Storing Passwords Safely

Solving Yashira hash challenge 3

solution Storing Passwords Safely

January 2, 2017

By the end of the year, we witnessed a huge increase in the amount of attacks that extracted large quantities of personal information, emails and passwords. Even one of the biggest email services, Yahoo, suffered an attack by cyber-criminals and they robbed more than 500000 accounts, in doing so, accessing to everyone’s passwords. One of the most common methods of storing passwords on rest is hashing, it’s a mathematical function that transforms data into a fixed-length value or key that represents the original data.

You can use hashing algorithms to reinforce integrity and also to store passwords, as long as the data never changes. The resulting hash will always be the same. By comparing hashes created at two different times you can determine if the original data is still the same. Passwords are often stored as hashes, when a user creates a new password, the system calculates the hash and stores it. Later, when a user logs-in, the system calculates the hash of the password entered and compare it with the one stored, if it is the same then the person entered the correct password. The most common hashing algorithms are MD5 (Message Digest 5), SHA (Secure Hash Algorithm) and HMAC (Hash-based Message Authentication Code).

However, hashing has a vulnerability, rainbow tables. Which are huge databases of precomputed hashes, and it helps crackers to discover passwords comparing thehash of a stolen password with the database. Some of these tables are bigger that 160 GB in size, and they include hashes for almost every possible combination of characters.

Challenge Yashira Hash 3

In this challenge, they give us a hash that needs to be cracked, and then answered it with the password on clear text.


Figure 1. Challenge on Yashira

We could use a rainbow table to crack this hash but it will need a huge database or an algorithm that uses every hash and password to compare. On the contrary, we could use crackstation to do this task. It only needs the hash and the site cracks it with its own database.


Figure 2. crackstation hashing solver

It then discovers the clear text password of the hash given, telling us that it is SHA1. It uses colors to indicate if the search was successful, if a partial a partial match was found or if no password was found at all


Figure 3. Solution given by crackstation

To protect against these types of attacks, developers and systems administrators should add security measures additional to hash such as salt. Salting passwords prevent rainbow table attacks adding a set of random data at the end of the password before hashing it. These additional characters add complexity to the password and cause that password attacks that compare hashes to fail. Some of the common methods of salting are Bcrypt and PBKDF2 (Password-Based Key Derivation Function 2).


Subscribe to our blog

Sign up for Fluid Attacks’ weekly newsletter.

Recommended blog posts

You might be interested in the following related posts.

Photo by Saketh Upadhya on Unsplash

Get an overview of vulnerability assessment

Photo by Anchor Lee on Unsplash

Benefits of continuous over point-in-time pentesting

Photo by Nik Shuliahin on Unsplash

For which security standards is pentesting a must-have?

Photo by Thomas Griggs on Unsplash

Pentesting is a system-agnostic approach to security

Photo by Dmitry Ratushny on Unsplash

Differences between these security testing approaches

Photo by Kostiantyn Li on Unsplash

Our CLI is an approved AST tool to secure cloud apps

Photo by Jeff Lemond on Unsplash

How BAS solutions work, their importance and benefits

Photo by Hunters Race on Unsplash

Disclosure rules proposed by SEC may soon take effect

Start your 21-day free trial

Discover benefits of our Continuous Hacking solution, which hundreds of organizations are already enjoying.

Start your 21-day free trial