After the news broke that a hacker had stolen the account details of 17 million registered users of India's largest restaurant search and discovery service, Zomato, the company issued a statement saying it uses a foolproof way to store passwords.
"Although the users' names and email addresses were accessed, the security with which Zomato stores passwords means that they are still secure. The passwords are hashed and salted," the company said. The hashed version "can't be converted back to the original password", the blog post further said.
When Troy Hunt, an Australian security expert, questioned Zomato's claim that "the hashed password cannot be converted/decrypted back to plain text – so the sanctity of your password is intact in case you use the same password for other services," the company updated its blog, saying:
"We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text," Zomato said.
Unless you're doing something very unusual @Zomato, this is very misleading and you should consider revising it https://t.co/c3MJlEfRAj pic.twitter.com/bMUNmo9A49
— Troy Hunt (@troyhunt) May 18, 2017
So does it mean that hackers cannot crack Zomato users' passwords because they are hashed and salted?
Not necessarily: it depends a lot on the type of hashing Zomato has used.
What is password hashing?
When cyber-criminals hack into a company and get access to users' passwords, they generally end up with data in a form that is not readable by humans: the passwords have been mathematically transformed into scrambled representations of themselves, such as cryptographic hashes that look like random strings of characters. This transformation is called "hashing."
Depending on the type of hashing involved, it may take a hacker years to recover the original passwords, or just a few hours.
And don't be surprised if major tech companies make the mistake of deploying a weak hash.
LinkedIn suffered a security breach in 2012, and four years later, in May 2016, 177 million user accounts were up for sale on a hacker site. The company reportedly used a relatively weak hashing function without extra protections, allowing hackers to easily crack the stolen passwords.
Hackers keep guessing
After hackers steal password hashes, they simply run guessed passwords through a hash-cracking programme. When the hash of a guess matches a stolen hash, they know they have found the right password.
So, when hackers get a hash-cracking programme running on a large database of hashed passwords, it keeps guessing millions or billions of possible passwords and comparing the results with the stolen hashes until matches are found.
To speed up their guessing, hackers have also developed "rainbow tables": lists of pre-computed hashes for vast numbers of possible passwords. They have also been using collections of known passwords from past hacks, as well as statistical analyses of those passwords, to make their guessing faster.
Salting makes hash-cracking slower
To defeat pre-computation of hashed passwords and slow down hash-cracking, security experts now use a technique called "salting," which adds a random, unique string of characters to each user's password before it is hashed. Because the salt differs per user, two users with the same password end up with different hashes, and a table pre-computed without the salt no longer matches anything.
Salting, therefore, makes a hacker's task much more difficult, but it doesn't necessarily prevent a determined attacker from cracking a password: hackers have tools built specifically for cracking large volumes of salted password hashes.
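The difference between the weak scheme described under "Hackers keep guessing" and the salted, iterated scheme Zomato describes can be seen in a few lines of code. The following Python example is added here for illustration; it is not Zomato's code, and the user table, guess list, record layout (iterations$salt_hex$hash_hex) and PBKDF2 iteration count are all constructed assumptions. It contrasts unsalted SHA-1, where identical passwords produce identical hashes and a pre-computed table recovers them with a single lookup each, against per-user salts plus PBKDF2-HMAC-SHA256, where every guess has to be rehashed for every user at the chosen work factor.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not real breach data): a small user table and a
# short guess list standing in for the wordlists that cracking tools use.
USERS = {
    "alice": "password123",
    "bob":   "letmein",
    "carol": "password123",   # same password as alice
    "dave":  "Tr0ub4dor&3",   # not in the guess list
}
GUESS_LIST = ["123456", "password", "password123", "letmein", "qwerty"]

ITERATIONS = 100_000  # assumed PBKDF2 work factor; tune to your own hardware


def weak_store(password):
    """Unsalted, single-round SHA-1: fast to compute, and equal passwords give equal hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def precompute(guesses):
    """Build a hash -> password lookup once; this is what a pre-computed table is."""
    return {weak_store(g): g for g in guesses}


def recover_weak(stored, table):
    """With unsalted hashes every stolen hash is one dictionary lookup; no rehashing needed."""
    return {user: table[h] for user, h in stored.items() if h in table}


def strong_store(password, salt=None, iterations=ITERATIONS):
    """Random per-user salt plus PBKDF2-HMAC-SHA256 with many iterations.
    The record layout iterations$salt_hex$hash_hex is an assumption for illustration."""
    salt = secrets.token_bytes(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def strong_verify(password, record):
    """Login check: recompute with the stored salt and iteration count, compare in constant time."""
    iters, salt_hex, hash_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def recover_strong(stored, guesses):
    """Against salted, iterated hashes a pre-computed table is useless: each guess must be
    rehashed per user with that user's salt. Returns (recovered, number of PBKDF2 runs)."""
    recovered, runs = {}, 0
    for user, record in stored.items():
        for guess in guesses:
            runs += 1
            if strong_verify(guess, record):
                recovered[user] = guess
                break
    return recovered, runs


def duplicate_hashes(stored):
    """Count users whose stored hash is shared with another user; salting should make this 0."""
    counts = {}
    for h in stored.values():
        counts[h] = counts.get(h, 0) + 1
    return sum(c for c in counts.values() if c > 1)


if __name__ == "__main__":
    weak = {u: weak_store(p) for u, p in USERS.items()}
    print("unsalted SHA-1: duplicate hashes =", duplicate_hashes(weak),
          "| recovered by table lookup =", recover_weak(weak, precompute(GUESS_LIST)))
    strong = {u: strong_store(p, iterations=1000) for u, p in USERS.items()}
    rec, runs = recover_strong(strong, GUESS_LIST)
    print("salted PBKDF2: duplicate hashes =", duplicate_hashes(strong),
          "| recovered =", rec, "after", runs, "PBKDF2 runs of 1000 iterations each")
```

The point the run makes is the one the article makes: alice and carol share a hash under the weak scheme and both fall to a single lookup, while under the salted scheme their records differ and every guess costs a full PBKDF2 computation per user. The weak passwords are still recovered in the end, so salting and iterations buy time rather than immunity, which is why the per-user work factor and the users' password choices matter as much as the presence of a salt. A duplicate-hash count over your own password table is a cheap check that the salt is actually unique per user.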
The Zomato hacking incident came to light after a security blog called Hackread reported that a vendor going by the online handle of "nclay" had hacked Zomato, and put the stolen data up for sale on the dark web for $1,001.43 (BTC 0.5587).
Zomato, which claims over 120 million user visits every month, had previously been hacked by an Indian ethical hacker named Anand Prakash, who pointed out a critical security flaw in Zomato's data recall system and later informed the company about it.