    Smart cryptography may help limit the damage from the MyFitnessPal megabreach

    The fitness app uses a technology called bcrypt that will give the hackers a serious headache.

    It doesn’t look good for Under Armour. The apparel giant and owner of the diet-tracking app MyFitnessPal just suffered one of the biggest data breaches in cybersecurity history, with hackers getting away with information including the usernames, e-mail addresses, and passwords associated with approximately 150 million accounts.

    But not all hacks are equally disastrous, and this one could turn out to be less damaging than some other huge leaks thanks to Under Armour’s use of a technology called bcrypt to shield many of the stolen passwords.

    To appreciate why bcrypt matters, some background on cryptographic defenses helps. The basic approach to shielding passwords involves “hashing,” which converts each one into a fixed-length string of characters that looks random; it is these strings, not the passwords, that are stored in the database. When someone logs in with a plain-text password, it is hashed and the result is compared with the hash retrieved from the database; if there’s a match, access is granted. If hackers break into the database, all they get are the hashes, not the actual passwords.

    Hashes aren’t designed to be reversed into plain text, but that doesn’t stop the bad guys from trying. Among the tactics they use are “dictionary attacks,” which involve hashing common passwords and phrases to see if any of them match the stolen hashes, and “brute-force attacks,” which try every possible combination of characters up to a given length to unravel a hash.

    To make hackers’ lives harder, smart defenders often use “salting,” which is crypto-speak for adding randomly generated characters to a plain-text password before it’s hashed, with a different salt for each account. This ensures that two users who pick the same password won’t end up with the same hash. While salting is a bane to hackers, they can still try to break each salted hash individually using brute-force and dictionary attacks.

    That’s where bcrypt comes in. In addition to using salting, it extends the amount of time it takes to run a hash function by requiring multiple rounds of computation to get to a result. “It’s deliberately designed to be colossally slow,” explains Paul Kocher, senior technology advisor at Rambus and a well-known cryptography expert.

    “Slow” here is still measured in milliseconds, so the impact on the user’s experience of logging into an app or site is barely noticeable. But even very small delays can frustrate hackers using high-end computer hardware to try to run through billions of hashes a second. Technologies like bcrypt give businesses more time to respond to a breach, and users more time to change their passwords. Under Armour was smart to use bcrypt, though why it didn’t apply it to all of the passwords associated with MyFitnessPal remains a mystery. (The ones not covered by it were protected using a weaker hashing function known as SHA-1.)
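The three ideas above, plain hashing, per-user salting and a deliberately slow work factor, side by side in an added example that is not from the article or from Under Armour. It assumes constructed sample accounts and, because it only needs the standard library, uses PBKDF2 as a stand-in for bcrypt’s salt-plus-cost design (the internals differ, the two defensive ideas are the same).

```python
import hashlib
import hmac
import os
import time

# Constructed sample accounts for the demonstration; two users share a password.
USERS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "c0rrect-h0rse"}

def sha1_unsalted(password: str) -> str:
    """The weaker scheme the article says covered some MyFitnessPal passwords:
    one unsalted SHA-1 pass, so equal passwords produce equal digests."""
    return hashlib.sha1(password.encode()).hexdigest()

def shared_unsalted(users: dict) -> list:
    """Group users whose unsalted digests are identical (the leak salting fixes)."""
    by_digest = {}
    for name, pw in users.items():
        by_digest.setdefault(sha1_unsalted(pw), []).append(name)
    return [sorted(names) for names in by_digest.values() if len(names) > 1]

def slow_salted_hash(password: str, salt: bytes, rounds: int) -> bytes:
    """Stand-in for bcrypt's design: per-user salt plus a tunable work factor.
    Assumption: PBKDF2-HMAC-SHA256 from the standard library is used because it
    ships with Python; bcrypt's internals differ but the two ideas are the same."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def enroll(password: str, rounds: int = 200_000) -> dict:
    """Store a fresh random salt, the work factor and the digest, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "rounds": rounds,
            "digest": slow_salted_hash(password, salt, rounds)}

def verify(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    candidate = slow_salted_hash(attempt, record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["digest"])

def seconds_per_hash(rounds: int) -> float:
    """Cost of one guess at a given work factor: what every cracking attempt pays."""
    start = time.perf_counter()
    slow_salted_hash("sunshine1", b"fixed-salt-for-timing", rounds)
    return time.perf_counter() - start

if __name__ == "__main__":
    print("users sharing an unsalted SHA-1 digest:", shared_unsalted(USERS))
    records = {name: enroll(pw) for name, pw in USERS.items()}
    print("alice and bob share a salted digest:", records["alice"]["digest"] == records["bob"]["digest"])
    for rounds in (1, 200_000):
        print(f"rounds={rounds}: {seconds_per_hash(rounds):.6f} s per guess")
```

Raising `rounds` is the knob that turns a hash from microseconds into milliseconds for the legitimate login and, multiplied across billions of guesses, into the delay the article describes.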

    The fact that bcrypt can only delay hackers, not thwart them altogether, means it’s still really important to change passwords fast if you’re notified that a service you use has been breached, and to avoid using the same password across multiple applications. It’s also why it pays to use hard-to-guess passwords rather than common ones that can be quickly unpicked by hash-cracking hackers.
