Friday, 18 April 2014

Hashing Passwords - Salting

While building a secure sign-in framework, we tend to use hashing, double hashing and hashing with multiple algorithms, assuming that these techniques make cracking a password slower. That is not really true!

We need to bear in mind that:

  • Cracking of passwords is not always done by brute force.
  • There are attacks that guess the password using special dedicated hardware and a pre-computed list of common passwords, a list which keeps growing.
  • The GPUs and hardware available now can compute billions of hashes per second.

Some very simple techniques can make cracking passwords extremely difficult. One of them which I'd like to highlight again is salting. It is simple to implement and difficult for the attacker to guess.

"Salting of passwords" is a simple yet powerful technique in which a random string is prepended or appended to the password before it is hashed. This makes each password unique after hashing as well. Unless the attacker knows the salt value, and provided the salt is long enough, neither brute force nor look-up tables are of much help in cracking the passwords.
It is important to understand that the salt must always be unique per user and per password.
If two users have the same password, they will not end up with the same hash once the salt is added. Salting must be practised correctly in combination with the right algorithm: some algorithms are weak and prone to hash collisions, which means two different strings produce the same hash.

In the case of salting, the two halves of the process look like this.

Saving the password to the database

  1. Once the user keys in the password, hash it.
  2. Generate the unique salt value.
  3. Save the hashed password and the salt value in the database.

The salt value should be different for every change of password.

Validating the password

  1. Hash the password keyed in by the user at the time of sign-in. The algorithm used for hashing must be the same as the one used while saving the password.
  2. Retrieve the stored value from the database for the keyed-in username and hashed password.
  3. Prepend or append the salt value and hash it. Please note, it is not mandatory that the salt value be prepended rather than appended; that is up to the developer. The retrieval and save logic simply have to use the same technique.
  4. If the values match, the authentication is successful.

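As an added example (not code from the original post), here are the save and validate steps above written in Python. The post does not name a hashing algorithm, so this example uses the standard library's PBKDF2-HMAC as the deliberately slow one; the in-memory `db` dict, the usernames and the `unsalted_hash` contrast function are all constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed demo: a plain dict stands in for the database table that holds
# the salt and the salted hash for each user.
HASH_NAME = "sha256"
ITERATIONS = 100_000   # slows down every guess an attacker with GPUs must make
SALT_BYTES = 16        # 128-bit random salt, unique per user and per password


def make_salt():
    """Fresh random salt; generated anew on every password change."""
    return os.urandom(SALT_BYTES)


def unsalted_hash(password):
    """Plain hash, shown only as a contrast: equal passwords give equal digests."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def salted_hash(password, salt, iterations=ITERATIONS):
    """Hash the password together with its salt using a slow key derivation."""
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations)


def save_password(db, username, password):
    """Save step: generate the salt, hash with it, store hash and salt together."""
    salt = make_salt()
    db[username] = {
        "salt": salt,
        "hash": salted_hash(password, salt),
        "iterations": ITERATIONS,
    }


def verify_password(db, username, password):
    """Validate step: re-hash the typed password with the stored salt and compare."""
    record = db.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so the response time
        # does not reveal whether the username exists.
        salted_hash(password, bytes(SALT_BYTES))
        return False
    candidate = salted_hash(password, record["salt"], record["iterations"])
    # Constant-time comparison: a plain == could leak how many leading bytes matched.
    return hmac.compare_digest(candidate, record["hash"])
```

Two users who pick the same password get different salts and therefore different stored hashes, whereas `unsalted_hash` returns the identical digest for both.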
I have found a link that could be of good use to those who want to understand this technique better, with code-level details and FAQs:
https://crackstation.net/hashing-security.htm
