Storing Passwords Safely

Solving Yashira hash challenge 3

Blog Storing Passwords Safely

| 2 min read

Table of contents

Contact us

By the end of the year, we witnessed a huge increase in the amount of attacks that extracted large quantities of personal information, emails and passwords. Even one of the biggest email services, Yahoo, suffered an attack by cyber-criminals and they robbed more than 500000 accounts, in doing so, accessing to everyone’s passwords. One of the most common methods of storing passwords on rest is hashing, it’s a mathematical function that transforms data into a fixed-length value or key that represents the original data.

You can use hashing algorithms to reinforce integrity and also to store passwords, as long as the data never changes. The resulting hash will always be the same. By comparing hashes created at two different times you can determine if the original data is still the same. Passwords are often stored as hashes, when a user creates a new password, the system calculates the hash and stores it. Later, when a user logs-in, the system calculates the hash of the password entered and compare it with the one stored, if it is the same then the person entered the correct password. The most common hashing algorithms are MD5 (Message Digest 5), SHA (Secure Hash Algorithm) and HMAC (Hash-based Message Authentication Code).

However, hashing has a vulnerability, rainbow tables. Which are huge databases of precomputed hashes, and it helps crackers to discover passwords comparing thehash of a stolen password with the database. Some of these tables are bigger that 160 GB in size, and they include hashes for almost every possible combination of characters.

Get started with Fluid Attacks' Ethical Hacking solution right now

Challenge Yashira Hash 3

In this challenge, they give us a hash that needs to be cracked, and then answered it with the password on clear text.

reto

Figure 1. Challenge on Yashira

We could use a rainbow table to crack this hash but it will need a huge database or an algorithm that uses every hash and password to compare. On the contrary, we could use crackstation to do this task. It only needs the hash and the site cracks it with its own database.

crackstation

Figure 2. crackstation hashing solver

It then discovers the clear text password of the hash given, telling us that it is SHA1. It uses colors to indicate if the search was successful, if a partial a partial match was found or if no password was found at all

solved

Figure 3. Solution given by crackstation

To protect against these types of attacks, developers and systems administrators should add security measures additional to hash such as salt. Salting passwords prevent rainbow table attacks adding a set of random data at the end of the password before hashing it. These additional characters add complexity to the password and cause that password attacks that compare hashes to fail. Some of the common methods of salting are Bcrypt and PBKDF2 (Password-Based Key Derivation Function 2).

Table of contents

Share

Subscribe to our blog

Sign up for Fluid Attacks' weekly newsletter.

Recommended blog posts

You might be interested in the following related posts.

Photo by Anima Visual on Unsplash

Challenges, threats, and best practices for retailers

Photo by photo nic on Unsplash

Be more secure by increasing trust in your software

Photo by Dmitry Ant on Unsplash

How it works and how it improves your security posture

Photo by The Average Tech Guy on Unsplash

Sophisticated web-based attacks and proactive measures

Photo by Randy Fath on Unsplash

The importance of API security in this app-driven world

Photo by Christina on Unsplash

Protecting your cloud-based apps from cyber threats

Photo by Tech Daily on Unsplash

Details on this trend and related data privacy concerns

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which hundreds of organizations are already enjoying.

Start your 21-day free trial
Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.