
When Under Armour announced that its nutrition app MyFitnessPal had suffered a data breach impacting the information of roughly 150 million users, things actually didn't seem so bad. Of course, it's never good when personal data ends up online, much less that of so many people, but it seemed like Under Armour had at least taken reasonable precautions. But it turns out Under Armour only sort of got things right.

Given how many high-profile data breaches have caused significant damage over the years, it's critical for companies that hold sensitive data to build their systems in ways that limit the potential fallout. On that front, the Under Armour hack incident contains some (relatively) good news. The intrusion only exposed usernames, email addresses, and passwords, indicating that Under Armour's systems were at least segmented enough to protect the crown jewels, like birthdays, location information, or credit card numbers, from being scooped up. And the company says that the breach occurred in late February and was discovered on March 25, meaning it did a public disclosure in under a week. That's laudably fast; remember, Uber took over a year to fess up to its data-theft woes.

Under Armour also said that it had used the well-regarded password hashing function "bcrypt" to convert most of the passwords it stored into chaotic, unintelligible assortments of characters. When implemented properly, this cryptographic process makes it incredibly resource- and time-consuming for attackers to attempt to "crack" the passwords and revert them to their useful form; after bcrypt hashing, a strong password can take decades to break, if not longer. As a result, even when hashed passwords leak they are still protected.

"Bcrypt is designed to be extremely slow and SHA-1 is designed to be extremely fast," says Kenneth White, director of the Open Crypto Audit Project. SHA-1 requires less computing resources devoted to implementing and managing a hashing scheme, making it an appealing option, especially if you don't understand the tradeoff you're making. "The vast majority of developers think they're both types of hashes." The speed hit is well worth it from a security standpoint, though.
