Encryption is converting data or information into an unintelligible code or cipher. It scrambles data so that it is not readable without a decryption key. Password management is heavily dependent on encryption. Even the most robust password cannot secure accounts and protect identities without proper encryption.
Passwords need to be encrypted when they are stored in a database or when they are in transit. It is crucial to understand how encryption works and how different forms of encryption help secure passwords to make crucial decisions pertaining to password management strategies.
Encryption is a practical manifestation of the art of writing and solving codes – cryptography. Cryptography is an age-old discipline with several wings and different goals. Here, the scope of exploration will be limited to computer-based encryption of credentials. First, it’s important to be familiar with certain terms and concepts.
In this article
Understanding Key Terms Around Encryption
The following are some terms anyone trying to wrap their head around password encryption should know:
Plain text: Unencrypted information that anyone can read.
Ciphertext: The unintelligible string of characters created from encrypting the plaintext.
Block cipher: A deterministic algorithm that takes a block of plaintext and creates a ciphertext of equal bit size.
Key: The keys are strings of information used to encrypt and decrypt data.
According to Kerckhoff’s principle, “the security of a cryptosystem must lie in the choice of its keys only; everything else (including the algorithm itself) should be considered public knowledge.
Hash function: These mathematical algorithms convert an information string with a random length into a different string with a fixed length.
Hash: The string of information with a fixed length represents a different information string. It is the product of the hash function.
Secure Hashing Algorithm(SHA): A standardized set of hash functions. The current generation of SHA is SHA-3 which includes six “Permutation-Based Hash and Extendable-Output Functions” with hash (digest) values of 128, 224, 256, 384, or 512 bits.
Note: The hashing process is irreversible, which means it is nearly impossible to reconstruct the actual information from the hash.
Salt: Additional letters and numbers added to the hash are called salt. If two users create identical passwords, the hashes for both of them will be the same, but with salt added, the hashes will be completely different thanks to the avalanche effect of hashing.
Avalanche effect: The property owing to which a small change in the input results in a significant change in the output. Half the output bits will flip if one bit of information is flipped in a user-generated string.
How The Password Encryption Process Works
A newly created password undergoes two processes before being stored safely in a database.
- Salting
- Hashing
While adding salt to a password takes place before the hashing, explaining the concepts in reverse order will be easier. First, hashing, and then salting.
When a user creates a password and hits save, a hash function generates a different version of the password or the hash. The server saves the hash, not the actual password, in plaintext.
When the user tries to log into the service again using their password, the hash function recreates the hash and allows the user to log in only if the recreated hash matches the original hash.
However, hashing has a fundamental weakness. A hash is created for each password but not for each user. That means if two users have identical passwords, the hashes created against each of those passwords will also be identical. Salt is used to tackle this issue.
Salt is an 8 bytes long string of characters and numbers added to a plaintext password before it undergoes hashing.
For instance, if a user creates a password abc@1234PASS, the salted version will look like 94C03L035K409D4Eabc@1234PASS. The has function will create a hash for the salted version of the password.
A different salt value is appended to the passwords for each user hence, the risk of two users having the same hash is eliminated.
How difficult it will be to break encryption depends on the encryption method and the secrecy of the key. There are several methods of encryption and one industrial standard.
The Different Methods of Encryption
Data encryption has two primary categories: Symmetric encryption and Asymmetric encryption.
Symmetric encryption uses the same key to encrypt and decrypt information. The key is available to authorized users.
Asymmetric encryption uses a pair of keys – a public key to encrypt and a private key to decrypt information. As the names suggest, the public key is made publicly available, while the private key is held by the key’s generator.
Multiple methods are used to achieve both symmetric and asymmetric encryption.
Rivest-Shamir-Adleman (RSA)
RSA is an asymmetric encryption algorithm named after MIT scientists Rivest, Shamir, and Adleman. The public key is the product of two large prime numbers amounting to 1024, 2048, or 4096 bits. The private key is the two prime factors that make up the public key. It is secure because there are no known methods of determining the prime factors of such a large number; only the generator of the public key holds the private key.
Triple DES
DES or Data Encryption Standard, was an encryption algorithm designed in the early 1970s by IBM and adopted by the US government in 1977. DES has fallen out of use since it was broken in under 23 hours in January 1999. Some organizations still use Triple DES, which uses the 56-bit cipher algorithm three times for each block of data. It is a symmetric algorithm.
Blowfish
A symmetric encryption algorithm that breaks the data into 64-bit segments and encrypts them individually.
Advanced Encryption Standard (AES)
The Advanced Encryption Standard was designed by the National Institute of Standards and Technology to replace the failing DES. It is still the global standard for encryption and is used everywhere, from banks to military systems.
How Does The AES Work?
AES has 3 block ciphers: AES-128, AES-192, and AES-256. The numbers 128, 192, and 256 represent the key size in bits. AES breaks the data into blocks of 128 bits or 16 bytes. Each block undergoes several rounds of byte substitution, row shifting, column mixing, and key additions based on the principles of the substitution/permutation network.
The number of rounds depends on the key size. For AES-128, it is 10; for 192, it is 12; and for AES-256, it is 14.
In the end, all the blocks are joined to create the final ciphertext. Since AES is a symmetric encryption algorithm, the same key is required to encrypt and decrypt the data. An unauthorized person can decrypt the data by finding out the key.
Hackers may apply brute force attacks to try every possible combination of numbers to determine the key using powerful computers. But a 256-bit key is impossible to reveal by brute forcing even with the most powerful supercomputer.
Attackers will have to try 2^256 combinations of numbers to determine it. It will take millions of years with current technology. Hence, AES-256 can be upheld as the ultimate standard in encryption for the foreseeable future.
Now that the fundamentals of encryption and its different methods have been dealt with, let’s discuss specific business-specific questions.
What Kind of Encryption Should Businesses Use For Their Passwords?
We have established the strength of the AES-256 encryption protocol and also mentioned the SHA-3. A combination of AES-256 and SHA-3 creates a virtually impenetrable encryption barrier around your business data.
Choosing Password Managers Based On The Quality of Encryption
Enterprises that use a lot of applications and services for their day-to-day operations deal with the risk of exposure and data breaches via credential thefts and phishing attacks. Hence, they need password managers. The quality of encryption should be one of the key factors when choosing a password manager.
Go for password management tools like Uniqkey that offer AES-256-bit encryption combined with SHA-3. Uniqkey has not faced a single breach in 6 years – arguably the six most notorious years regarding data breaches and credential thefts.
The Future of Encryption
One of the most vital questions concerning the future of encryption is whether quantum computation will outperform our most reliable encryption protocols like the AES-256.
NIST has started a post-quantum-cryptography standardization project where it has asked cryptographers to develop encryption programs that can withstand the onslaught of quantum computers. The word is that AES-256 is quantum-resistant. In 2022, NIST announced 4 candidates that might be ready for post-quantum cryptography, but it hasn’t released the finalized list yet.