News & Commentary
6/4/2014
12:00 PM
Michael Coates
Michael Coates
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Safely Storing User Passwords: Hashing vs. Encrypting

Securing user information begins with a proper understanding of security controls and the protection of user passwords using modern hashing algorithms. Here's a quick review of the fundamentals.

Over the past several months, we've seen major breaches exposing numerous usernames and passwords. The eBay and Adobe breaches impacted millions of accounts. Snapchat was compromised. With every password breach comes the inevitable question: Were the passwords stored securely? Unfortunately, this simple question is not simply answered.

Though hashing and encryption both provide valuable capabilities, for the vast majority of situations, there is only one right option for storing user passwords for an online application: hashing. This is a one-way function in which a hashed value cannot be reversed to obtain the original input value (i.e., the password). Symmetric encryption is based on the use of an encryption key and is a reversible operation. Anyone possessing the key can decrypt an encrypted value to obtain the original value.

Table 1: Differences Between Hashing and Symmetric Encryption

Hashing Symmetric Encryption
One-way function Reversible Operation
Invertible Operation? No, Yes,
For modern hashing algorithms it is not easy to reverse the hash value to obtain the original input value Symmetric encryption is designed to allow anyone with access to the encryption key to decrypt and obtain the original input value
*See note below on rainbow tables, salts, etc.
Other considerations ·         Hashing algorithm selection ·         Encryption algorithm selection
·         Per User Salt ·         Protection of key
·         Computational difficulty

How does the application authenticate a user with a password hash?
When the application receives a username and password from a user, it performs the hashing operation on the password and compares the resulting hashed value with the password hash stored in the database for the particular user. If the two hashes are an exact match, the user provided a valid username and password.

The benefit of hashing is that the application never needs to store the clear text password. It stores only the hashed value.

Is all hashing created equal?
No. In fact, hashing algorithms can be very different, and not all are appropriate for password storage.

Speed and iterative hashing algorithms
This may be a bit counterintuitive, but older hashing algorithms are too fast. Attackers may not be able to reverse a hashed value to obtain the original input, but they could perform a brute force attack that hashes numerous possible password inputs and checks if they match any of the stolen hashes.

To combat this threat, modern hashing algorithms can perform multiple iterations. This introduces a minor delay for a single hashing operation, but this small delay becomes massive if an attacker is performing a brute force attack. Consequently, iterative hashing algorithms make brute force attacks unrealistic, since they would require hundreds of years or more to complete.

Table 2: Without Salts

User Password Resulting Hash
Joe password123 xyfkdl323...
Sue password123 xyfkdl323...

Table 3: With Salts

User Password Salt Resulting Hash
Joe password123 48a023jl2... ied390fl2...
Sue password123 9fh3ls321... 40akdl23...

Does account lockout have any impact on the security model of password storage?
In short, no. The goal of securely storing passwords is to provide additional defense in the event the password file is ever stolen.

Attacks against password hashes are offline attacks. This means the attackers have already stolen the password file and are using their own computer to attempt various password combinations to find a hash in the stolen password hash file. Since this is an offline attack, controls such as account lockout or captchas provide no value. Those controls are valid only for online attacks against the login page of a running web server.

What are the risks of using symmetric encryption instead of hashing?
By design, symmetric encryption is a reversible operation. This means that the encryption key must be accessible to the application and will be used for every password verification.

If the encrypted passwords are stolen, the attackers only need to determine the symmetric key used by the application. Once that key becomes known, through a breach or through brute force attacks on a weak key, all passwords are instantly decrypted and accessible. This is not a good place to be.

Moral of the story
To store user passwords safely, it is critical to understand the differences between symmetric encryption and hashing. Algorithms such as PBKDF2, bcrypt, and scrypt all utilize per user salts and iterative hashing capabilities to store passwords securely.

The Internet and web applications will become even more important parts of everyday life as they are trusted with increasingly sensitive information. It is imperative that developers and application owners ensure they are doing everything they can to secure user information. This starts with a proper understanding of fundamental security controls and the protection of user passwords using modern hashing algorithms.

Michael Coates is the Chairman of the OWASP board, an international non-profit organization focused on advancing and evangelizing the field of application security. In addition, he is the creator of OWASP AppSensor, a project dedicated to creating attack-aware applications ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
TejGandhi1986
50%
50%
TejGandhi1986,
User Rank: Apprentice
6/13/2014 | 9:01:50 PM
Preventing the password file from getting stolen
Thanks for the article,itis very informative and provide details on the foundations related to hashing and encryption.

Considering different chain of thoughts ,along with encryption and hashing that is used to secure passwords it is essential that the password file is well protected SAM file in windows and etc/shadow or etc/passwd file in Linux access must be restricted with multiple layers of defense to prevent it from getting stolen.

Thanks

Tej Gandhi

 
MichaelCoates
100%
0%
MichaelCoates,
User Rank: Author
6/12/2014 | 4:16:00 PM
Re: Good overview
Good question. The stolen database would indeed include the salts. However, exposure of random per-user salts does not undermine their purpose and security benefits.

There are two benefits to using per-user salts

1. When using per-user salts an attacker cannot simply review the stolen password hash databse for duplicate hashes (which would indicate the same original password for both accounts). The introduction of a per-user salt ensures that even the same password will result in unique hashes.

2. An attacker cannot download a rainbow table and use it against the password hashes. A rainbow table is a large database of precomputed hashes for a variety of common passwords (or even all possible passwords of certain character sets and lengths). Without per-user salts an attacker could do a simple lookup of the stolen hash within the rainbow table to determine the original password. The introduction of per-user salts means the rainbow table is useless.


Sure, an attacker could incorporate the salt into a brute force attack. But the purpose of a salt isn't to stop brute force. It's to accomplish the two items mentioned above (duplicate hashes and rainbow tables). As I mentioned in the article, the iterative hashing approach that exists in bcrypt/scrypt/PBKDF2 is the defense against brute force attacks on the password hash.

 

Hope that helps.

Michael

 
chiefwilson
50%
50%
chiefwilson,
User Rank: Apprentice
6/11/2014 | 9:57:04 PM
Re: Good overview
Michael,

Thank you for a well-written article. I agree that hashing passwords with added salt provides far greater security than simply encrypting passwords. My question is simple: If a malicious actor steals a database of password hashes, won't this database include the salts as well, thereby nullifying the purpose of the salt, which is to defend against brute force dictionary and rainbow table attacks?
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
6/4/2014 | 2:51:46 PM
Re: Good overview
Thanks, Michael. One of the things I've been hearing about more and more is that personal information has become much more valuable a target for cybercrime than, for example credit cards. If that's the case, then your message about hashing versus encryption is one that InfoSec pros should definitely take to heart. 
MichaelCoates
100%
0%
MichaelCoates,
User Rank: Author
6/4/2014 | 1:02:50 PM
Re: Good overview
The largest misconception is that since encryption is good for protecting information in some situations it is therefore appropriate for all situations involving sensitive data. As discussed above, encryption is really the wrong choice for protecting passwords.

Second, that any hashing algorithm is sufficient for password hashing. Selecting a weak algorithm like md5 or failing to user per user salts places passwords at extreme risk if the hash file is stolen.

-Michael
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
6/4/2014 | 12:34:09 PM
Good overview
Thanks for your detailed overview, Michael. You say that to propertly secure user invormation today, application developers must starts with "a proper understanding of fundamental security controls and the protection of user passwords using modern hashing algorithms." What do you think is the biggest misunderstanding of security that app developers have?
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
10 Recommendations for Outsourcing Security
10 Recommendations for Outsourcing Security
Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5426
Published: 2014-11-27
MatrikonOPC OPC Server for DNP3 1.2.3 and earlier allows remote attackers to cause a denial of service (unhandled exception and DNP3 process crash) via a crafted message.

CVE-2014-2037
Published: 2014-11-26
Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466.

CVE-2014-6609
Published: 2014-11-26
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.

CVE-2014-6610
Published: 2014-11-26
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dia...

CVE-2014-7141
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?