Justin A. Parr - Technologist

Technology, Strategy, Insights, and Tech Support

  • HOME
  • Quick Facts
  • CygUlarn Win32
  • About Me

The Importance of Hashing Passwords

Posted by Justin A. Parr on February 14, 2014
Posted in: Analyses and Responses. 3 comments

Overview

The Adobe 2013 data breach, in which about 40 million account user names and other details were disclosed, as well as other data breaches in which cleartext passwords are disclosed, underscores the need for password hashing, as opposed to cleartext or encryption.

Adobe Data Breach:
http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/

Cupid Media Data Breach:
http://krebsonsecurity.com/2013/11/cupid-media-hack-exposed-42m-passwords/

EDIT: 5/30/2014
Add eBay to the list:
http://www.forbes.com/sites/gordonkelly/2014/05/21/ebay-suffers-massive-security-breach-all-users-must-their-change-passwords/

Encryption is reversible, where hashing is not.

Table of Contents

  • Overview
  • What is Hashing?
    • Hashing
    • Key points – Hashing
    • Secure Hashing
  • What is Encryption?
    • Encryption
    • Key points – Encryption
    • Hashing vs. Encryption
  • Authentication with Cleartext Passwords
    • Overview of cleartext authentication:
    • Risks
  • Authentication with Encrypted Passwords
    • Overview of Encrypted Authentication:
    • Advantages over cleartext
    • Risks:
  • Authentication with Hashed Passwords
    • Overview of Hashed Authentication:
    • Advantages
  • What Else Can Hashing Do?
  • Summary

 

What is Hashing?

Hashing

Hashing uses an algorithm to scramble data in a deterministic way, but the process is not reversible.  For a given piece of information, such as a password, hashing will produce the same hash code each time, for the same password.  The hashing process can’t be reversed – meaning that a stolen hash code can’t be turned back in to the original password.

Hashing is like using a cross-cut paper shredder for your data.  During the hashing process, most of the data is removed, and the resulting hash code is both unique, and very small compared to the original data.

Hashing Passwords_Hash

Because data is removed, and the hashing process is so complex, it can’t be reversed — you can’t start with a hash code and derive the original data.  This means that hashing is a “one way” process.

Hashing Passwords_Not Reversible

Changing the data ever so slightly results in a completely different hash code.

Hashing Passwords_Hashes are Unique

When used to hash passwords, each unique password results in a unique hash.

Hashing Passwords_Unique

Sample hashes:

Source SHA-1 Hash
Password:
12345
8cb2237d0679ca88db6464eac60da96345513964
Password:
12346
94ae0a96d83a445d72a93417b63ac90d79db5eca
Password:
thisismyreallylongpassword
a04f5424328d9b7b7a4d8ce8e0ebf99ffe610c42
Contents of File: c:\windows\explorer.exe
(Approximately 2.8 MB)
7a0fd90576e08807bde2cc57bcf9854bbce05fe3

 

Key points – Hashing

  • Hashing is a one-way process
  • A specific source password will always yield the same hash using the same algorithm, regardless of which system performs the hash (hash codes are persistent and portable).
  • Minor changes to the source can result in a significantly different hash code.
  • Hash codes are the same length regardless of the length of the source data – you can hash a password, a sentence, an e-mail, or a whole file.  The resulting hash codes will be the same length, and are guaranteed to be unique.

Here is a website with an online hash generator:
http://www.sha1-online.com/

Secure Hashing

Using brute-force attacks and lookup tables called “rainbow tables”, it is possible to successfully attack weaker hash algorithms, such that you can reverse engineer an initial value that results in the desired hash value.

Early hash algorithms were used to insure data integrity, such as CRC and CRC32.  Later, cryptographic hashing algorithms were used to ensure message and sender authenticity — as time progresses and computing power increases, older algorithms are no longer considered cryptographically-secure.

File Integrity Cryptographically-secure No longer secure
 CRC
CRC32
Odd/Even (very old)
CKSUM
MD-2
MD-4
 SHA-1*
SHA-256
SHA-2
MD-2
MD-4
MD-5

(*SHA-1 is still considered cryptographically-secure, but is being deprecated in favor of SHA-2)

Hash collisions can occur when different data values result in the same hash code.  Although highly unlikely, hash collisions usually occur with arbitrarily short input data values, for example only a few bytes in length.

Hashing Passwords_Hash Collision

Like rainbow tables, hash collisions can be exploited as an attack against the hash algorithm itself, to try to determine a source data value that would be equivalent for a given hash code.

These types of analyses require immense computing resources.  Due to Moore’s Law, newer, more complex hash algorithms must be developed, and older algorithms are deprecated, to stay ahead of the cat-and-mouse game between attackers and their would-be targets.

 

What is Encryption?

Encryption

Encryption uses a cipher (encryption algorithm) to scramble data.  The cipher uses a key, which is an arbitrary value such as a password, that can later be used to decrypt the data using the same cipher.   If viewing the data while encrypted, it appears to be random garbage.  This is known as the encryption envelope.

Encryption2

Key points – Encryption

  • Encryption uses a cipher (encryption algorithm) and a key to scramble data.
  • To decrypt the data  (reverse the encryption process), you must have the cipher and key.
  • Attempting to decrypt with the wrong key results in unusable garbage

 

Hashing vs. Encryption

On the surface, hashing and encryption seem very similar, but there are some distinct differences that make one or the other more suitable in various situations.

  • Hashing removes data, where encryption scrambles data.
  • Hashing is one-way, where encryption is reversible.
  • Hashing only uses the data itself as input, where encryption requires the input data plus an encryption key that is later used to decrypt the data.
  • Hash codes are a fixed length, regardless of the amount of input data.  Encrypted data is the same size as the input data, or slightly larger (due to encryption overhead).
  • Hashing is geared toward ensuring the integrity of a process, while encryption allows data to be protected in such a way that it can be accessed later.
  • Message authenticity uses both hashing and encryption to ensure that a sender is who they claim to be.

 

Authentication with Cleartext Passwords

As previously mentioned, storing passwords in cleartext (meaning, not hashed, not encyrpted) means that a compromised database results in an attacker having full knowledge of the passwords.  Users have bad habits, like using the same password for multiple websites, meaning, YOUR WEBSITE could be the reason that someone’s bank account or e-mail becomes compromised!

Overview of cleartext authentication:

  1. User account is created, and credentials (username, password) are stored in the database
  2. To log in, the user enters their username (u1) and password (p1) in to the application
  3. The application uses the u1 username to look up the password (p2) from the database
  4. If the two passwords match (p1 = p2) then the user is authenticated.

Risks

  • Passwords stored in the database can be retrieved from the database and used elsewhere
  • Passwords stored in the database might be stored in cleartext on disk, depending on the database and file format used by the application.
  • Passwords stored in cleartext on disk could be physically compromised by stealing the hard drive(s) containing the data.

 

Authentication with Encrypted Passwords

Encryption is a good way to protect data that will be used later.  Encrypted data can later be decrypted to its original value.  Although encrypting passwords protects them, typically, an application uses the same encryption key for storing all user passwords.  Using the same encryption key for multiple arbitrarily short values gives an attacker the method to potentially compromise the cipher or derive the encryption key, resulting in the passwords eventually being decrypted by the attacker.

Overview of Encrypted Authentication:

  1. When the user account is created, the username is stored directly in the database.
  2. The password is encrypted using a well-known encryption key, and the encrypted password (e2) is stored in the database.
  3. To log in, the user enters their username (u1) and password (p1) in to the application.
  4. The application uses the u1 username to look up the encrypted password e2.
  5. The application decrypts e2 and extracts the original password (p2).
  6. If the two passwords match  (p1 = p2), then the user is authenticated.

Advantages over cleartext

  • Passwords are stored in the database and on disk in an encrypted format.
  • If the database or drives are compromised, an attacker will have to commit significant effort to decrypt them.
  • Passwords can’t be arbitrarily compromised by an attacker reading the database (e.g. SQL injection)

Risks:

  • The application must use a well-known encryption scheme, including a well-known key.  Coupled with passwords being arbitrarily short values, this could provide a basis for attacking the encryption scheme or deriving the key.
  • The application itself could be attacked and analyzed to determine the key.  Attackers could obtain the application binaries, steal the source code, or compromise a running system (such as a buffer overrun).

 

Authentication with Hashed Passwords

Hashing removes the password completely, leaving nothing available to be compromised.

Overview of Hashed Authentication:

  1. When the user account is created, the username is stored in the database.
  2. The password is hashed (h2), and the hash code h2 is stored in the database.
  3. When the user logs in, they enter the username (u1) and password (p1).
  4. The application immediately hashes the password p1  in to hash code  h1.
  5. The application uses the u1 username to look up the password hash code h2 from the database.
  6. If the two hash codes match (h1=h2), then the user is authenticated.

Advantages

  • Hashed passwords can’t be reversed, stolen, or compromised.
  • There is no well-known encryption scheme or key that can be exploited.
  • A hash code is useless!  A stolen hash code can’t be used elsewhere.

 

What Else Can Hashing Do?

Hashing can be used for a variety of situations, where a data value (such as credentials) are well-known, but there isn’t a need to access the cleartext data itself — the data can simply be removed, and the hash code can be used in its place.

  • Username.  Aside from compromised passwords, privilege escalation is also a risk.  Hashing the username prevents an attacker with access to the database from modifying application privileges, because the attacker won’t know which user record to update.
  • Social Security Number (SSN).  The GLB and HIPA acts specify certain levels of protection (security, privacy) for the SSN.  For most uses, the SSN is used as an index (for tracking purposes) and could be removed (replaced with a hash code).  If your application interfaces with other systems requiring the cleartext SSN, the cleartext value could be stored in a more secure, limited-access database whose sole purpose is to match the hash codes to the cleartext SSN.  By reducing the places within your application (data footprint) where SSN is used in cleartext, you reduce the opportunity that an attacker could intercept it!
  • Other sensitive fields that are ONLY used for verification (such as date of birth) can be hashed.
  • Answers to security questions, if properly normalized, could be hashed, preventing an attacker from gaining knowledge of the user that can be used to exploit another system.
  • Federation.  If two systems contain the same sensitive data, they can simply exchange hash values, without needing the underlying data.  The exchange itself can be protected by a 2nd round of hashing, so that the password hash doesn’t become a skeleton key.
  • Salt can be used to convolute source data prior to hashing, in order to prevent brute-force attacks.  Since the hash algorithm is well-known, the attacker can throw random data through the hash algorithm in order to obtain a valid hash value (cracking).  Using salt means an attacker must use a much wider range of source values — for example, dictionary attacks are useless because salting ensures that no source value would ever be in the dictionary.

 

Summary

Secure hashing is the proper way to protect passwords, and can be used to protect other data fields as well.

Hashing can also be used to securely share files!  For more information, please review my paper, here:
A method for securely sharing files

 

 

 

Posts navigation

← The Lost Art of the Ribbon Cable
You know you need coffee when →

3 comments on “The Importance of Hashing Passwords”

  1. Pingback: The Credit Card Industry’s Dirty Secret | Justin A. Parr - Technologist

  2. Pingback: Password Commandments | Justin A. Parr - Technologist

  3. Pingback: Technology-Related Movie Myths | Justin A. Parr - Technologist

Leave a Reply Cancel reply

You must be logged in to post a comment.

  • Search!

  • Temperature at Casa de Parr

  • Recent Posts

    • Excel – Number of Sundays – A better Answer
    • Cache Busting using Javascript
    • Javascript Calculator
    • Gatetrilogy Saga: The Front Gate Part III, The Final Gate Opener
    • The Dangers of Old Code – A Cautionary Tale
    • Quantum Chicken Joke
    • Calculate the Dimensions of a TV or Monitor
    • MORE Things to Check Before You Buy A House
    • Travel Tech and Tips – 2023
    • Ranged (Inequality) Searches On Encrypted Data
  • Topics

    • Analyses and Responses (27)
    • Good Design – Bad Design (33)
    • IT Management (1)
    • Justinisms (8)
    • Main Page (1)
    • Math and Science (30)
    • Other Stuff (38)
    • Quick Facts (7)
    • Rants (17)
    • Tech Support (61)
      • Food and Cooking (10)
      • Tech Recommendations (12)
      • Tech Tip (7)
      • Wordpress Stuff (3)
      • Zen Cart Stuff (1)
    • The Light Side (37)
  • Links

    Log in or Register to post comments

    RSS Feed
    https://justinparrtech.com/JustinParr-Tech/feed

    View my LinkedIn Profile
    http://www.linkedin.com/in/justinparr

    About Me
    Justin A. Parr

    Who is Jill Parr
    Find out here.

  • Older Posts

    • February 2025 (1)
    • August 2024 (1)
    • May 2023 (1)
    • April 2023 (3)
    • January 2023 (1)
    • December 2022 (2)
    • November 2022 (2)
    • September 2022 (1)
    • August 2022 (3)
    • June 2022 (2)
    • March 2022 (1)
    • January 2022 (2)
    • December 2021 (1)
    • July 2021 (1)
    • May 2021 (1)
    • March 2021 (1)
    • February 2021 (2)
    • November 2020 (4)
    • October 2020 (1)
    • September 2020 (1)
    • August 2020 (1)
    • July 2020 (1)
    • June 2020 (1)
    • May 2020 (2)
    • April 2020 (1)
    • March 2020 (8)
    • February 2020 (2)
    • January 2020 (1)
    • November 2019 (2)
    • August 2019 (3)
    • July 2019 (1)
    • June 2019 (1)
    • April 2019 (1)
    • February 2019 (3)
    • January 2019 (1)
    • December 2018 (1)
    • November 2018 (1)
    • October 2018 (2)
    • September 2018 (1)
    • August 2018 (2)
    • July 2018 (1)
    • June 2018 (1)
    • April 2018 (1)
    • February 2018 (2)
    • January 2018 (2)
    • December 2017 (1)
    • November 2017 (2)
    • August 2017 (2)
    • July 2017 (1)
    • March 2017 (1)
    • February 2017 (2)
    • January 2017 (1)
    • December 2016 (5)
    • November 2016 (3)
    • September 2016 (5)
    • August 2016 (2)
    • April 2016 (1)
    • March 2016 (3)
    • February 2016 (2)
    • January 2016 (7)
    • December 2015 (3)
    • November 2015 (1)
    • October 2015 (3)
    • August 2015 (5)
    • July 2015 (3)
    • June 2015 (2)
    • May 2015 (4)
    • April 2015 (4)
    • March 2015 (3)
    • February 2015 (4)
    • January 2015 (8)
    • December 2014 (8)
    • September 2014 (1)
    • August 2014 (1)
    • July 2014 (2)
    • June 2014 (4)
    • May 2014 (1)
    • April 2014 (2)
    • March 2014 (3)
    • February 2014 (5)
    • January 2014 (1)
    • December 2013 (2)
    • October 2013 (2)
    • July 2013 (3)
    • April 2013 (1)
    • October 2010 (1)
    • August 2010 (1)
    • July 2009 (1)
    • April 2009 (1)
    • November 2008 (1)
    • October 2008 (1)
    • September 2008 (1)
    • May 2008 (1)
    • March 2008 (1)
    • January 2008 (1)
    • June 2005 (1)
    • May 2005 (4)
Proudly powered by WordPress Theme: Parament by Automattic.