First of all, this article is not only for techies but also for everyone else who wants to know what happens to their passwords. Note that, any time your passwords can be cracked. So, let’s quickly dive into the concepts.
A simple approach of storing passwords is creating a database table and storing the username and passwords for each mapping user. The most basic, but also the least secure, password storage format is clear-text (plain text). But once(plain text) the database is compromised, the attacker could get easy access to the user accounts in the database. For that, passwords were hashed and then stored in the database for security reasons. Let’s dive deeper.
There are lots of definitions to hashing in many websites, but simply Hashing is the process of converting a variable-length text into a fixed-length and more random output string. A hash function is used to generate this output string according to mathematical algorithms. Here the result of the hash function is known as a hash or a message digest.
Hashing is generally used in many applications such as Message Digest, Password hashing, Data structures, Rabin-Karp algorithm etc. Among them, password hashing always takes an important place.
User passwords will be passed through a chosen hashing algorithm that performs a mathematical transformation on it, creating a hash value. This hash value will be represented in any format such as hexadecimal, Base64 etc.
Important Properties of Password Hashing Function
- Hashing is a one-way function (irreversible)
Generally, the message digest/hash value is computed from the original passwords through a hashing function. But when using hashing functions, we must not be able to find the original passwords by looking at the hash value. This property is called irreversible.
So, even if the database is compromised and the attacker got all the hash values for respective usernames, the attacker couldn't be able to obtain the original password from the hash value using the hashing function.
2. Avalanche effect of the hash function.
An important and desirable feature of a good hash function is the non-correlation of input and output. This means that a small change in the input password will have a big impact on the output hash value making it as a more random. This property is called the avalanche effect.
So, an attacker cannot be able to make forecasts about the input if given only the output.
If the hash function does not exhibit the avalanche effect to a certain degree, then it has poor randomization. This may be sufficient to partially or completely crack the algorithm. So, it is not preferable to use those kinds of hash functions.
3. Same input password through the hash function gives the same output hash value.
Hash values obtained through a particular hashing function using the same input passwords will be the same.
Then only, the user can be authenticated when he/she enters the username and password every time.
Whenever the user enters the password with his/her username, the entered password will be hashed with the hash function and the resultant hash value will be checked with the hash value which is stored in the database. Above said property helps in the authentication of users.
Most Common Password Security Attacks
- Brute force attack
A brute force attack or an exhaustive search is a common attack which compares all the hash value of possible combinations of a targeted password until the correct password is discovered.
The brute force attack is time-consuming since it needs to try on all the combinations of the targeted password. Anyhow, it will take a few seconds to crack a weak password without any effort.
That is why users are always expected to use longer and more complex passwords which include all the types of characters. This will increase the combinations of the password which needs to be tried on to crack a password.
Note :- Having usernames, pet names, birth dates, other user related data in the password should be prohibited. While brute forcing, combinations of the above user related data will be tried out initially. This increases the possibility of the password being easily cracked.
2. Rainbow table attack
Rainbow table is a pre-computed table which includes plaintext passwords and the respective hash value according to the hashing algorithm that is being used. These plain text passwords will be the most used passwords by the users.
When a database is compromised, the attacker will compare the password hash of the database and the rainbow table hash value. If anything matches, then the particular plain text password respective to that hash value can be found via the rainbow table.
That is why users were always expected to use random passwords than most commonly using passwords. It decreases the probability of the password being cracked.
Since the table is pre-computed, there will be no need of hashing to be performed after. So that, the time and cost consuming will used only for comparing the password hashes.
So that, Salting was invented as a protection for rainbow table attack.
According to OWASP Guideliness, a salt is a fixed-length cryptographically-strong random value that is added to the input of hash functions to create unique hashes for every input, regardless of the input not being unique. Salt is unique for every user and generally stored in the database along with the hashed password.
Due to the uniqueness of the salt, an attacker has to crack hashes one at a time using respective salts, rather being able to calculate a hash once and compare it against every stored hash. So that there is no use of rainbow tables since the table cannot be pre-computed until the salt is known from the compromised database.
So , the attacker has to try out all the combinations of the targeted password with the salt of the particular user from the compromised database.
Since the salts were unique for every user, the password hash for two same passwords will be different. So that the attacker cannot predict the same password of another user. This makes the life of an attacker even more harder.
Now a days, most of the hashing algorithms use salt as a security measure.
The things need to be considered.
Since the computing power grows up, the time taken to crack a password is decreasing dramatically. So that everyone should have to evolve according to that by taking precautionary measures.
- Password entropy value should be increased by the users. (Using more complex passwords)
- Industries need to use modern hashing algorithms which have high computational time and cost.
1. Password Entropy
Password entropy is the measurement of how random a password and how difficult a password to be cracked. This entropy is based on the set of characters used (Lowercase, Uppercase, Numbers and Symbols) and the length of the password.
The higher entropy passwords were harder to brute-force. Increasing the length of the password or increasing the type of characters being used will increase the password entropy value.
That is why users were expected to use strong password which were longer and more random by having all the types of above mentioned characters.
2. Modern Hashing Algorithms
Nowadays most industries using modern hashing algorithms such as Bcrypt, PBKDF2, and Argon2id. These hashing algorithms have high computational costs, which means that the time taken to hash a single password is comparatively higher than legacy hashing algorithms.
So, it increases the time takes to brute-force a password for an attacker (comparatively consumes more time and cost to crack a password). But the odd side of this is, it takes more time to authenticate the user. So, those modern hashing algorithms should have to be implemented to increase the security without much affecting the user experience.
In some circumstances, it is not possible to use modern hashing algorithms, usually due to the use of legacy language or environments. In that case, legacy hashing algorithms were used.
The most common legacy hashing algorithms which were used earlier are MD5, SHA-1, SHA-2 (SHA-256, SHA-512, etc). These hashing algorithms have low computational cost, which means the time taken to hash a single password is comparatively low when comparing with modern hashing algorithms. Even though user authentication happens real quick, the time taken to crack a password is also comparatively low. That is why it is not preferable in the modern era where computing power grows up.
Examples for popular compromised databases
- 5 million Google passwords leaked. (2014)
Be aware that your passwords should be changed once in 3 months at least.
2. 170 million LinkedIn credentials were leaked. (2012)
Top 20 passwords of LinkedIn users in 2012 (Source:- Leaked Source)
So, you should be aware when choosing your passwords. Beware, you are being watched.