AK
Uploaded byAhmad karawash
PDF, PPTX1,837 views

Password hashing, salting, bycrpt

The document provides recommendations for securely storing user passwords. It recommends using bcrypt or PBKDF2 hashing with per-user salting to hash passwords before storing in a database. Bcrypt and PBKDF2 are slower algorithms that help protect against brute force and rainbow table attacks. The document also recommends storing the salt in a separate column to prevent attackers from cracking multiple passwords at once if the database is breached.

Embed presentation

Download as PDF, PPTX
Recommendation on Password Hashing, Salting, Bycrpt Ahmad Karawash PhD in Technology of Information, Book Editor, CCA, Latece, ACM & IEEE member 12/18/2015 1
Overview • Introduction • Hashing • Fixed Salting • Per user Salting • Bcrypting • Recommendations 12/18/2015 2
Introduction • The most important aspect of a user account system is how user passwords are protected. • User account databases are hacked frequently, so you absolutely must do something to protect your users' passwords if your website is ever breached. • The best way to protect passwords is to employ salted password hashing. 12/18/2015 3
Hashing • Hashing is the transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string. • Fast Hashing Algorithms: • Md5 • Sha1 • sha256 12/18/2015 4 Username sha1(password) john@hotmail.com 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 betty@gmail.com cbfdac6008f9cab4083784cbd1874f76618d2a97 …. …..
How password hashing works? • The user creates an account. • Their password is hashed and stored in the database. • When the user attempts to login, the hash of the password they entered is checked against the hash of their real password (retrieved from the database). • If the hashes match, the user is granted access. If not, the user is told they entered invalid login credentials. • Steps 3 and 4 repeat every time someone tries to login to their account. 12/18/2015 5
Weakness: How password hashing is hacked? The simplest way to crack a hash is to try to guess the password, hashing each guess, and checking if the guess's hash equals the hash being cracked. The two most common ways of guessing passwords are • Dictionary Attacks • Brute Force Attacks • Lookup Tables • Reverse Lookup Tables • Rainbow Tables 12/18/2015 6
Hashing result • Storing a simple hash is not secure -- if a hacker gains access to your database, they'll be able to figure out the majority of the passwords of the users. 12/18/2015 7
1st Enhancement: Adding Fixed Salt to fast hashing • Randomize the hashes by appending a random long string, called a salt, to the password before hashing. • If the hacker gains access to password hashes (but not the salt), it will make it much more difficult for the hacker to guess the passwords because they would also need to know the salt. 12/18/2015 8 Username sha1("salt123456789" + password) john@hotmail.com 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 betty@gmail.com cbfdac6008f9cab4083784cbd1874f76618d2a97 …. …..
Weakness of fixed salt • if the hacker has broken into your server, they probably also have access to your source code as well, so they'll learn the salt too. 12/18/2015 9
2nd Enhancement: Add Per_User Salt to fast hashing • Create a new column in the database and store a different salt for each user. The salt is randomly created when the user account is first created when the user changes their password. 12/18/2015 10 Username sha1("salt" + password) salt john@hotmail.com 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 3r3erererwe3 betty@gmail.com cbfdac6008f9cab4083784cbd1874f76618d2a97 effe4f34w3fg3 …. ….. …..
Benefit of Per_User salt • The hacker can't attack all of your user's passwords at the same time • So basically, if you have 1 million users, having a per-user-salt makes it 1 million times harder to figure out the passwords of all your users. • But this still isn't impossible for a hacker to do. Instead of 1 cpu-hour, now they need 1 million cpu-hours, which can easily be rented from Amazon for about $40,000. 12/18/2015 11
3rd enhancement: USE Bcrypt OR PBKDF2 for Slow HAshing • Bcrypt is a cross platform file encryption utility. • It takes about 100ms to compute, which is about 10,000x slower than sha1(). 100ms is fast enough that the user won't notice when they log in, but slow enough that it becomes less feasible to execute against a long list of likely passwords. • For instance, if a hacker wants to compute bcrypt() against a list of a billion likely passwords, it will take about 30,000 cpu-hours (in AWS about $1200) -- and that's for a single password. 12/18/2015 12
benefits • Besides incorporating a salt to protect against rainbow table attacks, Bcrypt & PBKDF2 is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power. 12/18/2015 13 Username $bcrypt_id$Log_rounds$128-bit-salt 184-bit-hash john@hotmail.com $2a$12$ffdfd5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 betty@gmail.com $3d$12$cbfdac6008f9cab4083784cbd1874f76618d2a97ffdfr …. …..
Recommendation • Don’t use any of these Fast Hashing Algorithms: • Md5 • Sha1 • sha256 • Also, the web is full of bad recommendation about using these hashing functions. 12/18/2015 14
Recommendation • Bcrypt or PBKDF2 are better even if they are slower. • Slower does not means it will be noticed by the client (only 100 ms). • You can control the hashing speed easily by providing the log_rounds value, because it apply a loop of successive hashing by a maximum of 13 round. 12/18/2015 15
Recommendation 1. USE a slow hashing functions like Bcript 2. Create a new column in different (or same) database to store a different salt for each user. • The salt is randomly created when the user account is first created when the user changes their password. • Proposed Result: • Attacker face a slow hashing • Attacker can’t hack all password once, but one by one in the worst case. 12/18/2015 16
Recommendation 12/18/2015 17 Id_S1 Username $bcrypt_id$Log_rounds$128-bit- salt 184-bit-hash Id_S2 1 john@hotmail.c om $5b$12$aa61e4c9b93f3682250b6cf 2 2 betty@gmail.co m $cb$12$fdac6008f9cu4083784cb78u 1 …. …. ….. Id_S2 Different_salt 1 3r3erererwe3 2 effe4f34w3fg3 ….. …. Table Salt Table Advanced Salt DB 2 DB 1
?? @: Ahmad.Karawash@gmail.com 12/18/2015 18

More Related Content

DOCX
CCS354-NETWORK SECURITY-network-security notes
byKiruba buri R
 
PPT
Information security Lecture slides .ppt
byMuhammadAbdullah311866
 
PPTX
BackDoors Seminar
byChaitali Patel
 
PPT
Html JavaScript and CSS
byRadhe Krishna Rajan
 
PPTX
Information Security : Is it an Art or a Science
byPankaj Rane
 
PPT
Computer security
byUniv of Salamanca
 
PPTX
What is Asymmetric Encryption? Understand with Simple Examples
byCheapSSLsecurity
 
PPSX
Sessions and cookies
bywww.netgains.org
 
CCS354-NETWORK SECURITY-network-security notes
byKiruba buri R
 
Information security Lecture slides .ppt
byMuhammadAbdullah311866
 
BackDoors Seminar
byChaitali Patel
 
Html JavaScript and CSS
byRadhe Krishna Rajan
 
Information Security : Is it an Art or a Science
byPankaj Rane
 
Computer security
byUniv of Salamanca
 
What is Asymmetric Encryption? Understand with Simple Examples
byCheapSSLsecurity
 
Sessions and cookies
bywww.netgains.org
 

What's hot

ODP
An Introduction to Hashing and Salting
byRahul Singh
 
PPTX
Rainbow Tables
byPanggi Libersa
 
PPTX
Hash Function
byssuserdfb2da
 
PPTX
SHA-256.pptx
byJadhavSujeet
 
PPTX
What is merkle tree
byCeline George
 
PPTX
Encryption algorithms
bytrilokchandra prakash
 
PPTX
Hash Function
bySiddharth Srivastava
 
PPTX
Topic1 substitution transposition-techniques
byMdFazleRabbi18
 
PPTX
Secure Hash Algorithm (SHA 256) - Detailed Architecture
bySaravananPalani22
 
PPTX
Authentication(pswrd,token,certificate,biometric)
byAli Raw
 
PPTX
Symmetric and asymmetric key cryptography
byMONIRUL ISLAM
 
PPT
Policy formation and enforcement.ppt
byImXaib
 
PPTX
Block cipher modes of operation
byharshit chavda
 
PPT
Digital Signature Standard
bySou Jana
 
PPT
introduction to cryptography
byPriyamvada Singh
 
PPT
Introduction To PKI Technology
bySylvain Maret
 
PDF
A technical writing on cryptographic hash function md5
byKhulna University, Khulna, Bangladesh
 
PDF
Cs8792 cns - unit i
byArthyR3
 
PPT
Cryptography
byamiable_indian
 
PPTX
Secure Socket Layer (SSL)
bySamip jain
 
An Introduction to Hashing and Salting
byRahul Singh
 
Rainbow Tables
byPanggi Libersa
 
Hash Function
byssuserdfb2da
 
SHA-256.pptx
byJadhavSujeet
 
What is merkle tree
byCeline George
 
Encryption algorithms
bytrilokchandra prakash
 
Hash Function
bySiddharth Srivastava
 
Topic1 substitution transposition-techniques
byMdFazleRabbi18
 
Secure Hash Algorithm (SHA 256) - Detailed Architecture
bySaravananPalani22
 
Authentication(pswrd,token,certificate,biometric)
byAli Raw
 
Symmetric and asymmetric key cryptography
byMONIRUL ISLAM
 
Policy formation and enforcement.ppt
byImXaib
 
Block cipher modes of operation
byharshit chavda
 
Digital Signature Standard
bySou Jana
 
introduction to cryptography
byPriyamvada Singh
 
Introduction To PKI Technology
bySylvain Maret
 
A technical writing on cryptographic hash function md5
byKhulna University, Khulna, Bangladesh
 
Cs8792 cns - unit i
byArthyR3
 
Cryptography
byamiable_indian
 
Secure Socket Layer (SSL)
bySamip jain
 

Viewers also liked

PDF
Message queues
byAhmad karawash
 
PDF
Proper passwordhashing
byfangjiafu
 
PDF
Information system security wk4-2
byBee Lalita
 
ZIP
Hashing
bySri Prasanna
 
ODP
Disclosing password hashing policies
byMichal Špaček
 
PPT
Hashing
bygrahamwell
 
PPT
Ch17 Hashing
byleminhvuong
 
PPTX
Hashing Technique In Data Structures
bySHAKOOR AB
 
Message queues
byAhmad karawash
 
Proper passwordhashing
byfangjiafu
 
Information system security wk4-2
byBee Lalita
 
Hashing
bySri Prasanna
 
Disclosing password hashing policies
byMichal Špaček
 
Hashing
bygrahamwell
 
Ch17 Hashing
byleminhvuong
 
Hashing Technique In Data Structures
bySHAKOOR AB
 

Similar to Password hashing, salting, bycrpt

PDF
Passwords good badugly181212-2
byIftach Ian Amit
 
PDF
A Survey of Password Attacks and Safe Hashing Algorithms
byIRJET Journal
 
PPTX
Password Storage Sucks!
bynerdybeardo
 
PPT
Kieon secure passwords theory and practice 2011
byKieon
 
PPTX
Secure passwords-theory-and-practice
byAkash Mahajan
 
PDF
Password Storage And Attacking In PHP - PHP Argentina
byAnthony Ferrara
 
ODP
User Credential handling in Web Applications done right
bytladesignz
 
PDF
Password (in)security
byEnrico Zimuel
 
PDF
Password Storage and Attacking in PHP
byAnthony Ferrara
 
PPTX
Securing Passwords
byMandeep Singh
 
PDF
Protecting Your Clients' Privacy
byAijaz Ansari
 
PPTX
FYP1 Presentation
byfaeezfez
 
PPTX
A Recipe for Password Storage: Add Salt to Taste
byNick Malcolm
 
PDF
The slower the stronger a story of password hash migration
byOWASP
 
PPTX
Hashing Considerations In Web Applications
byIslam Heggo
 
PPTX
Storing passwords-honey words
bykandulasindhu
 
ODP
All Your Password Are Belong To Us
byCharles Southerland
 
PDF
JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...
byOrtus Solutions, Corp
 
PPTX
Techniques for password hashing and cracking
byNipun Joshi
 
PPTX
Password Storage Explained
byjeetendra mandal
 
Passwords good badugly181212-2
byIftach Ian Amit
 
A Survey of Password Attacks and Safe Hashing Algorithms
byIRJET Journal
 
Password Storage Sucks!
bynerdybeardo
 
Kieon secure passwords theory and practice 2011
byKieon
 
Secure passwords-theory-and-practice
byAkash Mahajan
 
Password Storage And Attacking In PHP - PHP Argentina
byAnthony Ferrara
 
User Credential handling in Web Applications done right
bytladesignz
 
Password (in)security
byEnrico Zimuel
 
Password Storage and Attacking in PHP
byAnthony Ferrara
 
Securing Passwords
byMandeep Singh
 
Protecting Your Clients' Privacy
byAijaz Ansari
 
FYP1 Presentation
byfaeezfez
 
A Recipe for Password Storage: Add Salt to Taste
byNick Malcolm
 
The slower the stronger a story of password hash migration
byOWASP
 
Hashing Considerations In Web Applications
byIslam Heggo
 
Storing passwords-honey words
bykandulasindhu
 
All Your Password Are Belong To Us
byCharles Southerland
 
JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...
byOrtus Solutions, Corp
 
Techniques for password hashing and cracking
byNipun Joshi
 
Password Storage Explained
byjeetendra mandal
 

More from Ahmad karawash

PDF
Introduction to-data-science
byAhmad karawash
 
PDF
How to understand your data
byAhmad karawash
 
PPTX
Cloud storage with AWS
byAhmad karawash
 
PDF
Build a custom metrics on aws cloud
byAhmad karawash
 
PDF
Brute Force Attack
byAhmad karawash
 
PPTX
Reasoning of database consistency through description logics
byAhmad karawash
 
Introduction to-data-science
byAhmad karawash
 
How to understand your data
byAhmad karawash
 
Cloud storage with AWS
byAhmad karawash
 
Build a custom metrics on aws cloud
byAhmad karawash
 
Brute Force Attack
byAhmad karawash
 
Reasoning of database consistency through description logics
byAhmad karawash
 

Recently uploaded

PDF
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PPTX
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
PPTX
Celonis Optimizing your future with process
bydevjeremyappleyard
 
PDF
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
The new book “Marketing in the Metaverse” spotlights Scott M. Graffius’ research
byScott M. Graffius
 
PDF
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PDF
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
PDF
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
PDF
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
PDF
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
PDF
Antminer S23Hyd-580_Manual-V1.1-oneminers.pdf
byFranzhLawrenceBataan1
 
PDF
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
PPTX
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
PPTX
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
Celonis Optimizing your future with process
bydevjeremyappleyard
 
final~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~.pdf
byomarbishtawi04
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
The new book “Marketing in the Metaverse” spotlights Scott M. Graffius’ research
byScott M. Graffius
 
The Manifesto for AI-enabled Governance !
byYannis Charalabidis
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
The Emergence of Empathic XR: AWE Asia 2026 keynote
byMark Billinghurst
 
GDG Cloud Southlake #49: Pradeep R Kumar: Implications of Agentic AI for Iden...
byJames Anderson
 
TrustArc Webinar - From Trends to Action: Fitting AI Governance into Privacy Ops
byTrustArc
 
Explaining the flow of purpose-specific BOM
byakipii ogaoga
 
Antminer S23Hyd-580_Manual-V1.1-oneminers.pdf
byFranzhLawrenceBataan1
 
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
Working Session — Build a Document Understanding Automation Using an OOTB ML ...
byDianaGray10
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 

Password hashing, salting, bycrpt

  • 1.
    Recommendation on Password Hashing, Salting,Bycrpt Ahmad Karawash PhD in Technology of Information, Book Editor, CCA, Latece, ACM & IEEE member 12/18/2015 1
  • 2.
    Overview • Introduction • Hashing •Fixed Salting • Per user Salting • Bcrypting • Recommendations 12/18/2015 2
  • 3.
    Introduction • The mostimportant aspect of a user account system is how user passwords are protected. • User account databases are hacked frequently, so you absolutely must do something to protect your users' passwords if your website is ever breached. • The best way to protect passwords is to employ salted password hashing. 12/18/2015 3
  • 4.
    Hashing • Hashing isthe transformation of a string of characters into a usually shorter fixed-length value or key that represents the original string. • Fast Hashing Algorithms: • Md5 • Sha1 • sha256 12/18/2015 4 Username sha1(password) john@hotmail.com 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 betty@gmail.com cbfdac6008f9cab4083784cbd1874f76618d2a97 …. …..
  • 5.
    How password hashingworks? • The user creates an account. • Their password is hashed and stored in the database. • When the user attempts to login, the hash of the password they entered is checked against the hash of their real password (retrieved from the database). • If the hashes match, the user is granted access. If not, the user is told they entered invalid login credentials. • Steps 3 and 4 repeat every time someone tries to login to their account. 12/18/2015 5
  • 6.
    Weakness: How passwordhashing is hacked? The simplest way to crack a hash is to try to guess the password, hashing each guess, and checking if the guess's hash equals the hash being cracked. The two most common ways of guessing passwords are • Dictionary Attacks • Brute Force Attacks • Lookup Tables • Reverse Lookup Tables • Rainbow Tables 12/18/2015 6
  • 7.
    Hashing result • Storinga simple hash is not secure -- if a hacker gains access to your database, they'll be able to figure out the majority of the passwords of the users. 12/18/2015 7
  • 8.
    1st Enhancement: AddingFixed Salt to fast hashing • Randomize the hashes by appending a random long string, called a salt, to the password before hashing. • If the hacker gains access to password hashes (but not the salt), it will make it much more difficult for the hacker to guess the passwords because they would also need to know the salt. 12/18/2015 8 Username sha1("salt123456789" + password) john@hotmail.com 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 betty@gmail.com cbfdac6008f9cab4083784cbd1874f76618d2a97 …. …..
  • 9.
    Weakness of fixedsalt • if the hacker has broken into your server, they probably also have access to your source code as well, so they'll learn the salt too. 12/18/2015 9
  • 10.
    2nd Enhancement: AddPer_User Salt to fast hashing • Create a new column in the database and store a different salt for each user. The salt is randomly created when the user account is first created when the user changes their password. 12/18/2015 10 Username sha1("salt" + password) salt john@hotmail.com 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 3r3erererwe3 betty@gmail.com cbfdac6008f9cab4083784cbd1874f76618d2a97 effe4f34w3fg3 …. ….. …..
  • 11.
    Benefit of Per_Usersalt • The hacker can't attack all of your user's passwords at the same time • So basically, if you have 1 million users, having a per-user-salt makes it 1 million times harder to figure out the passwords of all your users. • But this still isn't impossible for a hacker to do. Instead of 1 cpu-hour, now they need 1 million cpu-hours, which can easily be rented from Amazon for about $40,000. 12/18/2015 11
  • 12.
    3rd enhancement: USEBcrypt OR PBKDF2 for Slow HAshing • Bcrypt is a cross platform file encryption utility. • It takes about 100ms to compute, which is about 10,000x slower than sha1(). 100ms is fast enough that the user won't notice when they log in, but slow enough that it becomes less feasible to execute against a long list of likely passwords. • For instance, if a hacker wants to compute bcrypt() against a list of a billion likely passwords, it will take about 30,000 cpu-hours (in AWS about $1200) -- and that's for a single password. 12/18/2015 12
  • 13.
    benefits • Besides incorporatinga salt to protect against rainbow table attacks, Bcrypt & PBKDF2 is an adaptive function: over time, the iteration count can be increased to make it slower, so it remains resistant to brute-force search attacks even with increasing computation power. 12/18/2015 13 Username $bcrypt_id$Log_rounds$128-bit-salt 184-bit-hash john@hotmail.com $2a$12$ffdfd5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 betty@gmail.com $3d$12$cbfdac6008f9cab4083784cbd1874f76618d2a97ffdfr …. …..
  • 14.
    Recommendation • Don’t useany of these Fast Hashing Algorithms: • Md5 • Sha1 • sha256 • Also, the web is full of bad recommendation about using these hashing functions. 12/18/2015 14
  • 15.
    Recommendation • Bcrypt orPBKDF2 are better even if they are slower. • Slower does not means it will be noticed by the client (only 100 ms). • You can control the hashing speed easily by providing the log_rounds value, because it apply a loop of successive hashing by a maximum of 13 round. 12/18/2015 15
  • 16.
    Recommendation 1. USE aslow hashing functions like Bcript 2. Create a new column in different (or same) database to store a different salt for each user. • The salt is randomly created when the user account is first created when the user changes their password. • Proposed Result: • Attacker face a slow hashing • Attacker can’t hack all password once, but one by one in the worst case. 12/18/2015 16
  • 17.
    Recommendation 12/18/2015 17 Id_S1 Username$bcrypt_id$Log_rounds$128-bit- salt 184-bit-hash Id_S2 1 john@hotmail.c om $5b$12$aa61e4c9b93f3682250b6cf 2 2 betty@gmail.co m $cb$12$fdac6008f9cu4083784cb78u 1 …. …. ….. Id_S2 Different_salt 1 3r3erererwe3 2 effe4f34w3fg3 ….. …. Table Salt Table Advanced Salt DB 2 DB 1
  • 18.