In an FAQ posted Thursday following news of a security breach in which 500 million user accounts were compromised, Yahoo covered the basics: what sorts of information hackers stole, what to do next. And then there’s a bunch of information on the measures Yahoo takes to secure passwords. That technology can come across as gobbledygook, and that’s certainly the case on the Yahoo webpage.
There are different ways websites can store your password so that, when you come back and enter it again, they can tell it's you. If you walked away from that FAQ wondering what the heck hashing, bcrypt and salting mean, here you go.
Hashing is often described as a form of encryption, but it is not one: a hash function turns a password into a fixed-length digest that cannot be run backwards to recover the original, and there is no key that would let anyone do so. A toy substitution code, say a=1, b=2, gets at the intuition, because a code like that can be undone by anyone who has the table. "You secure the data in a way that somebody can't just steal your conversion table and suddenly reverse-engineer all the data," said Fred Cate, a cybersecurity professor at Indiana University.
Hashing, then, lets a site avoid storing the password itself. It keeps only the digest and, at login, hashes what you typed and checks whether the result matches.
bcrypt is a hashing algorithm designed specifically for passwords. Think of it as the next level of security: it is deliberately slow, repeating its internal mixing a configurable number of times (the "cost" or work factor), so that every guess an attacker makes costs real computing time. Salting is a separate idea that bcrypt also builds in. "And salting," Cate said, "is where as part of the encryption process you add other irrelevant data."
A salt is a random value, stored alongside the hash, that is mixed in with the password before hashing. Two users who chose the same password end up with different hashes, so an attacker cannot precompute one table of common words and check it against every stolen account at once; each account has to be attacked on its own. That is why salting matters most when people use common words as passwords. The work factor is what makes each of those attempts expensive, and it is also the downside: "It's computationally resource intensive is the way we would put it," Cate said.
In other words, the slowness that punishes an attacker's guesses applies equally to every legitimate login, because the server has to run the same computation once to check the password. Cate said Yahoo wants security, but it also doesn't want to frustrate its users by having them wait every time they sign in, adding that some users find even a few extra seconds annoying.
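The three ideas above, a one-way hash, a per-user salt, and a tunable cost, as an added example that is not from the article or from Yahoo. It is Python using only the standard library; PBKDF2-HMAC-SHA256 stands in for bcrypt (which is not in the standard library), and the user list and the attacker's wordlist are constructed for the demo. It shows why two accounts with the same unsalted hash fall to one precomputed table, and why salted, slow hashes force the attacker to redo expensive work per account.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the article): three accounts, two of which
# chose the same very common password.
USERS: Dict[str, str] = {
    "alice": "password",
    "bob": "password",
    "carol": "correct horse battery staple",
}

# Constructed stand-in for an attacker's precomputed table of common passwords.
COMMON_PASSWORDS: List[str] = ["123456", "password", "qwerty", "letmein"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: one-way, but fast and deterministic.
    Every account that chose the same password gets the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(digests: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Attack on unsalted hashes: hash the wordlist ONCE, then look every
    leaked digest up in that table. Returns {user: recovered_password}."""
    table = {unsalted_hash(word): word for word in wordlist}
    return {user: table[d] for user, d in digests.items() if d in table}


def make_record(password: str, iterations: int = 100_000, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow password hash.

    Assumption: PBKDF2-HMAC-SHA256 from the standard library stands in for
    bcrypt here. The construction (random salt, tunable cost, both stored
    next to the hash) is what bcrypt also does; only the algorithm differs.
    Record layout: algorithm$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record, stored in the clear
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Login check: re-derive with the stored salt and cost, compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(records: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Attack on salted, slow hashes: no shared table is possible, so every
    candidate must be re-derived per account with that account's salt and cost.
    Returns ({user: recovered_password}, number_of_slow_derivations_performed)."""
    hits: Dict[str, str] = {}
    work = 0
    for user, record in records.items():
        for word in wordlist:
            work += 1
            if verify(word, record):
                hits[user] = word
                break
    return hits, work


if __name__ == "__main__":
    digests = {u: unsalted_hash(p) for u, p in USERS.items()}
    print("unsalted, cracked with one shared table:", crack_unsalted(digests, COMMON_PASSWORDS))

    records = {u: make_record(p) for u, p in USERS.items()}
    hits, work = crack_salted(records, COMMON_PASSWORDS)
    print("salted and slow, cracked only by per-account guessing:", hits)
    print(f"slow derivations needed: {work} (vs. {len(COMMON_PASSWORDS)} fast hashes above)")
```

Weak passwords still fall either way; what salting plus a work factor buys is that the attacker's cost scales with the number of accounts times the cost per guess, instead of being paid once for everyone. Raising `iterations` is the knob the article's tradeoff is about: each legitimate login pays it once, every attacker guess pays it too.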
But not everyone’s password gets this level of security. Yahoo said it uses bcrypt on “the vast majority” of hashed passwords. Amber Steel, product marketing manager with LastPass, a password manager, said the number of users with lower-level password protection can be big. “Now, even if only 5 or 10 percent haven’t been, I mean that’s still a huge number when you’re talking about 500 million accounts being affected,” she said.
A Yahoo spokesperson emailed this statement: "We shared as much specificity in our press release and Tumblr as possible, including using the words bcrypt and hashed password, since those terms are important to understanding the potential effects of the theft. While these terms may be unfamiliar to some, knowing that your password was bcrypt protected and hashed informs a user that it would still require the adversary considerable expertise and resources to use it. We defined bcrypt and hashed password in our FAQ page for those who want more information."