Use of Hashing in Password Security
What is Hashing?
Hashing is a technique of converting any given key i.e. raw data into another fixed-sized value. It is done by a using a hash function which is a mathematical algorithm. The result of this hash function is called a hash value or just hash.
Cryptography
Cryptography is the practice of protecting information and securely communicating it with others. This is done by transforming the data into a form that is incomprehensible to third parties. The art of cryptography has been in use since ancient times. During the world wars, cryptography became a great asset for militaries to exchange secret information. In today’s world of the internet and big data, the role of cryptography is tremendous.
Cryptographic and Non-Cryptographic Hash Functions
Every cryptographic hash function is a hash function, but the other way is not true. The typical features of hash functions are fixed size output and efficiency of operation. Also, they return the same hash for the same input and are very fast in their computation. The properties of a cryptographic hash function are as follows:
1. It is a one-way function which means it’s a function that only works in one direction. To generate an input back from its hash value is not possible.
2. When the input is changed even for a very tiny change, the hash should change enormously such that the new hash is totally unrelated with the old one. This is called the avalanche effect.
3. Two different inputs having the same hash is very unreal. This is called the quality of collision resistance.
4. It should also resist pre-image attacks which are performed to find an input that has a specific hash.
Non cryptographic functions don’t guarantee security in exchange for performance boosts. Cryptographic hash functions are more focused towards security.
Password Security
In today’s times, with the massive increase in the use of the internet, password security has become a big concern for the entire tech community. We hear about hacking incidents and attempts being done all over the world every day. To avoid such practices and to protect users’ data, companies use various types of algorithms to securely store passwords.
Hashing versus Encryption
Many times, the words ‘hashing’ and ‘encryption’ are used in a similar context. However, they are very different from each other. Hashing is a one-way cryptographic function whereas encryption is intended to work two ways. Encryption algorithms take input and a secret key. They encrypt the input data and produce an odd looking output which is known as ciphertext. With the security key, the encrypted data can be restored to its original state. Decryption is the term for this procedure.
For storing passwords, hashing them is considered to be the most secure way as it is one way process. Even if attackers manage to breach the database, it’s very difficult for them to crack the passwords from the hash values.
How Password Hashing works
Many of the internet platforms today have user account authentication systems. When a new user signs up for an account, he/ she is asked to create a password. This password entered by the user is then passed into a hashing function by the application code and the output i.e., the hash value is stored into the database. When the user wants to sign in, he/ she is asked to enter the password. Then the entered password is again passed into the hashing function and the result is compared with the one stored in the database. If the hashes match, the user is signed in.
For password recovery, the user’s identity is validated by sending them a recovery email at the address which they provided while creating the account. The recovery email consists of a link to reset the password which redirects the user to the reset password page of the platform. The user is asked to create a new password which results in a new hash. Actual passwords are never stored into the database for security purposes. Therefore, users are never provided with their old passwords. Rather, they are asked to create a new one each time.
Salt and Pepper
Salt is a string of randomly produced string of characters. Its size is usually 16 or 32 bytes. Before delivering the raw password to a cryptographic hash function, it is added to it. Each user’s salt is unique. So even if two or more users have the same password, salts will be different for them resulting in different hashes. This prevents hackers from discovering same passwords and thereby increases security.
For additional security, Pepper is added along with salt. Like salt, pepper is also a randomly generated string. According to NIST (National Institute of Standards and Technology), pepper should have a size of at least 112 bits. Unlike salts, which are stored along with hashes in the same database, pepper is stored at a different location to keep it safe in case of database breaches.
Popular Hashing Algorithms
MD5
MD5 (MD stands for message-digest) algorithm is a popular hash function that produces a 128-bit hash value. It was developed by Ronald Rivest in 1991 as the fifth function in the message-digest hashing algorithms family. It was intended to serve as a cryptographic hash function. However, in 2013, it was deprecated after failing to an attack which broke its collision resistance in 2⁸ time, which is an essential property of a cryptographic hash function. This kind of attack runs in less than 1 second on a regular computer. Therefore, it is no longer recommended to use.
Secure Hash Algorithms
The Secure Hash Algorithms are a family of cryptographic hash functions designed by the National Security Agency (NSA) which also includes the widely used SHA-256 algorithm. The SHA-0 and SHA-1 which were first published in the years 1993 and 1995 respectively are both deprecated.
SHA-2 is a family of two similar cryptographic hash functions, known as SHA-256 and SHA-512 which was first published in the early 2000s. SHA-256 uses 32-byte words whereas SHA-512 uses 64-byte words. There are also other versions namely SHA-224, SHA-384, SHA-512/224 and SHA-512/256 which were added later as part of the same family. SHA-2 is a much more complicated algorithm than SHA-1 and is still considered safe. However, SHA-2 derives its structure and mathematical operations from SHA-1. In the near future, SHA-2 may get deprecated.
SHA-3 is another cryptographic hash function which was added to the Secure Hash Algorithm family of standards in 2015. It’s the safest hashing algorithm as of now.
A Simple Demonstration of using SHA-256
In Visual Studio Code editor, we can easily try out hashing a string in JavaScript with SHA-256 algorithm by following the steps below.
Step 1: Install the js-sha256 module by writing this command in the terminal.
Step 2: require this module in a JavaScript file.
Step 3: Pass a string in the function and store it in a variable.
Step 4: Print the variable.
Step 5: Save the file with a suitable filename. To run it, write the command ‘node (filename).js’.
The output i.e. the hash value should appear in the terminal.
bcrypt
bcrypt is yet another widely used password-hashing function that was designed by Niels Provos and David Mazières in the year 1999. bcrypt is aimed to be slow. It is an adaptive function in which the iteration count can be increased to make it slower. This excess time won’t be detected by a user but makes it more difficult to hack the password. Also, bcrypt requires a salt by default which makes it very efficient against rainbow table attacks which involves the use of pre-computed hash values for most of the possible passwords.
Conclusion
We can clearly see that Hashing has a very big and important role in password security. Other than password security, hashing is utilised in a variety of domains, including computer language implementation, file systems, pattern search, distributed key-value storage, blockchain, and so on.
Contributors
Swadesh Kelkar
Yuvraj Kathar
Akshay Khare
Rohan Kulkarni
Ankush Mahapatra