all our clients with their own log-in areas, so they can be sure their users’ passwords are always kept as safe as possible.
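As an added illustration of the work-factor idea (example code written for this page, not EMSL’s own implementation), the block below models a cost parameter with the Python standard library’s PBKDF2-HMAC-SHA256, where each +1 on the cost doubles the iteration count, calibrates the cost to a target hashing time, and projects the article’s 12-year crack time forward under the 2-year doubling rule; the function names, the 0.3 s target and the 12-year starting figure are taken from the article or assumed for illustration.

```python
import hashlib
import hmac
import math
import os
import time

DAYS_PER_YEAR = 365.25


def hash_password(password: str, cost: int, salt: bytes = b"") -> tuple:
    """Hash with a cost parameter: each +1 on cost doubles the iterations,
    so the work grows exponentially with cost (bcrypt's cost works the same
    way). The cost is stored with the hash so it can be raised later."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)
    return cost, salt, digest


def verify_password(password: str, cost: int, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored cost and salt; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 2 ** cost)
    return hmac.compare_digest(candidate, digest)


def calibrate_cost(target_seconds: float = 0.3, start: int = 10, limit: int = 20) -> int:
    """Raise cost until one hash takes at least target_seconds on this machine
    (the article's 0.3 s). Re-running this periodically keeps the hashing
    cost in step with faster hardware."""
    for cost in range(start, limit + 1):
        t0 = time.perf_counter()
        hash_password("calibration-only", cost)  # constructed throwaway input
        if time.perf_counter() - t0 >= target_seconds:
            return cost
    return limit


def moore_projection(crack_years_now: float, years_ahead: float) -> float:
    """Crack time after years_ahead if attacker speed doubles every 2 years
    (the article's reading of Moore's Law) and the cost is left unchanged."""
    return crack_years_now / 2 ** (years_ahead / 2)


def cost_increase_needed(years_ahead: float) -> int:
    """+1 cost doubles the work and speed doubles every 2 years: +1 per 2 years."""
    return math.ceil(years_ahead / 2)


if __name__ == "__main__":
    cost, salt, digest = hash_password("correct horse", cost=12)
    print("verified:", verify_password("correct horse", cost, salt, digest))
    print("12 years now -> %.0f days in 10 years" % (moore_projection(12, 10) * DAYS_PER_YEAR))
    print("cost increases needed over 10 years:", cost_increase_needed(10))
```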

For more info, or to arrange a security audit for your website, contact EMSL on…

Call: 01462 676070
Email: info@emsl.co.uk

We’d love to show you what we can do.