It doesn’t look good for Under Armour. The apparel giant and owner of the diet-tracking app MyFitnessPal just suffered one of the biggest data breaches in cybersecurity history, with hackers getting away with information including the usernames, e-mail addresses, and passwords associated with approximately 150 million accounts.
But not all hacks are equally disastrous, and this one could turn out to be less damaging than some other huge leaks thanks to Under Armour’s use of a technology called bcrypt to shield many of the stolen passwords.
To appreciate why bcrypt matters, some background on cryptographic defenses helps. The basic approach to shielding passwords involves “hashing,” which converts them into random strings of characters stored in a database. When someone logs in with a plain-text password, the hashed version of this is checked against the hash of their password retrieved from the database; if there’s a match, access is granted. If hackers break into the database, all they get are the hashes, not the actual passwords.
Hashes aren’t designed to be reversed into plain text, but that doesn’t stop the bad guys from trying. Among the tactics they use are “dictionary attacks,” which involves hashing common passwords and phrases to see if these match the encrypted data that’s been stolen, and “brute-force attacks,” which try every possible combination of characters up to a given length to unravel a hash.
To make hackers’ lives harder, smart defenders often use “salting,” which is crypto-speak for appending randomly generated characters to a plain-text password before it’s hashed. This ensures that no two passwords can have the same hash. While salting is a bane to hackers, they can still try to break individualized ciphers using brute-force and dictionary attacks.
That’s where bcrypt comes in. In addition to using salting, it extends the amount of time it takes to run a hash function by requiring multiple rounds of computation to get to a result. “It’s deliberately designed to be colossally slow,” explains Paul Kocher, senior technology advisor at Rambus and a well-known cryptography expert.
“Slow” here is still measured in milliseconds, so the impact on the user’s experience of logging into an app or site is barely noticeable. But even very small delays can frustrate hackers using high-end computer hardware to try to run through billions of hashes a second. Technologies like bcrypt give businesses more time to respond to a breach, and users more time to change their passwords. Under Armour was smart to use bcrypt, though why it didn’t apply it to all of the passwords associated with MyFitnessApp remains a mystery. (The ones not covered by it were protected using a weaker hashing function known as SHA-1.)
The fact that bcrypt can only delay hackers, not thwart them altogether, means it’s still really important to change passwords fast if you’re notified that a service you use has been breached, and to avoid using the same password across multiple applications. It’s also why it pays to use hard-to-guess passwords rather than common ones that can be quickly unpicked by hash-cracking hackers.
AI-powered 6G networks will reshape digital interactions
The convergence of AI and communication technologies will create 6G networks that make hyperconnectivity and immersive experiences an everyday reality for consumers.
The power of green computing
Sustainable computing practices have the power to both infuse operational efficiencies and greatly reduce energy consumption, says Jen Huffstetler, chief product sustainability officer at Intel.
Using data, AI, and cloud to transform real estate
AI can enable business transformation to deliver positive outcomes for clients and propel sustainability goals, according to Sandeep Davé, chief digital and technology officer at CBRE.
How this Turing Award–winning researcher became a legendary academic advisor
Theoretical computer scientist Manuel Blum has guided generations of graduate students into fruitful careers in the field.
Get the latest updates from
MIT Technology Review
Discover special offers, top stories, upcoming events, and more.