04 Protecting Users Passwords
IT-WS05
College of Information and Communications Technology
Angelito I. Cunanan Jr., MSIT
Users use passwords to protect their credentials against hackers. Password protection is
one of the most common data security tools available to users, but it is easily
bypassed if passwords are not created with hackers in mind.
Passwords are one of the first lines of defense against unauthorized access to accounts
(especially online), devices and files. Strong passwords help protect data from bad actors
and malicious software. The stronger the password, the better protected the information
will be. But what if your web application stores them incorrectly? The figure below shows an
example of storing passwords in plain text: they are immediately readable by any
human or machine that gains access to your database.
In this lesson we will discuss the difference between encryption and hashing algorithms,
why it matters, and how we can implement them in our web application.
What is Encryption?
Encryption is the practice of scrambling information in a way that only someone with a
corresponding key can unscramble and read it. Encryption is a two-way function. When
you encrypt something, you’re doing so with the intention of decrypting it later.
To encrypt data, you use something called a cipher, which is an algorithm – a series of
well-defined steps that can be followed procedurally – to encrypt and decrypt
information. The algorithm can also be called the encryption key.
As stated, encryption is a two-way function. You encrypt information with the intention of
decrypting it later. So, correspondence with someone online, protecting your cloud data
or transmitting financial data are all examples of times when encryption is appropriate.
What is Hashing?
Hashing is the practice of using an algorithm to map data of any size to a fixed length.
The result is called a hash value (or sometimes hash code, hash sum or even hash digest
if you're feeling fancy). Whereas encryption is a two-way function, hashing is a one-way
function. While it is technically possible to reverse a hash, the computing power
required makes it unfeasible. Hashing is one-way.
MD5 (Message Digest Method 5) is a cryptographic hash algorithm used to generate a 128-bit
digest from a string of any length. It represents the digest as a 32-digit hexadecimal number.
Ronald Rivest designed this algorithm in 1991 to provide the means for digital signature
verification.
[CODE and OUTPUT screenshots not included in this text copy]
SHA-1 (Secure Hash Algorithm 1). From RFC 3174, The US Secure Hash Algorithm 1: "SHA-1
produces a 160-bit output called a message digest. The message digest can then, for
example, be input to a signature algorithm which generates or verifies the signature for
the message."
[CODE and OUTPUT screenshots not included in this text copy]
SHA-256 (Secure Hash Algorithm 256-bit) is used for cryptographic security.
Cryptographic hash algorithms produce irreversible and unique hashes. The larger the
number of possible hashes, the smaller the chance that two values will create the same
hash.
[CODE and OUTPUT screenshots not included in this text copy]
Notice that we changed the function from md5() or sha1() to hash(). The hash() function takes 2
important parameters: algo (the algorithm name) and the string you want to hash.
hash('algo', $yourPassword);
List of supported algorithms:
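The three functions above side by side, as an added example written for this lesson (it is not one of the lesson's screenshots). The password value is a constructed sample, and the last line prints the list of algorithm names that hash() accepts on the PHP build running the script, which is what the list heading above refers to.

```php
<?php
// Added example, not from the lesson's screenshots: md5(), sha1() and hash()
// compared side by side. The password value is constructed for illustration.
declare(strict_types=1);

$password = 'user123'; // constructed sample input, not a real credential

// md5() and sha1() are dedicated helpers; hash() takes the algorithm name.
$digests = [
    'md5'    => md5($password),             // 128-bit digest, 32 hex chars
    'sha1'   => sha1($password),            // 160-bit digest, 40 hex chars
    'sha256' => hash('sha256', $password),  // 256-bit digest, 64 hex chars
];

foreach ($digests as $algo => $digest) {
    printf("%-7s %3d hex chars  %s\n", $algo, strlen($digest), $digest);
}

// hash() with the same algorithm name gives the same result as the dedicated
// helper, so md5() and sha1() are just shorthands for hash('md5') and hash('sha1').
var_dump(hash('md5', $password) === md5($password));
var_dump(hash('sha1', $password) === sha1($password));

// Determinism is exactly what makes lookup tables work: the same input always
// yields the same digest, on every machine, with no secret involved.
var_dump(hash('sha256', $password) === hash('sha256', 'user123'));

// The algorithm names hash() accepts on this PHP build:
echo implode(', ', hash_algos()), "\n";
```

Run it with `php hashes.php` (any file name). The three var_dump() lines all print bool(true); the last of them is the property the NOTE below is about: because the digest depends only on the input, anyone who has precomputed the digest of "user123" can recognise it in your database.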
NOTE!!! Hashing algorithms such as MD5, SHA1 and SHA256 are designed to be very fast
and efficient. With modern techniques and computer equipment, it has become trivial
to "brute force" the output of these algorithms to determine the original input. Because
of how quickly a modern computer can "reverse" these hashing algorithms, many
security professionals strongly advise against their use for password hashing.
Crackstation's lookup tables were created by extracting every word from the Wikipedia
databases and adding every password list they could find. They also applied
intelligent word mangling (brute force hybrid) to their wordlists to make them much more
effective. For MD5 and SHA1 hashes, they have a 190GB, 15-billion-entry lookup table, and
for other hashes, they have a 19GB, 1.5-billion-entry lookup table. https://crackstation.net/
What is a salt?
A cryptographic salt is data which is applied during the hashing process to eliminate the
possibility of the output being looked up in a list of pre-calculated pairs of hashes and
their input, known as a rainbow table.
In simpler terms, a salt is a bit of additional data that makes your hashes
significantly more difficult to crack. Several online services (e.g. crackstation.net) provide
extensive lists of pre-computed hashes together with the original input for
those hashes. Using a salt makes it implausible or impossible to find the resulting
hash in one of these lists.
[CODE and OUTPUT screenshots not included in this text copy]
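A per-user random salt with hash(), as an added example written for this lesson rather than its screenshot. The usernames and password are constructed sample values; the helper names makeSalt(), saltedHash() and checkSaltedHash() are this example's own.

```php
<?php
// Added example, not the lesson's screenshot: a per-user random salt with
// hash(). Usernames and password below are constructed sample values.
declare(strict_types=1);

// Fresh salt from the CSPRNG; 16 random bytes = 32 hex characters.
function makeSalt(): string
{
    return bin2hex(random_bytes(16));
}

// Salted digest: the salt is prepended, so two users with the same password
// do not share a digest and a table precomputed for plain sha256 is useless.
function saltedHash(string $password, string $salt): string
{
    return hash('sha256', $salt . $password);
}

// Verification recomputes the digest with the stored salt and compares it in
// constant time with hash_equals() rather than with ==.
function checkSaltedHash(string $password, string $salt, string $storedHash): bool
{
    return hash_equals($storedHash, saltedHash($password, $salt));
}

$password = 'user123'; // constructed sample input

// Two accounts choosing the same password get different salts...
$alice = ['salt' => makeSalt()];
$bob   = ['salt' => makeSalt()];
$alice['hash'] = saltedHash($password, $alice['salt']);
$bob['hash']   = saltedHash($password, $bob['salt']);

// ...and therefore different stored digests, although plain sha256 of the
// password is identical for both of them.
printf("unsalted, both users: %s\n", hash('sha256', $password));
printf("alice: salt=%s hash=%s\n", $alice['salt'], $alice['hash']);
printf("bob:   salt=%s hash=%s\n", $bob['salt'], $bob['hash']);
var_dump($alice['hash'] !== $bob['hash']);

// The salt is stored next to the hash; it is not secret, it only has to be unique.
var_dump(checkSaltedHash('user123', $alice['salt'], $alice['hash']));
var_dump(checkSaltedHash('wrong',   $alice['salt'], $alice['hash']));
```

The salt is stored in its own column beside the hash and read back at log-in time. Note what the salt does and does not fix: it defeats lookup tables, but sha256 is still a fast function, so an attacker who obtains the salt and hash can still try guesses at full speed against that one user. That is why the next section moves to password_hash(), whose algorithms are deliberately slow.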
A much better way to hash your password in PHP is to use password_hash(). It creates
a random salt if one isn't provided, and this is generally the easiest and most secure
approach.
password_hash($yourPassword, ALGORITHM);
Supported Algorithms:
PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this
constant is designed to change over time as new and stronger algorithms are added to
PHP. For that reason, the length of the result from using this identifier can change over
time. Therefore, it is recommended to store the result in a database column that can
expand beyond 60 characters (255 characters would be a good choice).
PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will
produce a standard crypt() compatible hash using the "$2y$" identifier. The result will
always be a 60-character string, or false on failure.
PASSWORD_ARGON2I - Use the Argon2i hashing algorithm to create the hash. This
algorithm is only available if PHP has been compiled with Argon2 support.
PASSWORD_ARGON2ID - Use the Argon2id hashing algorithm to create the hash. This
algorithm is only available if PHP has been compiled with Argon2 support.
[CODE and OUTPUT screenshots not included in this text copy]
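The four algorithm constants above in use, as an added example written for this lesson (not its screenshot). The password is a constructed sample; the cost value and the guard around PASSWORD_ARGON2ID are this example's choices.

```php
<?php
// Added example, not from the lesson: storing a password with password_hash().
// The password value is constructed for illustration.
declare(strict_types=1);

$password = 'user123'; // constructed sample input

// PASSWORD_DEFAULT: currently bcrypt. The prefix and length may change in
// future PHP versions, hence the advice to use a 255-character column.
$hash = password_hash($password, PASSWORD_DEFAULT);
printf("default:  %d chars  %s\n", strlen($hash), $hash);

// PASSWORD_BCRYPT with an explicit cost: 2^cost rounds, so cost 12 is four
// times slower than the default of 10. Always 60 characters, "$2y$" prefix.
$bcrypt = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
printf("bcrypt:   %d chars  %s\n", strlen($bcrypt), $bcrypt);
var_dump(substr($bcrypt, 0, 7) === '$2y$12$');

// Argon2id only exists when PHP was built with Argon2 support, so guard it
// instead of assuming the constant is defined.
if (defined('PASSWORD_ARGON2ID')) {
    $argon = password_hash($password, PASSWORD_ARGON2ID);
    printf("argon2id: %d chars  %s\n", strlen($argon), $argon);
} else {
    echo "argon2id: not available in this PHP build\n";
}

// Every call salts itself: hashing the same password twice gives two
// different strings, which is why you never compare hashes with ==.
var_dump(password_hash($password, PASSWORD_DEFAULT) !== $hash);

// password_get_info() reports which algorithm and options a stored hash used.
print_r(password_get_info($bcrypt));
```

Only the string password_hash() returns is written to the database; the salt and cost are embedded in it, so no separate salt column is needed. Store it in a VARCHAR(255) column, as the PASSWORD_DEFAULT description above recommends.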
De-hashing Password
PHP's password_hash() is designed to be as safe as possible: even the developer of the web
application should not be able to read other users' passwords. What we can do, once
the hashed password is stored, is check whether the password a user enters is
correct or incorrect using password_verify().
The password_verify function returns a Boolean: true (shown as 1 when printed) if the password
matches the hash, and false (0) if not.
password_verify($yourEnteredPassword, $hashedPassword);
Example:
Let's assume that my password is user123 and that, after hashing, it is stored in the database as
gibberish text ($2y$10$tKm9.NmlvfQColKtZQ3Bu.NAVC2.9qQnDQEQWd3Kp25CGI2mDmskO). Using the
"Log-in" form, we will verify whether the password the user enters matches the password
stored in the database.
[CODE and OUTPUT screenshots not included in this text copy]
In the output above, 1 indicates that the password (from $_POST['myPassword']) matches
the assumed password stored in the database. We can use this result to tell the user
whether they entered a correct or incorrect password.
[CODE and OUTPUT screenshots not included in this text copy]
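The complete log-in check, covering both the raw password_verify() result shown above and the user-facing message, as an added example written for this lesson rather than its screenshots. The users "table" is an in-memory array whose hash is generated at start-up so the script runs on its own, the $post array stands in for the real $_POST of the "Log-in" form, and the helper names login() and rehashIfNeeded() are this example's own.

```php
<?php
// Added example, not the lesson's screenshot: the log-in check with
// password_verify(). The "database" is an in-memory array and the submitted
// form values are constructed below in place of a real $_POST.
declare(strict_types=1);

// Simulated users table: the column holds what password_hash() returned at
// registration time (generated here so the example is self-contained).
$users = [
    'alice' => ['password_hash' => password_hash('user123', PASSWORD_DEFAULT)],
];

// The whole log-in decision: look the user up, verify, and report one generic
// message for both "no such user" and "wrong password".
function login(array $users, string $username, string $password): string
{
    // A throwaway hash, computed once, to verify against when the username is
    // unknown, so the response time does not reveal which usernames exist.
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);

    $row = $users[$username] ?? null;
    $storedHash = $row['password_hash'] ?? $dummyHash;
    if ($row === null || !password_verify($password, $storedHash)) {
        return 'Incorrect username or password.';
    }
    return 'Welcome, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '!';
}

// After a successful login: returns a new hash if the stored one was made with
// weaker settings than the current PASSWORD_DEFAULT, so it can be written back.
function rehashIfNeeded(string $password, string $storedHash): ?string
{
    return password_needs_rehash($storedHash, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
}

// Constructed stand-in for $_POST from the "Log-in" form.
$post = ['myUsername' => 'alice', 'myPassword' => 'user123'];

// The raw Boolean the lesson's output shows as 1 (true) or nothing/0 (false).
var_dump(password_verify($post['myPassword'], $users['alice']['password_hash']));

echo login($users, $post['myUsername'], $post['myPassword']), "\n";
echo login($users, $post['myUsername'], 'wrong-password'), "\n";
echo login($users, 'nobody', 'user123'), "\n";

$upgraded = rehashIfNeeded($post['myPassword'], $users['alice']['password_hash']);
echo $upgraded === null ? "hash is current\n" : "hash upgraded: $upgraded\n";
```

Two details matter for a real form. The message is the same whether the username or the password was wrong, so the log-in page does not confirm which accounts exist, and the check is done with password_verify() rather than by hashing the input and comparing strings, because each hash carries its own salt and cost. In a real application, replace the array with a SELECT of the password_hash column for the submitted username, and UPDATE that column whenever rehashIfNeeded() returns a new value.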
CLICK OR COPY ONE OF THE LINKS, THEN ANSWER THE ASSESSMENT:
https://forms.gle/ywju3cdQ4vCP9G5T8
https://docs.google.com/forms/d/e/1FAIpQLSfiyv-xAZoKe-cN1HnXpAso1lsQ1LPvGQQFiwBE89MkkvrZ0w/viewform
References
https://www.simplilearn.com/tutorials/cyber-security-tutorial/md5-algorithm#:~:text=MD5%20(Message%20Digest%20Method%205,means%20for%20digital%20signature%20verification.
https://www.w3schools.com/php/func_string_sha1.asp#:~:text=The%20sha1()%20function%20uses,the%20signature%20for%20the%20message.
https://support.google.com/google-ads/answer/9004655?hl=en#:~:text=SHA%2D256%20stands%20for%20Secure,will%20create%20the%20same%20hash.
https://www.cloudways.com/blog/php-password-encryption/#encryption-is-important
https://stackoverflow.com/questions/9262109/simplest-two-way-encryption-using-php
https://www.php.net/manual/en/function.md5
https://www.php.net/manual/en/faq.passwords.php#faq.passwords.fasthash
https://www.thesslstore.com/blog/difference-encryption-hashing-salting/#:~:text=Encryption%20is%20a%20two%2Dway%20function%20where%20information%20is%20scrambled,is%20primarily%20used%20for%20authentication.
https://www.microsoft.com/en-us/security/business/security-101/what-is-password-protection
https://www.beaming.co.uk/knowledge-base/how-to-protect-passwords-with-php/
https://www.php.net/manual/en/faq.passwords.php#faq.passwords.hashing
https://www.passcamp.com/blog/dangers-of-storing-and-sharing-passwords-in-plaintext/
https://crackstation.net/
https://www.php.net/manual/en/function.password-hash.php
https://www.youtube.com/watch?v=Qq96ZgiY1dY