In a new report on protecting personal data in online services (47-page / 615KB PDF), the Information Commissioner's Office (ICO) highlighted the insecure storage of passwords as one of eight common computer security vulnerabilities that often lead to data breaches.
It advised businesses to ensure that passwords are subject to procedures called 'hashing' and 'salting' to better protect privacy.
"A hash function is a one-way method which converts a password into a hashed value, often simply called the 'hash'," the ICO said. "When a user first registers with a service and provides a password this is hashed and only this hash value is stored. When a user returns and enters their password, the hash is freshly calculated then compared with the stored hash. If the two hashes match, then the user can be authenticated."
The ICO said that hashing passwords means that hackers "cannot directly work out what the passwords are" even if they obtain a list of the hashes stored and "know the particular hash function that was used". The measure does not, however, stop hackers who obtain a list of hashes from guessing candidate passwords, hashing each guess and checking for a match, which is why "it is important to use a technique called 'salting' to further guard against password cracking attacks", the watchdog said.
"A 'salt' ... is a string of random data unique to each user," the ICO said. "The salt is used by combining it with the user's password, then hashing the result. The salt is then generally stored alongside the hash in a database. When a user logs in to the service the stored salt and the supplied password are freshly combined and hashed. As in the unsalted method, the new hash and the stored hash are compared to determine if the user should be authenticated. Even though salts will generally be available to any attacker who already has the related list of password hashes, using salts further increases the time and effort involved in mounting a password cracking attack."
Businesses, however, need to be aware that technological advances can leave hashing measures that are already deployed no longer appropriate for securing passwords, the ICO said. As computer processing gets faster, so do attackers' attempts to calculate hashes and recover passwords, so a hashing scheme that was adequate when it was chosen may not remain so.
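The registration and login flow the ICO describes above, together with the point that a hashing scheme ages as hardware gets faster, as an added Python example; this is illustrative code written for this article, not code from the ICO report. It assumes PBKDF2-HMAC-SHA256 from the standard library as the slow, salted hash and an iteration count of 600,000 as the current policy value (OWASP's published guidance for that construction; adjust to your own policy). The user records and the attacker's word list are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Illustrative code added for this article; not from the ICO report.
# Assumed policy value: PBKDF2-HMAC-SHA256 iteration count. Raise it over
# time as hardware gets faster, and rehash old records on next login.
CURRENT_ITERATIONS = 600_000


def unsalted_hash(password: str) -> str:
    """Plain, fast hash: identical passwords give identical digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def register(password: str, iterations: int = CURRENT_ITERATIONS) -> dict:
    """Salted, slow storage: a fresh random salt per user, stored beside
    the hash together with the cost parameter used to produce it."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(record: dict, password: str) -> bool:
    """Recombine the stored salt with the supplied password, rehash with
    the stored cost, and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def needs_rehash(record: dict) -> bool:
    """True when a stored hash was produced with a weaker cost than current
    policy; after a successful login the caller re-runs register()."""
    return record["iterations"] < CURRENT_ITERATIONS


def crack_unsalted(stored: dict, wordlist: list) -> tuple:
    """Attacker holding the hash list: one precomputed table covers every
    user. Returns (cracked {user: password}, number of hashes computed)."""
    table = {unsalted_hash(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in stored.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(stored: dict, wordlist: list) -> tuple:
    """Same attacker, salts in hand too: no table is reusable across users,
    so every guess is hashed again per user at the stored cost."""
    cracked, work = {}, 0
    for user, record in stored.items():
        for guess in wordlist:
            work += 1
            if verify(record, guess):
                cracked[user] = guess
                break
    return cracked, work


# Constructed sample: three users, two of whom chose the same weak password,
# and a short constructed attacker word list.
USERS = {"alice": "password", "bob": "hunter2", "carol": "password"}
WORDLIST = ["123456", "password", "letmein", "hunter2"]


def demo(iterations: int = CURRENT_ITERATIONS) -> dict:
    """Store the sample users both ways and run the attacker against each."""
    unsalted_db = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted_db = {u: register(p, iterations) for u, p in USERS.items()}
    cracked_u, work_u = crack_unsalted(unsalted_db, WORDLIST)
    cracked_s, work_s = crack_salted(salted_db, WORDLIST)
    return {
        # shared passwords are visible as duplicate unsalted hashes only
        "unsalted_duplicates_visible": unsalted_db["alice"] == unsalted_db["carol"],
        "salted_duplicates_visible": salted_db["alice"]["hash"] == salted_db["carol"]["hash"],
        "unsalted_work": work_u,
        "salted_work": work_s,
        "cracked_unsalted": cracked_u,
        "cracked_salted": cracked_s,
    }


if __name__ == "__main__":
    print(demo())
```

With a weak word list both schemes are eventually cracked; what the salt changes is that the attacker's table cannot be shared between users, so the work grows with the number of accounts and, because each guess is run through the slow function, with the iteration count as well. Storing the iteration count alongside the salt is what lets a service raise it later without locking out existing users.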
Under the Data Protection Act, organisations must take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". The ICO has issued fines to many organisations it has deemed to have failed to meet the data security standards.
The ICO's report also outlined the need for businesses to have a well-designed "security architecture". It made some recommendations about what organisations can do to protect data stored on systems, including suggesting that segregating internal-facing systems from external-facing ones can help with data security.
Amongst the other guidance it issued, the ICO said businesses should have "a software updates policy in place for all software used for processing personal data" and, unless there are "good reasons" not to, apply the security updates "as soon as is practical".
"You could breach the seventh data protection principle [which covers data security obligations] if you don’t define and adhere to an appropriate software updates policy for systems that process personal data," the ICO warned.
The ICO’s group manager for technology, Simon Rice, said: "In just the past couple of months we have already seen widespread concern over the expiry of support for Microsoft XP and the uncovering of the security flaw known as Heartbleed. While these security issues may seem complex, it is important that organisations of all sizes have a basic understanding of these types of threats and know what action they need to take to make sure their computer systems are keeping customers’ information secure."
"Our experiences investigating data breaches on a daily basis show that whilst some organisations are taking IT security seriously, too many are failing at the basics. If you're responsible for the security of your organisation's information and you think salt is just something you put on your chips, rather than a method for protecting your passwords, then our report is for you. The report provides an introduction into these established industry practices that could save you the financial and reputational costs associated with a serious data breach."