Everybody has encountered them: complicated password policies that promise high data safety. To fight hackers, capital letters, a minimum length, numbers and special characters are often required and were, until a few weeks ago, the recommended standard. But are the passwords you use really as safe as you think they are?
The new password security measures at Grape
In collaboration with SBA Research, one of the leading research centres for information security, we have implemented the newest password security measures for our Grape customers. With the help of a secure programming interface, every new registration and every password change is checked to see whether the password you chose has been part of a previous data leak.
In recent years there have been quite a few hacker attacks in which millions of email addresses and passwords became available on the internet. Examples include the data breaches at LinkedIn and MySpace, which affected many users. Only recently, a dataset comprising 773 million email addresses and 22 million unique passwords appeared online. The “Have I Been Pwned?” service is able to recognise whether a password has been leaked before. Grape has integrated this interface for the security of our customers. This way we can ensure that only passwords that have not been shared online before are used, which further supports the password safety of our Grape customers.
Is this process really safer? How does it work?
Locally, we transform your password into a hash consisting of 40 characters. It is impossible to determine the original characters of the password from this hash. This way we can ensure that no sensitive data is disclosed during the check against the interface.
Only the first five characters of the 40-character hash are sent to the server. Therefore, your password never leaves Grape. The server ‘responds’ with approximately 100 hashes that share the same first five characters and that are already available online. We then check locally whether your password’s hash is among those 100 hashes. If there is a match, we suggest using a different password that has not been compromised in a previous data breach. Additionally, at every login the entered email address is also screened to ensure that it has not been leaked in the meantime. These mechanisms ensure the highest security measures for your Grape account.
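The prefix check described above, as an added example that is not Grape’s own code. It assumes the 40-character hash is a hex SHA-1 digest and that the server answers with `SUFFIX:COUNT` lines, as the Have I Been Pwned range API does; the server side and the “leaked” passwords are constructed stand-ins so the example runs offline.

```python
import hashlib
from typing import Dict, Tuple

# Constructed, offline stand-in for the breach corpus behind the range API.
# The counts are made up; the real service aggregates many leaks.
FAKE_LEAKED_PASSWORDS = {
    "password123": 120_000,
    "qwerty": 3_900_000,
    "letmein": 250_000,
}

def hash_password(password: str) -> Tuple[str, str]:
    """Hash locally and split the 40-char hex digest into the 5-char
    prefix that is sent and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fake_range_endpoint(prefix: str) -> str:
    """Simulated server (hypothetical): it only ever sees the 5-char prefix
    and answers with every known suffix sharing it, one 'SUFFIX:COUNT' per line."""
    lines = []
    for pw, count in FAKE_LEAKED_PASSWORDS.items():
        p, s = hash_password(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the server's text body into {suffix: count}; malformed lines count as 0."""
    result: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        result[suffix.upper()] = int(count) if count.isdigit() else 0
    return result

def pwned_count(password: str, fetch_range=fake_range_endpoint) -> int:
    """Return how often the password was seen in breaches (0 = not found).
    Only the prefix is handed to fetch_range; the suffix match happens locally,
    and a count of 0 is treated as not found."""
    prefix, suffix = hash_password(password)
    suffixes = parse_range_response(fetch_range(prefix))
    return suffixes.get(suffix, 0)
```

Swap `fetch_range` for a function that performs the real HTTPS request to use it against a live range endpoint; the matching logic stays unchanged.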
The service is available for Grape Cloud as well as for the on-premise solution. For the on-premise solution, however, the server has to be reachable and certain network requirements need to be met. Admins of organisations can also deactivate this interface when required; however, we would advise against doing so.
Definition of Hashing
“A hash function allows one to easily verify that some input data maps to a given hash value, but if the input data is unknown, it is deliberately difficult to reconstruct it (or any equivalent alternatives) by knowing the stored hash value. This is used for assuring integrity of transmitted data, and is the building block for HMACs, which provide message authentication.”