I used to assume that if I hashed a password, it was essentially bulletproof. This was great: a one-way transformation that attackers couldn't reverse, let alone read. Then Plex was hacked, and I learned that hashing alone wasn't good enough.

So what happened? And what can we take away? Let's not over-complicate matters.
The Plex Incident
Plex is a well-known media streaming platform that was hacked and left compromised. The attackers were able to access the database of hashed passwords. Plex assumed those passwords were safe because they had been hashed with bcrypt, even though the attackers had already broken into the organization.

However, the attackers were not required to crack every hash. They were able to find other weaknesses in the Plex system to cause pain for customers, and the hashing by itself was insufficient.

Hashing protects the passwords stored by the site or application, but it does not protect you from everything else.
Why Hashes Alone Can Fail
Consider hashes the same way you would treat your password after putting it through a shredder. Once the password has been shredded, you know that reconstructing it from the shreds would be challenging, but not impossible if you know the shredder's pattern.

Below are the reasons hashes by themselves can fail:

• Weak passwords – a weak password can still be guessed easily, even if the hashing method is strong.
• Poor setup – if salts (additional random data attached to the password) are not used, or are reused, the attacker's job gets easier.
• Password reuse – if you use the same password on other sites, a leak at one site exposes everything you use that password for.
• Device leaks – attackers can also pilfer login tokens, emails, or password hints that help them bypass the password entirely.

In short: hashing is good, but it is not everything.
Advancing Default Security
Want more security? Hash that password and add a few more steps:
- Use a different salt for each password, so that identical passwords produce different hashes and the attacker cannot crack them all with one precomputed table.
- Use rate limiting: don't allow too many failed login attempts.
- Use two-factor authentication (2FA) to add another layer of security.
- Use a strong, unique password (a long one, not a short or common one).
And make sure you are checking your environment for unusual activity. Most breaches had nothing to do with whether the passwords were hashed correctly; they happened because someone ignored the indicators.
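The per-password salt and rate-limiting steps above, as an added example that is not Plex's code or anything from the original post. It uses scrypt from Python's standard library in place of bcrypt, stores a constructed in-memory user table instead of a real database, and locks an account after MAX_FAILURES failed attempts; the cost parameters and lockout threshold are illustrative assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed in-memory "user table"; a real application would persist these columns.
USERS: dict = {}

MAX_FAILURES = 5  # assumed rate-limit threshold: lock the account after this many misses


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt per password means two
    users with the same password get different digests, so cracking one hash
    gives the attacker nothing toward the other."""
    if salt is None:
        salt = os.urandom(16)
    # scrypt is memory-hard; these parameters are illustrative, tune them for your hardware.
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def register(username: str, password: str) -> None:
    """Store only the salt and digest, never the password itself."""
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "failures": 0, "locked": False}


def login(username: str, password: str) -> str:
    """Return 'ok', 'bad' or 'locked'. Failed attempts are counted per account so a
    guessing campaign is throttled long before a weak password is found."""
    user = USERS.get(username)
    if user is None:
        # Still pay the cost of one hash so a missing user cannot be detected by timing.
        hash_password(password, b"\x00" * 16)
        return "bad"
    if user["locked"]:
        return "locked"
    _, candidate = hash_password(password, user["salt"])
    # Constant-time comparison avoids leaking how many bytes of the digest matched.
    if hmac.compare_digest(candidate, user["hash"]):
        user["failures"] = 0
        return "ok"
    user["failures"] += 1
    if user["failures"] >= MAX_FAILURES:
        user["locked"] = True
        return "locked"
    return "bad"
```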
The Real Lesson
Whether you write your own programs or use online services, hashing is just one piece of the password security puzzle. As the Plex breach has shown, even with a good hash and solid overall security, one small mistake can lead to total compromise. So the next time you say to yourself, "my password is secure, it is hashed," ask yourself: is it secure, or merely hidden?