
04 Protecting Users Passwords


WEB SECURITY

IT-WS05
College of Information and Communications Technology
Angelito I. Cunanan Jr., MSIT

Lesson 4: Protecting User’s Passwords


Introduction

Users rely on passwords to protect their accounts against attackers. Password protection is
one of the most common data-security controls available to users, but it is easily defeated
when passwords are chosen, or stored, without attackers in mind.

Passwords are one of the first lines of defense against unauthorized access to accounts
(especially online), devices and files. Strong passwords help protect data from bad actors
and malicious software: the stronger the password, the harder it is to guess. But what if
your web application stores them incorrectly? The figure below shows passwords stored in
plain text. Anyone, human or program, who gains access to the database can read every
password directly.

In this lesson we will discuss the difference between encryption and hashing, why the
distinction matters for password storage, and how to implement password hashing in a PHP
web application.

What is Encryption?

Encryption is the practice of scrambling information so that only someone holding the
corresponding key can unscramble and read it. Encryption is a two-way function: when
you encrypt something, you do so with the intention of decrypting it later.
To encrypt data you use a cipher, which is an algorithm (a series of well-defined steps
that can be followed procedurally) that, combined with a key, turns plaintext into
ciphertext and back again. The algorithm and the key are different things: the
algorithm is public (AES, for example), and only the key must be kept secret.

When should encryption be used?

As stated, encryption is a two-way function: you encrypt information with the intention of
decrypting it later. Correspondence with someone online, protecting your data in the cloud,
or transmitting financial details are all examples of situations where encryption is
appropriate. Stored passwords are not: if your application can decrypt a stored password,
then anyone who steals the database together with the key can decrypt it too, and the
application never needs the original password back. It only needs a way to check whether a
login attempt matches. That is what hashing is for.

What is a Hashing Algorithm?

Hashing is the practice of using an algorithm to map data of any size to a fixed-length value.
This value is called a hash value (or hash code, hash sum, or, if you are feeling fancy, a
message digest). Whereas encryption is a two-way function, hashing is a one-way function:
there is no key and nothing to "decrypt". The only way to get from a digest back to an input
is to guess candidate inputs, hash each one and compare, which is why every attack discussed
later in this lesson is a guessing attack.

Common Hashing Algorithms

MD5 (Message Digest Algorithm 5) is a cryptographic hash algorithm that produces a 128-bit
digest from input of any length, conventionally written as a 32-digit hexadecimal number.
Ronald Rivest designed it in 1991, originally for use in digital signature verification. MD5 is
now considered broken: practical collisions (two different inputs with the same digest) have
been known since 2004, so it must not be used where collision resistance matters and, as
explained below, it is far too fast to be used for passwords.
CODE

OUTPUT

SHA-1 (Secure Hash Algorithm 1). From RFC 3174, The US Secure Hash Algorithm 1: "SHA-1
produces a 160-bit output called a message digest. The message digest can then, for
example, be input to a signature algorithm which generates or verifies the signature for
the message." Like MD5, SHA-1 is deprecated: a practical collision was demonstrated in 2017
(the SHAttered attack), and it is equally unsuitable for password storage.
CODE

OUTPUT

SHA-256 (Secure Hash Algorithm, 256-bit) is a member of the SHA-2 family and is still
considered cryptographically secure. Cryptographic hash algorithms are designed to be
irreversible and collision-resistant: the larger the output space (2^256 possible digests for
SHA-256), the smaller the chance that two different inputs produce the same digest. Note
that "secure" here means secure as a general-purpose hash; on its own SHA-256 is still a poor
choice for passwords, for the speed reasons discussed below.

CODE

OUTPUT

Notice that we changed the function from md5() or sha1() to hash(). hash() takes two
required parameters: algo (the algorithm name) and the data you want to hash. It returns
the digest as lowercase hexadecimal unless you pass true as a third argument, in which case
you get the raw bytes.

hash('algo', $yourPassword);
List of supported algorithms (as printed in the lesson; this is an old, partial list and your
PHP build will usually have more, such as sha3-256 and sha512/256. Call hash_algos() to see
exactly what is available):

1. md2
2. md4
3. md5
4. sha1
5. sha256
6. sha384
7. sha512
8. ripemd128
9. ripemd160
10. ripemd256
11. ripemd320
12. whirlpool
13. tiger128,3
14. tiger160,3
15. tiger192,3
16. tiger128,4
17. tiger160,4
18. tiger192,4
19. snefru
20. gost
21. adler32
22. crc32
23. crc32b
24. haval128,3
25. haval160,3
26. haval192,3
27. haval224,3
28. haval256,3
29. haval128,4
30. haval160,4
31. haval192,4
32. haval224,4
33. haval256,4
34. haval128,5
35. haval160,5
36. haval192,5
37. haval224,5
38. haval256,5

Be aware that adler32, crc32 and crc32b are checksums for detecting accidental corruption,
not cryptographic hashes, and that md2, md4, md5 and sha1 are all considered broken. None of
them belongs anywhere near a password.
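As an added example (my code, not from the lesson), the PHP script below exercises the three properties the text has described so far through the single hash() interface: fixed output length regardless of input size, the avalanche effect (a one-character change flips about half of the output bits, which is why a digest reveals nothing about its input), and the raw speed that makes these digests unsuitable for passwords. The candidate strings and the guess count are constructed for the demo, the helper names are mine, and it assumes PHP 7.4 or later.

```php
<?php
// Added example: properties of fast digests (md5, sha1, sha256) via hash().
// Sample inputs are constructed for the demonstration.
declare(strict_types=1);

/** Hex digest plus its bit length; refuses names hash_algos() does not list. */
function digestInfo(string $algo, string $input): array
{
    if (!in_array($algo, hash_algos(), true)) {
        throw new InvalidArgumentException("Unsupported algorithm: $algo");
    }
    $hex = hash($algo, $input);
    return ['algo' => $algo, 'hex' => $hex, 'bits' => strlen($hex) * 4];
}

/** Number of differing bits between two hex digests of the same algorithm. */
function hammingDistance(string $hexA, string $hexB): int
{
    $xor  = hex2bin($hexA) ^ hex2bin($hexB);   // string XOR, byte by byte
    $bits = 0;
    for ($i = 0, $n = strlen($xor); $i < $n; $i++) {
        $bits += substr_count(decbin(ord($xor[$i])), '1');
    }
    return $bits;
}

/** Candidate passwords a single PHP process can test per second. */
function guessesPerSecond(string $algo, int $n = 200000): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $n; $i++) {
        hash($algo, 'candidate' . $i);
    }
    return $n / ((hrtime(true) - $start) / 1e9);
}

// Constructed inputs: a short password, a one-character variant, and 10 kB of data.
$inputs = ['user123', 'user124', str_repeat('x', 10_000)];

foreach (['md5', 'sha1', 'sha256'] as $algo) {
    foreach ($inputs as $in) {
        $d = digestInfo($algo, $in);
        printf("%-6s %3d-bit  input=%5d bytes  %s\n", $d['algo'], $d['bits'], strlen($in), $d['hex']);
    }
    $bits    = digestInfo($algo, 'user123')['bits'];
    $flipped = hammingDistance(hash($algo, 'user123'), hash($algo, 'user124'));
    printf("%-6s user123 -> user124 flips %d of %d bits\n", $algo, $flipped, $bits);
    printf("%-6s ~%.0f guesses/second in plain PHP (a GPU does billions)\n\n", $algo, guessesPerSecond($algo));
}
```

Run it with `php digests.php`. The 10 kB input produces a digest exactly as long as the 7-byte one, the flipped-bit count sits near half of the digest width for every algorithm, and the guess rate is the number to keep in mind when reading the NOTE that follows: a scripting language already manages millions of guesses per second, and dedicated cracking hardware is orders of magnitude faster.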

NOTE!!! Hashing algorithms such as MD5, SHA-1 and SHA-256 are designed to be very fast
and efficient. That is a virtue for checksums and signatures and a fatal flaw for passwords:
with modern GPUs an attacker can test billions of candidate passwords per second against
a stolen digest. Nobody "reverses" the hash; they simply guess until a guess hashes to the
same value. Because of how quickly that happens, security professionals strongly advise
against using these algorithms for password hashing.

CrackStation is one of many websites and tools capable of recovering the input behind a
password hash. It uses massive pre-computed lookup tables to crack password hashes.
These tables store a map between the hash of a password and the correct password for
that hash. The hash values are indexed so that it is possible to quickly search the
database for a given hash. If the hash is present in the database, the password can be
recovered in a fraction of a second. This only works for "unsalted" hashes.

CrackStation's lookup tables were created by extracting every word from the Wikipedia
databases and adding every password list they could find. They also applied
intelligent word mangling (brute-force hybrid rules) to their wordlists to make them much
more effective. For MD5 and SHA-1 hashes they have a 190 GB, 15-billion-entry lookup table,
and for other hashes a 19 GB, 1.5-billion-entry lookup table. https://crackstation.net/

What is a salt?

A cryptographic salt is extra data mixed into the input during hashing so that the output
cannot be looked up in a list of pre-calculated pairs of hashes and their inputs (a lookup
table or rainbow table).
In simpler terms, a salt is a bit of additional data which makes your hashes significantly
more expensive to crack. Several online services (crackstation.net among them) provide
extensive lists of pre-computed hashes together with their original inputs. Because the
attacker's table was built without your salt, a salted hash will not be found in it. To get
this benefit the salt must be random and unique per password; it is stored alongside the
hash and does not need to be secret. Keep in mind what a salt does not do: it only removes
precomputation. If the underlying hash is a fast one such as SHA-256, an attacker who has
the salt can still brute-force that one user at billions of guesses per second, which is why
the next section moves to a deliberately slow password hash.

CODE

OUTPUT

DE-HASHING PASSWORD IN CRACKSTATION.NET (WITHOUT SALT)


DE-HASHING PASSWORD IN CRACKSTATION.NET (WITH SALT)
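To make the CrackStation discussion and the two screenshots above concrete, here is an added PHP example (my code, not the lesson's) that builds a miniature lookup table from a constructed wordlist with a few mangling rules, then tries it against an unsalted SHA-256 hash and against a hash salted the way the salt code above does it, hash(salt . password). It also shows the caveat from the salt section: once the attacker has the salt, a per-user brute force still works, it just cannot be precomputed. Every name, word and "leaked" hash here is constructed.

```php
<?php
// Added example: a tiny CrackStation-style lookup table versus salted hashes.
// Wordlist, victims and "leaked" hashes are all constructed for the demo.
declare(strict_types=1);

/** Precompute hash => plaintext for every candidate and a few mangled variants. */
function buildLookupTable(string $algo, array $wordlist): array
{
    $table = [];
    foreach ($wordlist as $word) {
        $variants = [$word, $word . '123', ucfirst($word), $word . '!', strrev($word)];
        foreach ($variants as $candidate) {
            $table[hash($algo, $candidate)] = $candidate;
        }
    }
    return $table;                // built once, reused against every leak
}

/** Attack time: one array lookup, no hashing at all. */
function lookup(array $table, string $leakedHash): ?string
{
    return $table[$leakedHash] ?? null;
}

/** Naive salting, as in the lesson's salt example: hash(salt . password). */
function saltedHash(string $algo, string $salt, string $password): string
{
    return hash($algo, $salt . $password);
}

/** Per-user brute force: rehash each candidate with THIS user's salt. */
function bruteForceSalted(array $table, string $algo, string $salt, string $leakedHash): array
{
    $guesses = 0;
    foreach ($table as $candidate) {           // values are the plaintext candidates
        $guesses++;
        if (hash_equals($leakedHash, saltedHash($algo, $salt, $candidate))) {
            return ['found' => $candidate, 'guesses' => $guesses];
        }
    }
    return ['found' => null, 'guesses' => $guesses];
}

$wordlist = ['password', 'user', 'letmein', 'qwerty', 'welcome', 'dragon'];  // constructed
$table    = buildLookupTable('sha256', $wordlist);

// Victim 1 stored an unsalted SHA-256 of "user123" ("user" + "123" is in the table).
$unsalted = hash('sha256', 'user123');
printf("unsalted: %s\n", lookup($table, $unsalted) ?? 'not found');           // user123

// Victim 2 stored hash(salt . "user123") with a fresh random 16-byte salt.
$salt   = bin2hex(random_bytes(16));
$salted = saltedHash('sha256', $salt, 'user123');
printf("salted, table lookup: %s\n", lookup($table, $salted) ?? 'not found');  // not found

// The salt is stored next to the hash, so the attacker has it too. The table is
// useless, but the same candidates can be rehashed for this one user.
$result = bruteForceSalted($table, 'sha256', $salt, $salted);
printf("salted, brute force: %s after %d guesses\n", $result['found'] ?? 'not found', $result['guesses']);
```

The first lookup succeeds instantly and the second fails, which is the whole point of the salt. The third line shows the limit: the attacker rebuilds the candidates for one user and recovers the same password after a handful of SHA-256 calls, because nothing about SHA-256 plus a salt makes each guess expensive. Making the guess expensive is what password_hash() in the next section is for.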

A much better way to hash passwords in PHP is password_hash(). It generates a random salt
for every call and embeds it in the string it returns, so you never handle the salt yourself.
This is the easiest and most secure approach.

password_hash($yourPassword, ALGORITHM);

Supported Algorithms:

PASSWORD_DEFAULT - Use the bcrypt algorithm (the default since PHP 5.5.0, and still the
default in current PHP 8 releases). Note that this constant is designed to change over time
as new and stronger algorithms are added to PHP. For that reason, the length of the result
from using this identifier can change over time. Therefore, it is recommended to store the
result in a database column that can expand beyond 60 characters (255 characters would be a
good choice).

PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will
produce a standard crypt()-compatible hash using the "$2y$" identifier. The result is
always a 60-character string, or false on failure (since PHP 8.0 an invalid algorithm throws
ValueError instead of returning false). The work factor is set with the "cost" option
(default 10); each increment doubles the time per hash. Caveat: bcrypt only uses the first
72 bytes of the password, so longer inputs are silently truncated.

PASSWORD_ARGON2I - Use the Argon2i hashing algorithm to create the hash. This
algorithm is only available if PHP has been compiled with Argon2 support.

PASSWORD_ARGON2ID - Use the Argon2id hashing algorithm to create the hash. This
algorithm is only available if PHP has been compiled with Argon2 support. Argon2id is the
variant recommended by current password-storage guidance (it is memory-hard and resists
both GPU and side-channel attacks) and is the better choice when your build supports it. Its
output begins with "$argon2id$" and is longer than 60 characters, another reason for the
wide column recommended above.

Read More: https://www.php.net/manual/en/function.password-hash.php
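As an added example (my code, not the lesson's or the PHP manual's), the script below shows what password_hash() actually returns for PASSWORD_BCRYPT, splits the 60-character string into its scheme, cost, salt and digest fields, times the cost factor, and uses password_needs_rehash() to flag old hashes for upgrade. It also demonstrates the 72-byte bcrypt limit mentioned above. The password, cost values and helper names are constructed, and it assumes PHP 7.3 or later for hrtime().

```php
<?php
// Added example: anatomy of a bcrypt password_hash() string, the cost knob,
// rehash-on-upgrade, and the 72-byte input limit. Values are constructed.
declare(strict_types=1);

/** Split "$2y$<cost>$<22-char salt><31-char digest>" so the stored format is visible. */
function parseBcrypt(string $hash): array
{
    if (!preg_match('/^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/', $hash, $m)) {
        throw new InvalidArgumentException('Not a bcrypt hash: ' . $hash);
    }
    return ['scheme' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

/** Wall-clock seconds for one password_hash() call at the given bcrypt cost. */
function bcryptSeconds(int $cost): float
{
    $start = hrtime(true);
    password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
    return (hrtime(true) - $start) / 1e9;
}

$password = 'user123';   // constructed

// Hashing the same password twice gives two different strings: each call
// embeds its own random salt, and password_verify() reads it back out.
$h1 = password_hash($password, PASSWORD_DEFAULT);
$h2 = password_hash($password, PASSWORD_DEFAULT);
var_dump($h1 !== $h2);                                                     // bool(true)
var_dump(password_verify($password, $h1) && password_verify($password, $h2)); // bool(true)
print_r(parseBcrypt($h1));

// Cost: each +1 doubles the work. Tune it to your login latency budget
// (OWASP's password storage cheat sheet treats a work factor of 10 as the floor).
foreach ([10, 11, 12] as $cost) {
    printf("cost %d: %.3f s per hash\n", $cost, bcryptSeconds($cost));
}

// Upgrading later: a hash made with old parameters is flagged for rehash,
// which you perform at the next successful login, when the plaintext is available.
$old = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(password_needs_rehash($old, PASSWORD_BCRYPT, ['cost' => 12]));   // bool(true)

// Caveat: bcrypt reads only the first 72 bytes, so these two "different"
// passwords verify against the same hash.
$seventyTwo = str_repeat('a', 72);
var_dump(password_verify($seventyTwo . 'EXTRA', password_hash($seventyTwo, PASSWORD_BCRYPT))); // bool(true)
```

Notice that the salt is right there in the stored string, readable by anyone who has the database. That is fine: as the salt section explained, the salt only defeats precomputation, and the per-hash cost measured in the loop is what makes each guess expensive.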


Below is example code using password_hash(), which automatically salts the string
(password) for you.

CODE

OUTPUT

DE-HASHING PASSWORD IN CRACKSTATION.NET

Remember that storing the GIBBERISH TEXT produced by HASHING works exactly the same way
as storing a PLAIN TEXT password: it is just a string in a column of the users table. What
changes is the content of that column. The hash cannot be turned back into the password,
so a leaked table no longer hands the attacker the users' passwords directly.

Verifying a Password (there is no "de-hashing")

PHP's password_hash() is designed to be as safe as possible: not even the developer of the
web application can read other users' passwords. What we can do, after storing the hashed
password, is check whether the password a user enters matches it, using password_verify().

password_verify() returns a Boolean: true if the password matches the hash and false if not.
When echoed, true prints as 1 and false prints as an empty string, which is what the output
below shows. The function reads the salt and cost out of the stored hash and compares in
constant time, so you never handle the salt yourself.

password_verify($yourEnteredPassword, $hashedPassword);
Example:

Let's assume that my password is user123 and that, after hashing, it is stored in the database
as gibberish text ($2y$10$tKm9.NmlvfQColKtZQ3Bu.NAVC2.9qQnDQEQWd3Kp25CGI2mDmskO). Using
the "Log-in" form, we will verify whether the password the user typed matches the hash
stored in the database.

CODE

OUTPUT

In the output above, 1 indicates that the password (from $_POST['myPassword']) matches
the hash stored in the database. We can use that result to tell the user whether they
entered a correct or incorrect password. Keep the failure message generic ("invalid
username or password") so that it does not reveal which of the two was wrong.
CODE

OUTPUT
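Putting the pieces together, here is an added, complete login check (my code, not the lesson's): registration with password_hash(), a prepared statement for the lookup, password_verify() against the stored hash, a dummy verify for unknown usernames so that response time does not reveal which accounts exist, one generic failure message, and a transparent rehash when PASSWORD_DEFAULT's parameters change. The users table, its column names and the in-memory SQLite database are constructed for the demo, and it assumes the pdo_sqlite extension. In a real application $u and $p would come from $_POST.

```php
<?php
// Added example: a complete login flow around password_verify().
// Table, users and the in-memory SQLite DB are constructed for the demo.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    // VARCHAR(255): PASSWORD_DEFAULT may grow beyond bcrypt's 60 characters.
    $pdo->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        password_hash VARCHAR(255) NOT NULL)');
    return $pdo;
}

function registerUser(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

/** Returns the user id on success, null on any failure. */
function login(PDO $pdo, string $username, string $password): ?int
{
    // Prepared statement: the username never reaches SQL as text (no injection).
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: verify against a throwaway hash anyway, so a missing
    // account fails in the same time as a wrong password (no user enumeration).
    static $dummyHash = null;
    $dummyHash ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    $storedHash = $row === false ? $dummyHash : $row['password_hash'];

    if (!password_verify($password, $storedHash) || $row === false) {
        return null;
    }

    // A successful login is the only moment we hold the plaintext, so upgrade
    // hashes made with older parameters here.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

$pdo = connect();
registerUser($pdo, 'alice', 'user123');

// Constructed form submissions; a real handler reads $_POST['username'] / $_POST['myPassword'].
foreach ([['alice', 'user123'], ['alice', 'user124'], ['mallory', 'user123']] as [$u, $p]) {
    $id = login($pdo, $u, $p);
    // One generic message for both failure causes.
    printf("%-8s %-8s -> %s\n", $u, $p, $id === null ? 'Invalid username or password.' : "logged in as user #$id");
}
```

Only the first attempt logs in; the wrong password and the unknown username both get the same message and take roughly the same time. The verify step is the only place the plaintext is ever compared, and at no point does the application, or its developer, learn what alice's password is from the stored row.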
CLICK OR COPY ONE OF THE LINKS, THEN ANSWER THE ASSESSMENT:

https://forms.gle/ywju3cdQ4vCP9G5T8

https://docs.google.com/forms/d/e/1FAIpQLSfiyv-xAZoKe-cN1HnXpAso1lsQ1LPvGQQFiwBE89MkkvrZ0w/viewform

References

https://www.simplilearn.com/tutorials/cyber-security-tutorial/md5-algorithm

https://www.w3schools.com/php/func_string_sha1.asp

https://support.google.com/google-ads/answer/9004655?hl=en

https://www.cloudways.com/blog/php-password-encryption/#encryption-is-important

https://stackoverflow.com/questions/9262109/simplest-two-way-encryption-using-php

https://www.php.net/manual/en/function.md5

https://www.php.net/manual/en/faq.passwords.php#faq.passwords.fasthash

https://www.thesslstore.com/blog/difference-encryption-hashing-salting/

https://www.microsoft.com/en-us/security/business/security-101/what-is-password-protection

https://www.beaming.co.uk/knowledge-base/how-to-protect-passwords-with-php/

https://www.php.net/manual/en/faq.passwords.php#faq.passwords.hashing

https://www.passcamp.com/blog/dangers-of-storing-and-sharing-passwords-in-plaintext/

https://crackstation.net/

https://www.php.net/manual/en/function.password-hash.php

https://www.youtube.com/watch?v=Qq96ZgiY1dY
