In many ways, data breaches are a snapshot in time. I’ve (jokingly) referred to them globally distributed peer-to-peer backups in the past and in many ways, that’s precisely what they are. Here you have a situation where your data (and sometimes your code base and even internal emails) are now out there, often floating around under the control of other parties. They’re picking apart your data and importantly in the context of this piece, forming opinions on the effectiveness of your security posture.
Let me illustrate the point: Last week, news broke that Disqus had been hacked. You may not recognize Disqus as a name, but you’ve almost certainly seen it in action as it powers the commenting engine for a significant portion of the web’s blogs and news sites. It has become the canonical means by which people discuss content in the context of that content and now, other people had their data.
I actually believe that Disqus did a sensational job in communicating the breach and getting word out within 24 hours is almost unheard of. But where it ended up copping some flak was with its approach to password storage – it used SHA-1. This raised the ire of people and I had a number of very unhappy tweets and replies along these lines after writing the aforementioned piece on them. The thing is though, the data in its breach dated back to 2012 which was a very different technological era to today. It might seem like 5 years isn’t very long, but applying Moore’s Law to things then that’s long enough for computer processing power to get about 6 times faster, and therein lies the problem.
SHA-1 is a totally inappropriate algorithm to use when hashing customer passwords in a system like Disqus runs. If someone proposed that today you’d seriously question their sanity, but back in 2012 it was much more the norm. Thing is though, Disqus didn’t chose SHA-1 in 2012, it would have chosen it years before when it originally built the system which based on its disclosure, sounds like it was about 2007.
So, you see the problem – Disqus made a design decision in a different era which viewed in the light of 2017 looks bad. It is not alone; MySpace data turned up last year and its incident dates back to a similar era and includes SHA-1 passwords. Same with LinkedIn (who unlike Disqus, didn’t salt its passwords) and same with Dropbox who had half its passwords stored as salted SHA-1. Last.fm was also 2012 but used MD5 and Tumblr was just a little later albeit with SHA-1 again.
As much as we rush to criticize these incidents, we need to keep in mind the era in which design decisions were made. I’m confident they all have fundamentally different strategies for password storage these days (Dropbox has been especially transparent), but who knows – maybe we’ll be looking at their data a decade from now and decrying their use of the bcrypt algorithm!