News & Commentary
6/4/2014
12:00 PM
Michael Coates
Michael Coates
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Safely Storing User Passwords: Hashing vs. Encrypting

Securing user information begins with a proper understanding of security controls and the protection of user passwords using modern hashing algorithms. Here's a quick review of the fundamentals.

Over the past several months, we've seen major breaches exposing numerous usernames and passwords. The eBay and Adobe breaches impacted millions of accounts. Snapchat was compromised. With every password breach comes the inevitable question: Were the passwords stored securely? Unfortunately, this simple question is not simply answered.

Though hashing and encryption both provide valuable capabilities, for the vast majority of situations, there is only one right option for storing user passwords for an online application: hashing. This is a one-way function in which a hashed value cannot be reversed to obtain the original input value (i.e., the password). Symmetric encryption is based on the use of an encryption key and is a reversible operation. Anyone possessing the key can decrypt an encrypted value to obtain the original value.

Table 1: Differences Between Hashing and Symmetric Encryption

Hashing Symmetric Encryption
One-way function Reversible Operation
Invertible Operation? No, Yes,
For modern hashing algorithms it is not easy to reverse the hash value to obtain the original input value Symmetric encryption is designed to allow anyone with access to the encryption key to decrypt and obtain the original input value
*See note below on rainbow tables, salts, etc.
Other considerations ·         Hashing algorithm selection ·         Encryption algorithm selection
·         Per User Salt ·         Protection of key
·         Computational difficulty

How does the application authenticate a user with a password hash?
When the application receives a username and password from a user, it performs the hashing operation on the password and compares the resulting hashed value with the password hash stored in the database for the particular user. If the two hashes are an exact match, the user provided a valid username and password.

The benefit of hashing is that the application never needs to store the clear text password. It stores only the hashed value.

Is all hashing created equal?
No. In fact, hashing algorithms can be very different, and not all are appropriate for password storage.

Speed and iterative hashing algorithms
This may be a bit counterintuitive, but older hashing algorithms are too fast. Attackers may not be able to reverse a hashed value to obtain the original input, but they could perform a brute force attack that hashes numerous possible password inputs and checks if they match any of the stolen hashes.

To combat this threat, modern hashing algorithms can perform multiple iterations. This introduces a minor delay for a single hashing operation, but this small delay becomes massive if an attacker is performing a brute force attack. Consequently, iterative hashing algorithms make brute force attacks unrealistic, since they would require hundreds of years or more to complete.

Table 2: Without Salts

User Password Resulting Hash
Joe password123 xyfkdl323...
Sue password123 xyfkdl323...

Table 3: With Salts

User Password Salt Resulting Hash
Joe password123 48a023jl2... ied390fl2...
Sue password123 9fh3ls321... 40akdl23...

Does account lockout have any impact on the security model of password storage?
In short, no. The goal of securely storing passwords is to provide additional defense in the event the password file is ever stolen.

Attacks against password hashes are offline attacks. This means the attackers have already stolen the password file and are using their own computer to attempt various password combinations to find a hash in the stolen password hash file. Since this is an offline attack, controls such as account lockout or captchas provide no value. Those controls are valid only for online attacks against the login page of a running web server.

What are the risks of using symmetric encryption instead of hashing?
By design, symmetric encryption is a reversible operation. This means that the encryption key must be accessible to the application and will be used for every password verification.

If the encrypted passwords are stolen, the attackers only need to determine the symmetric key used by the application. Once that key becomes known, through a breach or through brute force attacks on a weak key, all passwords are instantly decrypted and accessible. This is not a good place to be.

Moral of the story
To store user passwords safely, it is critical to understand the differences between symmetric encryption and hashing. Algorithms such as PBKDF2, bcrypt, and scrypt all utilize per user salts and iterative hashing capabilities to store passwords securely.

The Internet and web applications will become even more important parts of everyday life as they are trusted with increasingly sensitive information. It is imperative that developers and application owners ensure they are doing everything they can to secure user information. This starts with a proper understanding of fundamental security controls and the protection of user passwords using modern hashing algorithms.

Michael Coates is the Chairman of the OWASP board, an international non-profit organization focused on advancing and evangelizing the field of application security. In addition, he is the creator of OWASP AppSensor, a project dedicated to creating attack-aware applications ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
6/4/2014 | 12:34:09 PM
Good overview
Thanks for your detailed overview, Michael. You say that to propertly secure user invormation today, application developers must starts with "a proper understanding of fundamental security controls and the protection of user passwords using modern hashing algorithms." What do you think is the biggest misunderstanding of security that app developers have?
MichaelCoates
100%
0%
MichaelCoates,
User Rank: Author
6/4/2014 | 1:02:50 PM
Re: Good overview
The largest misconception is that since encryption is good for protecting information in some situations it is therefore appropriate for all situations involving sensitive data. As discussed above, encryption is really the wrong choice for protecting passwords.

Second, that any hashing algorithm is sufficient for password hashing. Selecting a weak algorithm like md5 or failing to user per user salts places passwords at extreme risk if the hash file is stolen.

-Michael
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
6/4/2014 | 2:51:46 PM
Re: Good overview
Thanks, Michael. One of the things I've been hearing about more and more is that personal information has become much more valuable a target for cybercrime than, for example credit cards. If that's the case, then your message about hashing versus encryption is one that InfoSec pros should definitely take to heart. 
chiefwilson
50%
50%
chiefwilson,
User Rank: Apprentice
6/11/2014 | 9:57:04 PM
Re: Good overview
Michael,

Thank you for a well-written article. I agree that hashing passwords with added salt provides far greater security than simply encrypting passwords. My question is simple: If a malicious actor steals a database of password hashes, won't this database include the salts as well, thereby nullifying the purpose of the salt, which is to defend against brute force dictionary and rainbow table attacks?
MichaelCoates
100%
0%
MichaelCoates,
User Rank: Author
6/12/2014 | 4:16:00 PM
Re: Good overview
Good question. The stolen database would indeed include the salts. However, exposure of random per-user salts does not undermine their purpose and security benefits.

There are two benefits to using per-user salts

1. When using per-user salts an attacker cannot simply review the stolen password hash databse for duplicate hashes (which would indicate the same original password for both accounts). The introduction of a per-user salt ensures that even the same password will result in unique hashes.

2. An attacker cannot download a rainbow table and use it against the password hashes. A rainbow table is a large database of precomputed hashes for a variety of common passwords (or even all possible passwords of certain character sets and lengths). Without per-user salts an attacker could do a simple lookup of the stolen hash within the rainbow table to determine the original password. The introduction of per-user salts means the rainbow table is useless.


Sure, an attacker could incorporate the salt into a brute force attack. But the purpose of a salt isn't to stop brute force. It's to accomplish the two items mentioned above (duplicate hashes and rainbow tables). As I mentioned in the article, the iterative hashing approach that exists in bcrypt/scrypt/PBKDF2 is the defense against brute force attacks on the password hash.

 

Hope that helps.

Michael

 
TejGandhi1986
50%
50%
TejGandhi1986,
User Rank: Apprentice
6/13/2014 | 9:01:50 PM
Preventing the password file from getting stolen
Thanks for the article,itis very informative and provide details on the foundations related to hashing and encryption.

Considering different chain of thoughts ,along with encryption and hashing that is used to secure passwords it is essential that the password file is well protected SAM file in windows and etc/shadow or etc/passwd file in Linux access must be restricted with multiple layers of defense to prevent it from getting stolen.

Thanks

Tej Gandhi

 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
10 Recommendations for Outsourcing Security
10 Recommendations for Outsourcing Security
Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7241
Published: 2014-12-19
The TSUTAYA application 5.3 and earlier for Android allows remote attackers to execute arbitrary Java methods via a crafted HTML document.

CVE-2014-7249
Published: 2014-12-19
Buffer overflow on the Allied Telesis AR440S, AR441S, AR442S, AR745, AR750S, AR750S-DP, AT-8624POE, AT-8624T/2M, AT-8648T/2SP, AT-8748XL, AT-8848, AT-9816GB, AT-9924T, AT-9924Ts, CentreCOM AR415S, CentreCOM AR450S, CentreCOM AR550S, CentreCOM AR570S, CentreCOM 8700SL, CentreCOM 8948XL, CentreCOM 992...

CVE-2014-7267
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the output-page generator in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7268.

CVE-2014-7268
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the data-export feature in the Ricksoft WBS Gantt-Chart add-on 7.8.1 and earlier for JIRA allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-7267.

CVE-2014-8272
Published: 2014-12-19
The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.