Secure way of Storing User Credentials
An Introduction to Hashing and Salting
Why do I need a password anyway?

Why do I need a password anyway? Personal Computers
If someone else gains access to your account, they may cause you a great deal of trouble:
● Deleting your files
● Using it to hack other systems
● Forging e-mail purporting to come from you

Why do I need a password anyway? (Web Scenario)
● Identifying users
● Authenticating users for specific areas
● Securing user-specific data from other users

Password on the web - The Problem
● If you have something that is accessible on the web, it can be retrieved.

Let's try to hack a site for Passwords
● SQL Injection Demo

What should be done?
● Store passwords in such a way that even if someone somehow gets hold of the password hashes, they cannot extract the passwords from them.

Storing Passwords as Plain Text
● There is no security at all.
● Anyone who has access to the database can easily learn the passwords of all the users.
● Even a small part of the application that is prone to SQL injection can reveal the passwords of all the users.

Storing Encrypted Passwords
● The good: This approach is better than storing the passwords in plain text.
● The bad: If someone knows the encryption algorithm and the secret key that was used for encryption, they can decrypt the passwords easily.

What is Hashing
● Hashing is the process of generating a number or a unique string (the hash) for a larger string message.
● The hash for every string message should be unique, and there is no way the original message can be reproduced from its hash value.

Storing Password Hashes – The Good
● So the even better approach is to store the password hashes in the table.
● This way there is no way to regenerate the password from the hash.
● Whenever the user tries to log in, we generate the hash for the entered password using the same hashing algorithm and compare it with the hash stored in the database to check whether the password is correct.

Storing Password Hashes – The Bad
The problem here is that user1 and user4 chose the same password, and thus their generated password hashes are also the same.

Could we not devise a technique which provides us all the benefits of hashing and also removes the limitations associated with it?

Salting and Hashing of Passwords
● Salting is a technique in which we add a random string to the user-entered password and then hash the resulting string.
● Even if two people have chosen the same password, the salt for them will be different.

Let's visualize it
Even though user1 and user4 have chosen the same password, their salt values are different and thus the resultant hash values are also different.

User Creation Process
1. User enters a password.
2. A random salt value is generated for the user.
3. The salt value is added to the password and a final string is generated.
4. The hash for the final string is calculated.
5. The hash and the salt are stored in the database for this user.

User tries to log in
1. User enters his user id.
2. The user id is used to retrieve the user's password hash and salt stored in the database.
3. The user enters his password.
4. The retrieved salt is added to this password and a final string is generated.
5. The hash for the final string is calculated.
6. This calculated hash is compared with the hash value retrieved from the database.
7. If it matches, the password is correct; otherwise it is not.
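The creation and login steps above, together with the user1/user4 comparison from the hashing slides, as one runnable example. This is an added example, not code from the slides: it keeps the "users table" in an in-memory dictionary, uses PBKDF2-HMAC-SHA256 for the "add the salt and hash" step (the slides name no algorithm; that choice is the editor's), and the user ids and the password "hunter2" are constructed sample values.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed in-memory stand-in for the users table on the slides:
# user_id -> {"salt": bytes, "hash": bytes}. A real deployment keeps these
# two columns in the database next to the user id.
USERS: Dict[str, Dict[str, bytes]] = {}

PBKDF2_ITERATIONS = 100_000  # assumption: iteration count picked for this example


def unsalted_hash(password: str) -> bytes:
    """Hash of the bare password (the 'Storing Password Hashes' slides).

    Two users with the same password get the same hash, which is exactly
    the problem the salting slides describe.
    """
    return hashlib.sha256(password.encode("utf-8")).digest()


def salted_hash(password: str, salt: bytes) -> bytes:
    """Combine salt and password, then hash (creation steps 3-4, login steps 4-5).

    The slides say 'add the salt and hash the result'; this example uses
    PBKDF2-HMAC-SHA256 for that step so the result is also slow to brute-force.
    The algorithm choice is an assumption of this example, not the slides'.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_user(user_id: str, password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """User creation process: random salt, hash of salt+password, store both."""
    if salt is None:
        salt = os.urandom(16)  # step 2: a fresh random salt per user
    record = {"salt": salt, "hash": salted_hash(password, salt)}
    USERS[user_id] = record  # step 5: the hash and the salt are stored together
    return record


def login(user_id: str, password: str) -> bool:
    """Login process: fetch hash and salt by user id, recompute, compare."""
    record = USERS.get(user_id)  # step 2: look up by user id
    if record is None:
        # Unknown user: still do one hash computation so the response time
        # does not reveal whether the user id exists.
        salted_hash(password, bytes(16))
        return False
    candidate = salted_hash(password, record["salt"])  # steps 4-5
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, record["hash"])  # steps 6-7


def same_password_demo(password: str) -> Dict[str, bool]:
    """Reproduce the user1/user4 comparison: plain hashes collide, salted ones differ."""
    user1 = create_user("user1", password)
    user4 = create_user("user4", password)
    return {
        "unsalted_hashes_equal": unsalted_hash(password) == unsalted_hash(password),
        "salted_hashes_equal": user1["hash"] == user4["hash"],
    }


if __name__ == "__main__":
    print(same_password_demo("hunter2"))
    print("user1, correct password:", login("user1", "hunter2"))
    print("user1, wrong password:", login("user1", "hunter3"))
    print("unknown user:", login("nobody", "hunter2"))
```

Note that the salt is stored in the clear next to the hash; it is not a secret. Its job is only to make equal passwords produce different stored values, so a leaked table cannot be matched against a single precomputed list of hashes.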
References
● http://www.codeproject.com/Articles/608860/A-Beginners-Tutor
● Self-Paced Training Kit (MCTS 70-516) – Chapter 8, Lesson 3.