One of the most important tasks a web developer may have is creating a secure user account system. Your users need to know that their passwords will be protected and not hacked. However, as hackers never sleep and are constantly finding new ways to exploit weaknesses in your system, you need to find a good way to protect your users’ passwords.
Luckily, such a way already exists, and it is called hashed & salted passwords. This method successfully keeps your password private & secret so even we do not know it. Your password is your decryption passphrase, so protecting this passphrase is critical. If a site offers “End to End Encryption” but has your passphrase, they can decrypt all your emails.
In this article, I will explain what H&S passwords are and how they work to protect your user accounts.
How Does Password Hashing Work?
A hash algorithm is a one-way function. Basically, it turns data into a fixed-length fingerprint. This fingerprint is not reversible and matches only one input. So, if the input is changed just a bit, the fingerprint will not match.
For example, if we input “post”, the hash may look like this:
However, if we change just one letter and type “poss”, the hash might look like this:
Which, as you can clearly see, is completely different, and the system will therefore reject this as a wrong password.
How are users registered and authenticated when their passwords are hashed?
- First, the user creates an account, let’s say user name Bob, password AquaVitae.
- Next, the password is hashed and the website stores only the hashed password in its database. In other words, even if the hackers force their way into the database, they would see a string of letters and numbers like the ones above and not the actual password, “AquaVitae”. The unencrypted password is not stored in the database.
- Now every time Bob wants to log in, he types in “AquaVitae” and the system recognizes that the hashes match and lets him in. However, if they don’t (Bob types in “AquaVitaa”), the system rejects his login as invalid.
So why do we hash passwords? I’m sure you’ve heard many times of this website or that one being hacked and attackers making off with all the user names and passwords. When those passwords are hashed, the chance that the attackers find out the real password (what the user inputs) is significantly lower.
That still doesn’t mean it’s impossible to crack hashed passwords, so let’s take a look at how hackers do this next:
How Do Attackers Crack Hashed Passwords?
Unfortunately, it is possible to crack a hashed password. Here are a few ways this can be done:
- Lookup Tables
Here the hacker first pre-computes password hashes using a password dictionary. He then stores these, along with the matching passwords, in a lookup table data structure. Keep in mind that a lookup table can often process several hundred hash lookups in a second, so this is a very fast and effective method for cracking hashed passwords.
- Reverse Lookup Tables
With the lookup tables approach, the hacker will spend the majority of his time pre-computing the table. However, in a reverse lookup tables approach, he can circumvent this by using a brute force or a dictionary attack. This allows him to attack many hashes at the same time. This method is very effective if several users share the same password (which is unfortunately often the case).
In this case, the hacker creates a lookup table that maps each password hash from a user account database to the list of users with that hash. Next, he hashes each password guess and looks up the list of users in the table to find whose password matches the guess.
- Brute Force Attack
A brute force attack is a rather unsophisticated method, but often does the trick for attackers. It simply tries every possible character combination up to a certain length.
The good news is that this approach takes a long time, so having a strong password, with a combination of letters, numbers and other characters, should do the trick against it. Just don’t use abcd or something like that as a password and you’ll be fine.
- Dictionary Attack
Some “brilliant” users use common words and phrases like “blue” or “password” as their password. There’s nothing easier than for a hacker to crack these using a dictionary attack.
A Pinch of Salt
Lookup tables are effective because each password is hashed the same way. This means that, if we have two users and they use the same password (for instance husband and wife), their password hashes will be exactly the same.
By adding “salt”, which is a random string added just before or after the password before it is hashed, we can randomize their hashes so the two users now have different password hashes.
To check whether the password a user enters is correct, the website needs to store the salt in the user account database, together with the hash.
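The registration and login steps described earlier, combined with the per-user salt from this section, as an added example that is not CTemplar's code. The second user "Alice", the choice of PBKDF2-HMAC-SHA256 and the iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor, not from the article; tune for your hardware
SALT_BYTES = 16       # assumed salt length


def unsalted_hash(password: str) -> str:
    """Plain hash with no salt: identical passwords give identical fingerprints."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def register(db: dict, username: str, password: str) -> None:
    """Store only a fresh random salt and the salted hash, never the password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    db[username] = {"salt": salt, "hash": digest}


def login(db: dict, username: str, attempt: str) -> bool:
    """Re-hash the attempt with the stored salt and compare in constant time."""
    record = db.get(username)
    if record is None:  # no such account
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> dict:
    db = {}
    # Constructed sample accounts: two users who picked the same password.
    register(db, "Bob", "AquaVitae")
    register(db, "Alice", "AquaVitae")
    return {
        # Without salt, both users would share one fingerprint in a lookup table.
        "unsalted_match": unsalted_hash("AquaVitae") == unsalted_hash("AquaVitae"),
        # With per-user salt, the stored hashes differ despite equal passwords.
        "salted_match": db["Bob"]["hash"] == db["Alice"]["hash"],
        "bob_ok": login(db, "Bob", "AquaVitae"),
        "bob_typo": login(db, "Bob", "AquaVitaa"),
        "unknown_user": login(db, "Mallory", "AquaVitae"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
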
Passwords are the keys that allow your users to enter and use your website. But more than that, a password is a sign that the user trusts you with their security. For this reason, you need to do everything you can to keep their passwords secure and out of hackers’ reach. The best way to do so is by using the hashed & salted passwords that CTemplar employs.