News & Commentary
6/4/2014
12:00 PM
Michael Coates
Michael Coates
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Safely Storing User Passwords: Hashing vs. Encrypting

Securing user information begins with a proper understanding of security controls and the protection of user passwords using modern hashing algorithms. Here's a quick review of the fundamentals.

Over the past several months, we've seen major breaches exposing numerous usernames and passwords. The eBay and Adobe breaches impacted millions of accounts. Snapchat was compromised. With every password breach comes the inevitable question: Were the passwords stored securely? Unfortunately, this simple question is not simply answered.

Though hashing and encryption both provide valuable capabilities, for the vast majority of situations, there is only one right option for storing user passwords for an online application: hashing. This is a one-way function in which a hashed value cannot be reversed to obtain the original input value (i.e., the password). Symmetric encryption is based on the use of an encryption key and is a reversible operation. Anyone possessing the key can decrypt an encrypted value to obtain the original value.

Table 1: Differences Between Hashing and Symmetric Encryption

Hashing Symmetric Encryption
One-way function Reversible Operation
Invertible Operation? No, Yes,
For modern hashing algorithms it is not easy to reverse the hash value to obtain the original input value Symmetric encryption is designed to allow anyone with access to the encryption key to decrypt and obtain the original input value
*See note below on rainbow tables, salts, etc.
Other considerations ·         Hashing algorithm selection ·         Encryption algorithm selection
·         Per User Salt ·         Protection of key
·         Computational difficulty

How does the application authenticate a user with a password hash?
When the application receives a username and password from a user, it performs the hashing operation on the password and compares the resulting hashed value with the password hash stored in the database for the particular user. If the two hashes are an exact match, the user provided a valid username and password.

The benefit of hashing is that the application never needs to store the clear text password. It stores only the hashed value.

Is all hashing created equal?
No. In fact, hashing algorithms can be very different, and not all are appropriate for password storage.

Speed and iterative hashing algorithms
This may be a bit counterintuitive, but older hashing algorithms are too fast. Attackers may not be able to reverse a hashed value to obtain the original input, but they could perform a brute force attack that hashes numerous possible password inputs and checks if they match any of the stolen hashes.

To combat this threat, modern hashing algorithms can perform multiple iterations. This introduces a minor delay for a single hashing operation, but this small delay becomes massive if an attacker is performing a brute force attack. Consequently, iterative hashing algorithms make brute force attacks unrealistic, since they would require hundreds of years or more to complete.

Table 2: Without Salts

User Password Resulting Hash
Joe password123 xyfkdl323...
Sue password123 xyfkdl323...

Table 3: With Salts

User Password Salt Resulting Hash
Joe password123 48a023jl2... ied390fl2...
Sue password123 9fh3ls321... 40akdl23...

Does account lockout have any impact on the security model of password storage?
In short, no. The goal of securely storing passwords is to provide additional defense in the event the password file is ever stolen.

Attacks against password hashes are offline attacks. This means the attackers have already stolen the password file and are using their own computer to attempt various password combinations to find a hash in the stolen password hash file. Since this is an offline attack, controls such as account lockout or captchas provide no value. Those controls are valid only for online attacks against the login page of a running web server.

What are the risks of using symmetric encryption instead of hashing?
By design, symmetric encryption is a reversible operation. This means that the encryption key must be accessible to the application and will be used for every password verification.

If the encrypted passwords are stolen, the attackers only need to determine the symmetric key used by the application. Once that key becomes known, through a breach or through brute force attacks on a weak key, all passwords are instantly decrypted and accessible. This is not a good place to be.

Moral of the story
To store user passwords safely, it is critical to understand the differences between symmetric encryption and hashing. Algorithms such as PBKDF2, bcrypt, and scrypt all utilize per user salts and iterative hashing capabilities to store passwords securely.

The Internet and web applications will become even more important parts of everyday life as they are trusted with increasingly sensitive information. It is imperative that developers and application owners ensure they are doing everything they can to secure user information. This starts with a proper understanding of fundamental security controls and the protection of user passwords using modern hashing algorithms.

Michael Coates is the Chairman of the OWASP board, an international non-profit organization focused on advancing and evangelizing the field of application security. In addition, he is the creator of OWASP AppSensor, a project dedicated to creating attack-aware applications ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
6/4/2014 | 12:34:09 PM
Good overview
Thanks for your detailed overview, Michael. You say that to propertly secure user invormation today, application developers must starts with "a proper understanding of fundamental security controls and the protection of user passwords using modern hashing algorithms." What do you think is the biggest misunderstanding of security that app developers have?
MichaelCoates
100%
0%
MichaelCoates,
User Rank: Author
6/4/2014 | 1:02:50 PM
Re: Good overview
The largest misconception is that since encryption is good for protecting information in some situations it is therefore appropriate for all situations involving sensitive data. As discussed above, encryption is really the wrong choice for protecting passwords.

Second, that any hashing algorithm is sufficient for password hashing. Selecting a weak algorithm like md5 or failing to user per user salts places passwords at extreme risk if the hash file is stolen.

-Michael
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
6/4/2014 | 2:51:46 PM
Re: Good overview
Thanks, Michael. One of the things I've been hearing about more and more is that personal information has become much more valuable a target for cybercrime than, for example credit cards. If that's the case, then your message about hashing versus encryption is one that InfoSec pros should definitely take to heart. 
chiefwilson
50%
50%
chiefwilson,
User Rank: Apprentice
6/11/2014 | 9:57:04 PM
Re: Good overview
Michael,

Thank you for a well-written article. I agree that hashing passwords with added salt provides far greater security than simply encrypting passwords. My question is simple: If a malicious actor steals a database of password hashes, won't this database include the salts as well, thereby nullifying the purpose of the salt, which is to defend against brute force dictionary and rainbow table attacks?
MichaelCoates
100%
0%
MichaelCoates,
User Rank: Author
6/12/2014 | 4:16:00 PM
Re: Good overview
Good question. The stolen database would indeed include the salts. However, exposure of random per-user salts does not undermine their purpose and security benefits.

There are two benefits to using per-user salts

1. When using per-user salts an attacker cannot simply review the stolen password hash databse for duplicate hashes (which would indicate the same original password for both accounts). The introduction of a per-user salt ensures that even the same password will result in unique hashes.

2. An attacker cannot download a rainbow table and use it against the password hashes. A rainbow table is a large database of precomputed hashes for a variety of common passwords (or even all possible passwords of certain character sets and lengths). Without per-user salts an attacker could do a simple lookup of the stolen hash within the rainbow table to determine the original password. The introduction of per-user salts means the rainbow table is useless.


Sure, an attacker could incorporate the salt into a brute force attack. But the purpose of a salt isn't to stop brute force. It's to accomplish the two items mentioned above (duplicate hashes and rainbow tables). As I mentioned in the article, the iterative hashing approach that exists in bcrypt/scrypt/PBKDF2 is the defense against brute force attacks on the password hash.

 

Hope that helps.

Michael

 
TejGandhi1986
50%
50%
TejGandhi1986,
User Rank: Apprentice
6/13/2014 | 9:01:50 PM
Preventing the password file from getting stolen
Thanks for the article,itis very informative and provide details on the foundations related to hashing and encryption.

Considering different chain of thoughts ,along with encryption and hashing that is used to secure passwords it is essential that the password file is well protected SAM file in windows and etc/shadow or etc/passwd file in Linux access must be restricted with multiple layers of defense to prevent it from getting stolen.

Thanks

Tej Gandhi

 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4973
Published: 2014-09-23
The ESET Personal Firewall NDIS filter (EpFwNdis.sys) driver in the Firewall Module Build 1183 (20140214) and earlier in ESET Smart Security and ESET Endpoint Security products 5.0 through 7.0 allows local users to gain privileges via a crafted argument to a 0x830020CC IOCTL call.

CVE-2014-5392
Published: 2014-09-23
XML External Entity (XXE) vulnerability in JobScheduler before 1.6.4246 and 7.x before 1.7.4241 allows remote attackers to cause a denial of service and read arbitrary files or directories via a request containing an XML external entity declaration in conjunction with an entity reference.

CVE-2014-6646
Published: 2014-09-23
The bellyhoodcom (aka com.tapatalk.bellyhoodcom) application 3.4.23 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6647
Published: 2014-09-23
The ElForro.com (aka com.tapatalk.elforrocom) application 2.4.3.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6648
Published: 2014-09-23
The iPhone4.TW (aka com.tapatalk.iPhone4TWforums) application 3.3.20 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio