Protect Your IP: Hashing Your Passwords
The legal system provides civil litigation as a means for vindicating IP rights that have been violated. But the best protection may lie in avoiding problems at the outset. Preventative self-help, you could call it.
Passwords are a first line of defense for protecting intangibles—whether trade secrets, copyrighted materials or pre-patent information. Recently there’s been a spate of stories about password security breaches: LinkedIn, Yahoo Voices, others. Even well-known computer security companies, like RSA, are vulnerable to data breaches.
So it’s worth asking, how are passwords protected in the computers that store them? The manner used in some programs provides no protection at all. Some hosts store the password file as clear text:
This was apparently how Yahoo Voices stored its users’ passwords. This method is not very secure. If someone gets the file containing the passwords, they have the passwords.
A better and more common approach is to encrypt the passwords. Instead of storing my password “Hometown2000,” the host can store what’s called a hash-value of the password.
A hash is a mathematical function that takes in one piece of data (say, a password) and outputs some number or value of a fixed length. Here’s one I just made up:
|Hash Function Input||Hash Function Output|
This hash function is very basic. If the input is odd, the output is 101; if the input’s even, the output of the hash function is 201. Note one thing about this hash—if you know the input you can know the output. But, if you know the output, you don’t know the input; you would know whether the input’s even or odd, but that’s it.
Hashes can be a lot more complex. And hashes used for cryptography need to be. A more complex hash used in cryptography is called MD5. (Since its creation, flaws have been found in MD5 that make it unsuitable for use in cryptography.)
MD5 isn’t just used in cryptography. It’s also used in e-discovery and digital forensics. See U.S. v. Crist, 627 F. Supp. 2d 575 (M.D. Pa. 2008); Sanders v. State, 191 S.W.3d 272 (Tex. Ct. App. 2006).
How does something like MD5 improve password-storage security? Instead of having a computer store the cleartext of a password, a host can instead allows a host to store the hashed value of the password than the password itself:
|User||MD5 of Password (in base 16)|
In this table above, I’ve calculated the MD5 value for each password from my initial table using this handy, free on-line calculator. You can try calculating MD5 hash values yourself at that website, but don’t use your real password.
Tables like this one are why, for some websites, you must reset your password instead of simply having your old password sent to you. The website can’t send you your password because it doesn’t have your password—it only has the hash-function output of your password. Note that even though Katy, Mike, and I have nearly identical passwords, the hash values of our passwords are radically different.
Now, if an attacker gets a copy of this password file, he won’t have the passwords; he’ll only have the output of the hash function after it takes each password as input. This file would be much harder to use.
If you want to read more about MD5 encryption, check out U.S. Pat. No. 6,035,398, it’s one of the older patents I found that has claims involving the MD5 algorithm.