Editorials

Password Encryption Strategy

I have been reading a lot recently about how to have secure passwords. With the capabilities of many of the newer GPUs, the ability to protect an encrypted password is diminishing daily. It has been understood that it would take a supercomputer a year to hack a single password with all the different permutations available. Today that has been reduced to a period of days or less using a GPU (Graphics Processing Unit), which performs a massive number of tasks in parallel and is extremely well suited for password hacking.

To thwart the capabilities of the GPU we must now use more sophisticated methods for encrypting passwords. We can no longer use the same algorithm to encrypt every password, because once any password is hacked, then all passwords may be hacked. Now we have to use something that is unique to every password being encrypted, referred to as salt, to make the encryption more difficult to figure out.

On top of that, there are other techniques to make that algorithm difficult to decipher. Sometimes multiple encryption methodologies may be applied, such as hashing the value n times, where n varies based on some property of the individual login. Another technique is to vary the key based on other data within the individual record.

From what I have studied I have seen it recommended that your password encryption should be as complicated as possible, and take as long as you can reasonably require users to wait to build the encrypted value. In most cases, there will be a round trip to your user profile to gather other information used to determine the key, how many hash iterations, what seed to use, etc.

With all the work being performed on password hashing it seems to me that we may not rely any longer on encrypting passwords in SQL Server. Anything we do in SQL Server will be simplistic and of little value against a real hacker. It will simply keep honest people honest. It won’t keep the bad guys out. In fact, it seems like there is little you can do to keep the bad guys out indefinitely; you can simply slow them down, and reduce the scope of granted access when a breakthrough occurs.

Here is a link to a good discussion that I think you will find valuable to gather more information for yourself: https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords/31846#31846.

So, how much effort do we put into encryption? Do we dedicate resources to encryption, perhaps even purchasing an encryption appliance? Do we just use simple encryption because motivated hackers are going to get through anyway? How do we isolate the access of an intruder so that a decryption event has limited access? Share your thoughts here or by email to btaylor@sswug.org.

Cheers,

Ben