EU security agency: salting passwords is the new minimum

With millions of citizens’ passwords exposed in recent months, Europe’s security agency is urging all web service providers to salt their users’ stored password hashes.

“Today, every password hash algorithm should employ a further layer of security by implementing salt and multiple iterations over the initial hash,” the European Network and information Security Agency (ENISA) says in a new “flash note” to service providers, pointing out best practice security.

Salting, which frustrates an attackers' effort to crack passwords, was necessary because major password hash leaks in recent months were contributing to better password dictionaries and rainbow tables, “making further attacks even more efficient”.

ENISA cites millions of passwords and usernames leaked in recent months from LinkedIn, eHarmony, Formspring, Yahoo Voice, Android and NVIDIA forums, and Gamigo.

Besides salting, firms need to ensure the environment in which the salted passwords are stored is designed to prevent leaks in the first place.

ENISA notes that, “most online data breaches were accomplished using SQL injection attacks” and suggests all firms bake security into the software development process and conduct regular audits and penetration tests.

Password policies should be adapted to the sensitivity of the service provided and include throttling systems like CAPTCHA or capping the number of login attempts from a single source. Critical information services should implement two factor authentication.

Pointing to the EU’s proposed tough data breach reporting requirement, which the EU has put out for a public consultation, ENISA says firms should already be reporting all breaches to affected customers.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

• Tweet