Lack of Encryption Knowledge Feeding Hackers
Article date: Tue, 18 Oct 2011 17:20 GMT
Small businesses are leaving customer data open to hackers - despite encrypting databases - allowing even long passwords to be cracked in as little as 7 seconds.
Testing by hosting specialist UKFast has revealed that using the industry-standard hashing algorithm MD5 to protect data still allows a seven-character password (of lowercase letters and numbers) to be cracked in 7 seconds. Using a more secure encryption method such as SHA 256, it would take up to seven times longer to brute-force the same password.
The tests call into question the security of customer data stored by SMEs, who often do not have the luxury of in-house IT teams or the technical knowledge to properly secure their customer databases.
Neil Lathwood, technical director at UKFast, explained: "Many small companies are trying to protect their customer data on their own or outsourcing their IT and relying on the skills of another company to secure their customer data. What these companies may not be aware of is that some methods of encryption are significantly less secure than others.
"With the emergence of brute force password cracking using Graphics Processing Units (GPUs) for extra fire power, the need for strong encryption algorithms has become more important than ever. The MD5 algorithm is so weak that no one should be using it as their only encryption method - a normal PC without the extra GPU fire power could even crack the MD5 code."
Despite the many different encryption algorithms available for SMEs to use, no encryption is completely secure against this method of brute-force cracking with the extra boost of GPUs. Making it as difficult as possible to crack information is the key.
Lathwood said: "Using an encryption method like SHA256 rather than MD5 would still allow the hacker to decrypt the information but it takes significantly longer. For example, a seven character password (of any digit, letter or symbol) would take 1 hour, 40 minutes to crack when encrypted with MD5 but would take 12 hours, 53 minutes when encrypted with the SHA256 method.
"It is also possible to 'salt' encrypted information where random figures are added, making it more difficult to crack the code.
"Businesses that encrypt their own data or outsource their IT must ensure that they are aware of what encryption is used and how safe their customer data is. Relying on the expertise of others is often the best method for smaller companies but they must stop burying their head in the sand over data security - if their database is hacked it is their reputation on the line and many businesses are oblivious to the chances that they are taking by not properly protecting their data."