Storing Passwords Safely

Solving Yashira hash challenge 3

Blog Storing Passwords Safely

| 2 min read

Table of contents

Contact us

By the end of the year, we witnessed a huge increase in the amount of attacks that extracted large quantities of personal information, emails and passwords. Even one of the biggest email services, Yahoo, suffered an attack by cyber-criminals and they robbed more than 500000 accounts, in doing so, accessing to everyone’s passwords. One of the most common methods of storing passwords on rest is hashing, it’s a mathematical function that transforms data into a fixed-length value or key that represents the original data.

You can use hashing algorithms to reinforce integrity and also to store passwords, as long as the data never changes. The resulting hash will always be the same. By comparing hashes created at two different times you can determine if the original data is still the same. Passwords are often stored as hashes, when a user creates a new password, the system calculates the hash and stores it. Later, when a user logs-in, the system calculates the hash of the password entered and compare it with the one stored, if it is the same then the person entered the correct password. The most common hashing algorithms are MD5 (Message Digest 5), SHA (Secure Hash Algorithm) and HMAC (Hash-based Message Authentication Code).

However, hashing has a vulnerability, rainbow tables. Which are huge databases of precomputed hashes, and it helps crackers to discover passwords comparing thehash of a stolen password with the database. Some of these tables are bigger that 160 GB in size, and they include hashes for almost every possible combination of characters.

Get started with Fluid Attacks' Ethical Hacking solution right now

Challenge Yashira Hash 3

In this challenge, they give us a hash that needs to be cracked, and then answered it with the password on clear text.


Figure 1. Challenge on Yashira

We could use a rainbow table to crack this hash but it will need a huge database or an algorithm that uses every hash and password to compare. On the contrary, we could use crackstation to do this task. It only needs the hash and the site cracks it with its own database.


Figure 2. crackstation hashing solver

It then discovers the clear text password of the hash given, telling us that it is SHA1. It uses colors to indicate if the search was successful, if a partial a partial match was found or if no password was found at all


Figure 3. Solution given by crackstation

To protect against these types of attacks, developers and systems administrators should add security measures additional to hash such as salt. Salting passwords prevent rainbow table attacks adding a set of random data at the end of the password before hashing it. These additional characters add complexity to the password and cause that password attacks that compare hashes to fail. Some of the common methods of salting are Bcrypt and PBKDF2 (Password-Based Key Derivation Function 2).

Table of contents


Subscribe to our blog

Sign up for Fluid Attacks' weekly newsletter.

Recommended blog posts

You might be interested in the following related posts.

Photo by Jasmin Egger on Unsplash

If the essential security layer is flawed, you're toast

Photo by Christian Wiediger on Unsplash

The need to enhance security within the fintech sector

Photo by Claudio Schwarz on Unsplash

Is your financial service as secure as you think?

Photo by mitchell kavan on Unsplash

Bringing the zero trust model to life

Photo by Brian Kelly on Unsplash

We need you, but we can't give you any money

Photo by Sean Pollock on Unsplash

Data breaches that left their mark on time

Photo by Roy Muz on Unsplash

Lessons learned from black swans

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which hundreds of organizations are already enjoying.

Start your 21-day free trial
Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.