Password Hashing
September 25th, 2024 - Written By CyberLabs
The Use of Cryptography in Password Storage
Cryptography is a technique for secure communication in the presence of third parties or adversaries. It involves developing and using technologies so that only the intended recipient can view private communications. Modern cryptography is concerned with several information security characteristics, including authenticity, data integrity, non-repudiation, and data protection. Examples of cryptography applications include chip-based payment cards, military communications, internet transactions, online shopping, password security, and cryptocurrencies.
Hashing is a cryptographic technique that ensures data integrity, message authentication, and digital signatures. A cryptographic hash algorithm, usually referred to as a hash function, is made up of mathematical operations. Plain text input is often broken up into blocks of a specific length and given to the hash function to obtain a hashed result. It is employed to reduce a lengthy message into a fixed-length value that can later be used as an authentication code. It is secure because it produces an irreversible value. There are several popular hashing methods, such as MD5, SHA-1, SHA-256, SHA-512, SHA-2, SHA-3, and others.
One of the most crucial conditions for information security is authentication. There are numerous ways to authenticate, such as PINs, passwords, and others. Password-based systems are the most popular and widely used kind of authentication because they are simpler to develop than other techniques already in use. With password verification, only authorized users can access an information system. Because of this crucial purpose, security protocols are put in place to protect passwords from hackers. A common method for securing passwords is the cryptographic hash function, which uses a compression algorithm to convert plaintext passwords into an unreadable format called a “hash.” The database contains the user’s data and the password’s hash output. When a user tries to log in, the hash value stored in the database is compared to the hash value of the supplied password input, and if they match, the access request is approved.
One of the most beneficial components required for data security is the hash function, which offers digital signature, data integrity, and message authentication. Additionally, it serves as a key building block for cryptographic systems, digital currencies, and secure transactions. This review focuses on understanding the properties of the cryptographic hash function and its role in password storage.
What is cryptography?
Cryptography is a field of computer science and mathematics covering techniques to protect the authenticity, integrity, and confidentiality of information. This is achieved through cryptographic algorithms (or primitives) for encryption and decryption, calculation of one-way hashes (cryptographic hash functions), digital signatures, and generation of cryptographically secure random numbers.
Various information security goals can be met via cryptography, for instance:
a) Confidentiality: Use of information encryption to safeguard sensitive or important data that is kept or delivered.
b) Integrity or Authenticity: Confirming the authenticity or integrity of sent or stored sensitive or important information using digital signatures or message authentication codes.
c) Non-repudiation: Use of cryptographic methods to show whether an event or action occurred or not.
d) Authentication: Using cryptographic approaches to verify users and other system entities that seek access to, or conduct business with, system users, entities, and resources.
Of the above security goals, a hash function helps in maintaining integrity and authentication. That’s why it is used in many areas of computing.
Why is hashing good for passwords?
By using a secret key, authentication verifies the end user’s identity. The majority of systems nowadays use single-factor authentication, where the password acts as the secret key and is matched against the username. Unfortunately, unsecured communication lines make these kinds of systems vulnerable. The complexity of the system’s computation and storage has an impact on how resilient it is against attacks. The system’s semantic strength is therefore increased by using sophisticated one-way hash functions (OWHF), which offer confidentiality while reducing storage complexity.
A password can be made up of letters, numerals, or special characters. When utilizing ATMs and online banking, passcodes are widely used as PINs (Personal Identification Numbers). There are many ways to store passwords online. Some are far more secure than others, while others are particularly open to intrusion. Several of the most popular methods are listed below.
- Plaintext Password – Storing the password in plain text. This is considered the worst method of storing a password. Hackers can easily compromise the password if the site is hacked.
- Encrypted Password – The password is encrypted using asymmetric encryption, which turns plain text into ciphertext using the secret key and encryption function. Although this approach may appear to be secure at first, it is just as bad and insecure as storing the password in plain, readable text. This is because each user’s secret key is kept in the same database as their passwords.
- Hashed Password – The hashing function converts the password into a long, seemingly random string of letters and digits. Unlike encryption, hashing offers the benefit of being irreversible. There is no algorithm to revert a password to its original form once it has been hashed. To determine which hash corresponds to the one kept on the server, the hacker would have to hash a variety of combinations one at a time. But today’s computers are incredibly quick, making brute force password cracking quite effective.
- Salted Password – An additional input to a one-way process that hashes a password is a salt, which is a random bit. Before putting a new password in a credential store, a fresh salt is produced at random. The output of the cryptographic hash function is then combined with salt and saved in a database along with the password and salt. If the credential store is hacked, hashing offers protection while enabling later authentication. In order to protect against rainbow table attacks, dictionary attacks, and brute force attacks, salt is used while storing the password.
- Peppering – A password can be made more secure by peppering, a cryptographic procedure that involves adding a secret and random string of characters before it is salted and hashed. Pepper is a series of characters that are added to the password. A password is protected from brute force attacks, password cracking utilizing dictionary tables, and rainbow tables by the pepper, which completely modifies the hash of the password.
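An added example (not part of the original article) of the salted and peppered storage described in the list above, together with the login comparison described earlier. PBKDF2, the HMAC pepper step, the sample pepper value and the iteration count are choices of this example, not the article's; only the salt and the derived digest are stored.

```python
import hashlib
import hmac
import secrets

# Constructed sample value. Assumption: a real pepper is loaded from a secret
# store kept outside the credential database, never hard-coded.
PEPPER = b"constructed-sample-pepper"
ITERATIONS = 200_000  # assumed work factor for this example; tune to hardware


def unsalted_hash(password):
    """Plain SHA-256: identical passwords always give identical hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _derive(password, salt, pepper):
    # Pepper step, done here as an HMAC keyed with the secret pepper
    # (a choice of this example, instead of appending characters).
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    # Salted, deliberately slow hash: PBKDF2-HMAC-SHA256.
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)


def hash_password(password, pepper=PEPPER):
    """Return (salt, digest) to store; the password itself is never stored."""
    salt = secrets.token_bytes(16)  # fresh random salt for every password
    return salt, _derive(password, salt, pepper)


def verify_password(password, salt, stored_digest, pepper=PEPPER):
    """Recompute the digest at login and compare in constant time."""
    candidate = _derive(password, salt, pepper)
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    # Two users who picked the same password.
    print(unsalted_hash("hunter2") == unsalted_hash("hunter2"))  # unsalted: equal
    salt_a, digest_a = hash_password("hunter2")
    salt_b, digest_b = hash_password("hunter2")
    print(digest_a != digest_b)  # salted: the stored values differ
    print(verify_password("hunter2", salt_a, digest_a))
    print(verify_password("hunter3", salt_a, digest_a))
```

Because the pepper is not in the database, a copy of the credential table alone is not enough to recompute any digest.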
A dictionary attack is a different type of attack: it uses a dictionary word list as candidate passwords, hashing each entry in an attempt to find the one that matches, instead of trying every possible combination as a brute force attack does. Using a dictionary attack against hashed data is substantially faster than using brute force. Compared with brute force and dictionary attacks, the rainbow attack is thought to be the most accurate. A rainbow table is a table frequently used to reverse password hashes and crack them.
Conclusion
To guarantee the authenticity and integrity of messages, a variety of hash function techniques are utilized. Some, like MD5, SHA-1, SHA-2, and SHA-3, have become the norm. It was discovered that the majority of them are either breakable or inefficient in terms of time. Other algorithms were suggested by researchers as a remedy to this issue. But the issue is that properly testing a hash function takes years, and until then it cannot be accepted for use. Therefore, it can be inferred that it is essential to design and prioritize a hash function that is effective, secure, and satisfies application needs such as data integrity and authenticity. However, by using techniques like salting and peppering, the password can be kept immune from any attacks.