How to make sure security of user login password
Whenever we develop any application we have user account system. Every time we want to make them secure so they can't be hacked. Today we will understand this process
why we need that and how we can do that in details. Before going to start if I missed any part they your suggestions is most welcome.
As per secure logging system hashing technique is so popular to implement that, but there are lots of conflicting ideas or we can say misconceptions that how to do password hashing in right way. If we googling this on internet we found lots of information and that makes confused to implement in right way. So today we will discuss to implement not only right way but also why we need to implement that.
So the first question comes into our mind is that "What is Password Hashing?"
Actually hashing technique is depends upon Hash algorithms, which is one way function. The main work we do with that change any amount of data or string value into fixed length "fingerprint", that can’t be reversed, that’s why it is one way function. Main advantage of that if we change single character the output hashed value is completely different.
Check the following example -
hash("hello") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
hash("hbllo") = 58756879c05c68dfac9866712fad6a93f8146f337a69afe7dd238f3364946366
hash("waltz") = c0e81794384491161f1777c232bc6bd9ec38f616560b120fda8e90f383853542
Following the flow to use that in our account system
1. User create their account with username and password
2. User password will change in hashed format and store in database in password column
3. When user attempt to login in the system with their username and password, change the password in hashed format and compare that with real password which is store in database.
4. If hashed value match, user granted to access their system. If not then send invalid credential message to user.
Now a days for more security to prevent attackers we always display generic message like "Invalid username or password." We never display message for specific username or password.
The most important things is this hash function is not the same hash function which we have read in data structure. In data structure hash table used to be fast not secure.
Only cryptographic hash functions may be used to implement password hashing.
The .NET framework ships with 6 different hashing algorithms:
1.)MD5: 16 bytes (Time to hash 500MB: 1462 ms)
2.)SHA1: 20 bytes (1644 ms)
3.)SHA256: 32 bytes (5618 ms)
4.)SHA384: 48 bytes (3839 ms)
5.)SHA512: 64 bytes (3820 ms)
6.)RIPEMD: 20 bytes (7066 ms)
These are cryptographic hash functions, which we can use in our .Net framework.
So now I hope we can understand that why and how we will use Password Hashing in our user login system.
The second main point is that "Is Password Hashing Secure?”
I said no now a days there are lots of way to crack this technique, so we will understand that "How Hashes are cracked?”
Five main technique which is popular to use to crack:-
1.) Dictionary Attacks
2.) Brute Force Attacks
3.) Lookup Tables
4.) Reverse Lookup Tables
5.) Rainbow Tables
The simplest way to crack hash is to try guess password, hashed that and checking if the guess's hash equals the hash being cracked. If the hashes are equal, the guess is the password. The most common ways of guessing passwords are dictionary attacks and brute-force attacks.
Dictionary Attacks >> It uses a file which contain words, phrase, common strings, common passwords etc. Then they hashed each of them and equality compare with password hash. The source is extract from real password database, text file which contain large string. For using more effective they use replacing word technique with their "leet speak" like 'password' with 'passw0rd', 'leetspeak' with 'l33t$p34k' etc.
Brute Force Attacks >> It tries every possible combination of characters up to given length. It takes much more times to crack them but they will always eventually find the password.
Lookup Tables >> this is extremely effective method to cracking many hashes. The logic of this process is to pre-compute the hashes of the passwords in a password dictionary and store them, and their corresponding password, in a lookup table data structure.
Reverse Lookup Tables >> this is combination of Dictionary Attacks & Brute Force Attacks at same time without any pre-computed table. First, the attacker creates a lookup table that maps each password hash from the compromised user account database to a list of users who had that hash. The attacker then hashes each password guess and uses the lookup table to get a list of users whose password was the attacker's guess. This attack is especially effective because it is common for many users to have the same password.
Rainbow Tables >> this is the time-memory trade-off technique. They basically depends upon lookup table but with small size. Because they are smaller, the solutions to more hashes can be stored in the same amount of space, making them more effective. Rainbow tables that can crack any md5 hash of a password up to 8 characters long exist.
Above are short description of hacking technique we will discuss is depth detail in separate blogs each of them to know better.
We don't have more way to prevent Dictionary & Brute Force attacks. These are less effective and there is not a way to prevent them altogether. If your password hashing system is secure, the only way to crack the hashes will be to run a Dictionary or Brute-force attack on each hash.
The way to prevent lookup tables and rainbow tables to crack a hash, we have technique call "Salting". But salts are useless for preventing Dictionary & Brute force attacks.
Bcrypt solves all These Problems, means through bcrypt technique we prevent Dictionary, Brute Force, Lookup tables and Rainbow tables to crack a hash.
Important Points to remember:
1. Hash encryption is a one-way encryption technique i.e. even if you know the hash and key you cannot get back the original value.
2. The real world scenario is a bit different. I have seen several payment gateways using hash techniques for checksum verification inbuilt in the integration api like emvantage, payu, Zaakpay, ccavenue etc. Even paypal uses the new SHA-2 algorithm for securing customer transactions e-commerce websites.
3. The hashing technique for security only applies to intranet websites where the user traffic is just few hundreds. For internet websites interacting with users upon public networks you need better security mechanisms.
4. Eavesdropping or interception of messages over http/internet is one way to know your password as it is passed as clear text from client to server. To secure the website you can use HTTPS protocol which does a SSL handshake using SSL certificate between server and the client browser.
We will discuss these technique "Salting" & "Bcrypt" in next blog.
Hope we all enjoyed to learn security of user login system.