Kickstarter Data Breach: Expert Analysis and Key Takeaways

If you followed the news last week, you likely heard about the crowd-funding platform Kickstarter and a breach that exposed user account details.

How does a high-profile site suffer such an incident? TelecomsTech spoke with an internet security expert to explain the mechanics and implications.

Our expert is Nick Hatter, who has experience identifying and explaining security risks.

Hatter explains that while Kickstarter and many sites store passwords using hash functions, those systems can be less secure than people expect—especially given the growing availability of powerful computing resources.

He offers a simple example: if a password is “password,” its SHA-1 (Secure Hash Algorithm-1) hash would be 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8.

“If I were trying to crack a password,” Hatter says, “I would run the SHA-1 algorithm over a large list of dictionary words. With enough computing power, you can do it.”

More robust approaches like quantum-based cryptography, which rely on measuring the properties of changing photons, can offer stronger protection, but those technologies are not widely deployed for routine web authentication.

Is there a practical way to substantially improve security for hash-based systems? Not perfectly, but Hatter recommends measures that can significantly slow attackers.

“One effective technique is to add a ‘salt’ to the hash,” he explains. “When computing a stored value for a password, you might use sha1(password + salt).”

Using a unique salt per user increases the work required to break hashed passwords. Attackers would have to brute-force the hash separately for each account because each hash incorporates a different salt. That’s far more time-consuming than cracking unsalted hashes in bulk.

If an attacker obtains the hashed passwords but not the salts, cracking becomes much harder. Fortunately, Kickstarter confirmed it uses salts in its password storage, a practice many websites still do not follow. Salting helps, but it is not a guarantee of invulnerability.

A further risk for end users is that even hashed passwords can be reversed if the hash appears in databases used by reverse-hash lookup services. Hatter demonstrated this by looking up an example hash.

He entered the hash b70629d36f3cf2fcd224c012bc7b7cb58ad96e76, which returned the plaintext “coolbeans12.”

If that is your password, you should change it immediately and avoid using the same password across multiple sites.
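To make the mechanics described above concrete, here is an added Python example (not code from the article, from Kickstarter, or from Hatter). It reproduces the SHA-1 digest of "password" quoted earlier, builds the kind of precomputed table a reverse-hash lookup service holds, and stores passwords in the sha1(password + salt) form Hatter describes, showing why the same table stops working once each account has its own salt. It goes slightly beyond the text by also showing a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library), which is where the "slow attackers down" advice leads in practice. The wordlist, account passwords and function names are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample wordlist; it stands in for the "large list of dictionary
# words" whose hashes a reverse-hash lookup service would precompute.
WORDLIST = ["letmein", "password", "coolbeans12", "qwerty", "correcthorse"]


def sha1_hex(data: bytes) -> str:
    """Hex SHA-1 digest; sha1_hex(b"password") is the value quoted in the article."""
    return hashlib.sha1(data).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Hash every word ONCE. The resulting table is reusable against every
    unsalted SHA-1 hash ever leaked, which is why lookup services work."""
    return {sha1_hex(w.encode()): w for w in words}


def reverse_hash(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Reversing an unsalted hash is a single dictionary lookup, not a computation."""
    return table.get(stored_hash)


def table_hits(stored_hashes: Iterable[str], table: Dict[str, str]) -> int:
    """Count how many leaked hashes a precomputed table recovers with no extra work."""
    return sum(1 for h in stored_hashes if h in table)


def store_salted_sha1(password: str) -> Tuple[str, str]:
    """Per-user random salt in the sha1(password + salt) form from the article.
    The salt is stored next to the hash; it need not be secret to defeat a
    precomputed table, only unique, so each account must be attacked separately."""
    salt = os.urandom(16).hex()
    return salt, sha1_hex((password + salt).encode())


def verify_salted_sha1(password: str, salt: str, stored_hash: str) -> bool:
    """Recompute and compare in constant time so timing does not leak a partial match."""
    return hmac.compare_digest(sha1_hex((password + salt).encode()), stored_hash)


def store_pbkdf2(password: str, iterations: int = 600_000) -> Tuple[str, int, str]:
    """Beyond the article: a slow KDF multiplies the attacker's cost per guess by
    `iterations`, on top of the per-account cost that salting already imposes."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), iterations, dk.hex()


def verify_pbkdf2(password: str, salt_hex: str, iterations: int, stored_hex: str) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(dk.hex(), stored_hex)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    # Constructed "leaked database": three accounts, two of them using dictionary words.
    plaintexts = ("password", "coolbeans12", "long-unique-passphrase-42")

    unsalted = [sha1_hex(p.encode()) for p in plaintexts]
    print("unsalted hashes recovered by lookup:", table_hits(unsalted, table), "of", len(unsalted))

    salted = [store_salted_sha1(p)[1] for p in plaintexts]
    print("salted hashes recovered by the same table:", table_hits(salted, table), "of", len(salted))

    salt, h = store_salted_sha1("password")
    print("salted verify, correct password:", verify_salted_sha1("password", salt, h))
    print("salted verify, wrong password:  ", verify_salted_sha1("Password", salt, h))
```

Run as a script, the first line reports 2 of 3 unsalted hashes recovered for free and the second reports 0 of 3 for the salted ones: the table is useless against salted hashes, so an attacker must rehash the whole wordlist once per account. Salting alone still leaves SHA-1's speed untouched, which is what the PBKDF2 functions address by making every guess expensive.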

Part of the email Kickstarter sent to affected users reiterated basic precautions and guidance.

Update 1: Nick reminds users and developers of core security fundamentals:

1. Keep all systems and software patched and up to date.
2. Make security a central part of design. For example, Nick’s startup GiftGaming uses the Lift framework, which is designed to mitigate common OWASP Top 10 vulnerabilities like XSS, injection, and CSRF.
3. Never trust input from users—validate and sanitize everything.
4. Consider security beyond just the application and server—think about physical security and operational practices as well.

(All views expressed are Nick Hatter’s own and do not represent his former employers or associates.)

What do you think about the Kickstarter breach and the security advice presented here?

Nick is currently promoting his in-game advertising startup, GiftGaming.