EU security agency: salting passwords is the new minimum

Plain text is a definite no-no but cryptographic hashes are not enough.

With millions of citizens’ passwords exposed in recent months, Europe’s security agency is urging all web service providers to salt their users’ stored password hashes.

“Today, every password hash algorithm should employ a further layer of security by implementing salt and multiple iterations over the initial hash,” the European Network and information Security Agency (ENISA) says in a new “flash note” to service providers, pointing out best practice security.

Salting, which frustrates an attackers' effort to crack passwords, was necessary because major password hash leaks in recent months were contributing to better password dictionaries and rainbow tables, “making further attacks even more efficient”.

ENISA cites millions of passwords and usernames leaked in recent months from LinkedIn, eHarmony, Formspring, Yahoo Voice, Android and NVIDIA forums, and Gamigo.

Besides salting, firms need to ensure the environment in which the salted passwords are stored is designed to prevent leaks in the first place.

ENISA notes that, “most online data breaches were accomplished using SQL injection attacks” and suggests all firms bake security into the software development process and conduct regular audits and penetration tests.

Password policies should be adapted to the sensitivity of the service provided and include throttling systems like CAPTCHA or capping the number of login attempts from a single source. Critical information services should implement two factor authentication.

Pointing to the EU’s proposed tough data breach reporting requirement, which the EU has put out for a public consultation, ENISA says firms should already be reporting all breaches to affected customers.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.
Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Liam Tung

Latest Videos

More videos

Blog Posts