Password Hashing

Learning Objectives

• Understand the impact of insecure password storage
• Understand the properties of a hash function
• Implement secure hashing of passwords using your programming language

Lesson

Imagine if we held user's passwords in plaintext. What risks do you think this could cause?

If personal information is compromised, organisations could face very large fines under the European General Data Protection Regulation (GDPR) and suffer serious damage to its repretation - listen to this video to hear about one recent example.

To avoid storing passwords in plaintext, we hash them with a cryptographic algorithm. Hashing is a one-way function, meaning we cannot determine the original password from its hash.

Regardless of the length of the password, the hashing algorithm will return a hash of a fixed length:

Properties of a hashing algorithm:

• Computationally impossible to calculate the original message from the hash (one-way)
• If you change the message, the hash changes
• Regardless of the length of the message, the hash is always a fixed length

Imagine that 2 users have the same password. As an added level of security, we want to ensure that we generate a different hash for each user. How is this possible?

We can use a "salt". A salt is a random string adding to the message prior to hashing. The presence of a salt makes password hashing more secure as it forces an attacker to attack one password at a time.

Hashing functions are not only used for passwords, they are used to:

• Verify whether or not content has changed
  • Git uses hashes to determine if a file has been modified
• To speed up database searches

Password Hashing Algorithms

There are a number of hashing algorithms such as:

• MD5
• SHA
• BCrypt

MD5 and SHA are not considered secure for password storage.

Bcrypt is considered secure as it enforces the use of a salt and is computationally expensive hence slow to brute force. Refer to the Open Web Application Security Project Password Storage Cheat Sheet for details of other secure hashing algorithms.

Assignment

1. Use the bcrypt (or another secure hashing algorithm) library for your programming language to generate hashes of some demo user passwords.

2. Add the usernames and associated hashed passwords to a database.

3. Write code to compare a plaintext password against a hash in the database.

4. Commit your code to GitHub and notify your coach that this assignment is complete.

Assignment extension tasks

Explain how a password cracker could be used to brute-force guess the plaintext version of a set of dictionary word passwords which have been MD5 or SHA (non-salted) hashed.

Note that you must never try to crack passwords in the real world, this assignment is an exercise just to demonstrate the importance of using strong passwords and secure hashing algorithms!

Additional resources