I loved this blog by “No Bugs” Hare about Password Hashing and thought it's a great read for developers. Read it and enjoy! Here are some of the main highlights I took away ...
- What is hashing? It's a one-way transformation. It's NOT encryption. You cannot decrypt a hashed password if done correctly.
- Why do it? If an attacker gains access to your password table, you want to prevent him from gaining access to all user passwords.
- Can hashing be done wrong? If it's simple hashing, an attacker can create a dictionary of all possible passwords (or at least the most common) and do a lookup to see if any of your users have those passwords.
- What is salt? If my password is 'abc' and so is yours, salt will make the hash different. Thus dictionaries aren't helpful now because the password 'abc' can become many different hashes.
- Can a salted hashed database be cracked? Yes, if an attacker gets your database and has all your hashes and salts, he can take it to his lab and still try to guess every possibility for that salt.
- What makes offline cracking harder? There are 2 answers mathematically speaking. Long passwords. Slow hash functions. The amount of time to do an offline brute force increases based on those factors.
Also, don't forget that even if you properly hash and salt your password database, an attacker can get a password from other methods. Make sure passwords are passed over encrypted protocols (like HTTPS) at all times so they can't be sniffed out. Implement a strong password recovery solution so that an attacker can't just reset or recover a password. Implement employee training to educate them against phishing and credential harvesting attacks.
And of course you've heard that passwords may not be the way of the future. A better solution is perhaps something like 2-Factor authentication that requires 2 things to login such as a password & a token from your iphone.
More about neonprimetime
Top Blogs of all-time
Top Github Contributions
Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.