Understanding the Importance of Password Hashing in Cyber-Security
Most developers know that you should store sensitive data only in an encrypted form, but what they don’t know is the right way to do it. Asymmetric and symmetric encryption are both options, but these two cryptography options leave your database data susceptible to brute force attacks. The alternative and safer way to store passwords is using a hashing algorithm.
An Overview of Asymmetric and Symmetric Encryption
The most commonly known encryption algorithms are asymmetric or symmetric. These two standards use keys to encrypt and decrypt data. Keys are created using a password created by the user. The password is used each time a user wants to decrypt data, and keys are used to encrypt data.
Asymmetric encryption uses a private-public key pair. If you’ve ever used PGP messaging, this is a good example of asymmetric encryption. When the user creates a private key using a password, a public key is created too. The public key is distributed to anyone who wants to send this user a message. Only the owner of the private key can unlock a message encrypted with the user’s public key. For this reason, a private key should always be kept safe and stored in a secure location. A sender gets a public key for a recipient, encrypts a message with the public key and sends it to the recipient of the private key. The recipient uses a private key to decrypt the message.
Symmetric encryption also uses a private key, but the same private key is used to encrypt the data as well as decrypt it. This means that the sender and the recipient must have the private key, which makes it inefficient for public communication. Symmetric encryption standards work for local processes where data is encrypted and decrypted on the same machine by software such as a database engine.
Asymmetric is more widely used than symmetric, because you can encrypt data using a recipient’s public key and post it publicly on the Internet. A message cannot be decrypted unless the reader has the private key, so it’s safe unless it’s using old, cracked cryptography standards. The latest standards use 256-bit encryption, which would take an attacker billions of brute force “guesses” before the key is cracked.
A common use for asymmetric encryption is HTTPS. When you connect to a web server that uses HTTPS, your computer encrypts data using the server’s public key. The message is sent to the web server and decrypted by the domain’s private key. This procedure is how sensitive data sent across the Internet is protected from eavesdroppers. These “man in the middle (MitM)” attacks are common on public Wi-Fi where users browse the Internet generally unaware of the others also connected to the network. With a MitM attack, an attacker steals data transferred across the network by retrieve user data, transmitting to the web server, and then returning data from the server. The user is unaware that data is being collected on the attacker’s machine, so there is no indication that an attack is taking place.
With HTTPS, an attacker can eavesdrop on communication but would be unable to decrypt messages unless the private key is cracked. Attackers often collect data from a Wi-fi hotspot and take it home to run brute force attack tools on data. If the encryption algorithm is poor, the private key can be cracked eventually. All private keys can be cracked eventually, but good encryption can mean the difference between a few hours and a few years. After several years, encryption algorithms are hardened more due to increased computing power that reduces the time for brute force attacks to work.
With asymmetric and symmetric encryption, an attacker always has the option to collect data and run brute force procedures that eventually crack the code. These encryption standards have a way of being decrypted, so it’s a two-way system. With hashing, encryption is one-way and much more difficult to crack.
Common symmetric encryption algorithms include DES, 3DES, and AES. The most common asymmetric method is RSA.
With one-way hashing, you cannot reverse the process and decrypt a message. Data is encrypted and transformed into a hash value. The only way to verify the message behind the hash is to encrypt the same message and compare values. If even one character is different, the hashed value will not be identical. This is the way modern hashing of passwords stored on a database are used to protect user information.
When you create an account on a web server, sites that use one-way hashing take the value and hash it using their own secret key. The hash is then stored in a database where it cannot be decrypted. The next time you log into a website, the password you enter is hashed using the same key and compared to the stored password value. If the value is the same, the software sees that you entered the correct password. If values are different, you entered a wrong password and you’re prompted to try again.
There is one more step in a properly hashed password — using a salt. A salt is a random value combined with the actual value to create the hash. It hardens the security of the hash against brute force hacking attempts. Should an attacker gain access to hashed passwords, they can’t just use dictionary terms and brute force “guesses” to determine the value. The attacker would also need the salt to brute force password hashes. Since a salt is a string of random characters, an attacker would need to run billions of brute force attempts on a hashed password before determining its value.
Common hashing algorithms include MD5 and SHA-1, but both suffer from collision attacks. SHA256 and SHA3 have been introduced and are good replacements.
Always Store Password Hashes in a Database
When working with online forms, always use one-way hashes with salt values to store passwords. Database attacks are common (mainly using SQL injection), and attackers go for passwords and other sensitive data. By storing password hashes, an attacker would need years to crack the salt and the key to unlock password values. This is done by hashing values and comparing them to the stored values. Although the process isn’t impossible, it takes billions of iterations before a value can be unlocked.
Encryption algorithms also have rate limits baked into their code. It takes longer to decrypt values using certain algorithms, and this technique is used to slow down attackers. By the time the password is cracked, users are already warned and passwords reset. This type of cyber security protects users, their information, and the company reputation.