Many websites reported earlier in the week that Vudu, a video-streaming company that’s owned by Walmart, reported a data breach. Furthermore, Vudu recommended that users of the service reset their passwords, especially if their passwords are reused on other online sites. These are usually the words of a company that was hacked online, such as with a SQL injection attack.
With Vudu, however, it’s different: burglars broke into the Santa Clara, California-based company on March 24, 2013 and stole computer hard drives. The data breach was limited by practicing adequate security, although the hard drives were not protected with the likes of full disk encryption such as AlertBoot. This goes to show the need for proper data security on all devices, including smartphones, tablets, and laptops. The threat is not just virtual.
Customer Data Compromised
Vudu revealed that the stolen drives contained the following information: customer names, email addresses, physical mailing addresses, Vudu account activity, dates of birth, the last four digits of credit cards, and “encrypted passwords.”
Despite all the things that Vudu did correctly, it fell flat in one area: it didn’t notify clients until two weeks after the break-in. In their FAQ, Vudu clarifies that they needed to “reconstruct the information” and that “law enforcement requested that [Vudu] delay notification.”
I include quotes for “encrypted passwords” because they’re probably not encrypted as much as they are hashed.
What’s the difference, you may ask?
Encrypted Passwords Generally Not Encrypted
Generally, “encrypted passwords” are not really encrypted. If they were, they wouldn’t be easy to guess or figure out. Indeed, it’s the reason why devices like iPhones, iPads, and Android smartphones all use disk encryption. The use of encryption makes it virtually impossible to gain unauthorized access to the data in the devices (and, thus, is one of the core aspects of AlertBoot’s mobile device management and security solution, although users of AlertBoot can manage many different aspects associated with mobile security to suit their needs).
Whereas the implication here, with Vudu strongly urging password changes, is that the passwords could be guessed, meaning that the passwords were hashed. A “hash” is when a password is passed through an algorithm and comes out looking nothing like its input. Sounds like encryption, except for two things:
- You can’t convert a hash back to its original input (with encryption, you can).
- There’s a 1-to-1 correlation between the input and the hashed output. So, if the password is “blue” and the hashed output is “920jf3no23nfoiwjfc9sjvasjd293r2,” then the hashed output will always be “920jf3no23nfoiwjfc9sjvasjd293r2” for “blue” with no exceptions.
You don’t need a ridiculous amount of foresight to see how this could be an Achilles heel: all you need to crack the security is to prepare a list of inputs and outputs, and compare hashed passwords to this list. This is why if you’re hashing passwords you also need salt them: include random characters so that the output becomes different.
For example, “blue,” “blue1,” and “blue11” will all lead to extremely different outputs. Make your salt unique and keep it a secret and, the theory goes, your passwords will be safe. Not a bad theory, but the real world has a way of throwing a wrench in the works.
The problem is that different users often use the same password. You’ve seen the lists of words that shouldn’t be employed as passwords because they’re so commonly used: “password,” “God,” “12345,” and “love”, among others. Not only can you count on these popular passwords to show up on hashed password lists, if you total them up, they tend to be in the top 20.
For example, let’s say that you’re trying to identify two hashed passwords, 8nuv89ybt7rc32rp9824 and AF23o9fasDSf0sjwfe. You know one of them is “love” and the other is “theQu1ck8” but you don’t know which one is which. But, 8nuv89ybt7rc32rp9824 shows up 500 times and AF23o9fasDSf0sjwfe shows up once. Obviously the former corresponds to “love.”
Encryption: Nothing Compares
Unlike hashes, encryption uses unique “encryption keys” to convert data. What are the odds of two encryption keys being identical? Lower than the odds of your body spontaneously combusting right now. The only way to “guess” an encryption key is brute force it; that is, go through every single one of them until you find it. According to some calculations, the universe will be a cold, homogeneous mush devoid of entropy before that happens.
That’s some pretty powerful stuff. You don’t want to be caught without backing up individual encryption keys, then, or finding out that you can’t find the right one to unlock a device. Encryption key management is one of the most harrowing aspects of ensuring good data security, (and is infinitely made easier via the use of AlertBoot).
Related Articles and Sites: