nGuard

Call us p. 704.583.4088
Client PortalSpeak to An Expert

nist

NIST’s Retirement of SHA-1: The Clock is Ticking

Introduction
The National Institute of Standards and Technology (NIST) has announced that the SHA-1 algorithm, one of the first widely used methods of protecting electronic information, has reached the end of its useful life. This algorithm, which has been in use since 1995 as part of the Federal Information Processing Standard (FIPS) 180-1, is a slightly modified version of SHA, the first hash function the federal government standardized for widespread use in 1993. As today’s increasingly powerful computers are able to attack the algorithm, NIST has announced that SHA-1 should be phased out by December 31, 2030, in favor of the more secure SHA-2 and SHA-3 groups of algorithms.

Importance of SHA-1
SHA-1, whose initials stand for “secure hash algorithm,” has served as a building block for many security applications such as validating websites, SSL certificates and digital signatures. It secures information by performing a complex mathematical operation on the characters of a message, producing a short string of characters known as a hash. It is impossible to reconstruct the original message from the hash alone, but knowing the hash provides an easy way for a recipient to check whether the original message has been compromised, as even a slight change to the message alters the resulting hash dramatically. However, today’s more powerful computers can create fraudulent messages that result in the same hash as the original, potentially compromising the authentic message. These “collision” attacks have been used to undermine the security of SHA-1 in recent years.

Recommendations
At nGuard, we recommend that organizations still using SHA-1 for security conduct a thorough network and database assessment to identify and address vulnerabilities. Our team of experts can assist with this transition by identifying any instances of SHA-1 usage and recommend a migration plan. Additionally, our web application testing can also lead to the discovery of data hashed with SHA-1, further highlighting the need for an upgrade.

Conclusion
In conclusion, SHA-1 has reached the end of its life, and organizations should consider migrating to the more secure SHA-2 or SHA-3 algorithms as soon as possible. It is important to note that NIST will stop using SHA-1 in its last remaining specified protocols by Dec. 31, 2030. And by that date, NIST plans to:

  • Publish FIPS 180-5 (a revision of FIPS 180) to remove the SHA-1 specification.
  • Revise SP 800-131A and other affected NIST publications to reflect the planned withdrawal of SHA-1.
  • Create and publish a transition strategy for validating cryptographic modules and algorithms.

As a result, modules that still use SHA-1 after 2030 will not be permitted for purchase by the federal government. Companies have eight years to submit updated modules that no longer use SHA-1. Because there is often a backlog of submissions before a deadline, we recommend that developers submit their updated modules well in advance, so that The Cryptographic Module Validation Program (CMVP) has time to respond.

Password Guidelines You Need To Know

Conventional wisdom says passwords should be longer than 8 characters, they should contain complexity with upper case, lower case, numbers, and symbols, and Rotating passwords periodically is crucial to prevent them from being compromised. Consider rethinking your password requirements if this is still how you instruct your employees. In this security advisory, nGuard will lay out the password requirements you should be utilizing for employees.

Entropy is defined as “a measure of the amount of uncertainty an attacker faces to determine the value of a secret.” Traditionally, it was believed that entropy could be increased by requiring users to change their passwords frequently and by increasing the complexity of passwords. We now know that this is not the case. Length alone can provide password entropy at any level. Furthermore, if you change your passwords numerous times a year, you may find it difficult to remember passwords with high levels of complexity. Let’s take a look at some examples:

Password: nGu@rd2022!

This is an 11-character password with a high level of complexity. According to security.org, it would take a computer about 400 years to crack this password using brute force methodology. Engineers at nGuard say this password has a high probability of being cracked very quickly. It uses the company name with some common substitutions such as the “@” instead of the “a.” It also uses the current year, which is common among companies that force password changes on a regular basis.

Password: nGuard is a leading provider of security

This is a 40-character password with a low level of complexity. According to security.org, it would take a computer about 88 septendecillion years to crack this password using brute force methodology. Septendecillion is a 1 followed by 54 zeros. That’s a lot! The length of this password makes it more difficult to crack, but it is easier to remember and type out. Passwords like this won’t need to be changed unless they become compromised through social engineering or some form of clear-text password compromise.

In order to avoid forcing users to reset their password on a regular basis, nGuard recommends using password phrases like the example above. Set up alerts to notify IT when a specific account experiences too many failed login attempts. Additionally, limit the number of failed login attempts allowed within a certain time frame. With nGuard’s Managed Event Collection & Correlation (MECC) service, these types of things can be monitored. For an organization to maintain a strong password posture, that’s all you need to do. Your organization’s password security posture will be at the forefront of the industry if you do all of this and implement multi-factor authentication if possible.

Following the implementation of a strong password policy, nGuard can provide a variety of services to make sure you’re on the right path. Password Database Audits allow you to test the strength of your passwords against industry leading password crackers. By performing an internal penetration test, you can make sure that passwords are not being stored on machines in a way that makes them insecure (for instance, in plaintext).