When it comes to securing passwords, simply storing them in plaintext is a big no-no. This is because if someone gains unauthorized access to the storage, they get access to all the passwords directly. Instead, systems use password hashing to store a secure representation of the passwords. Here’s how it works and why it’s crucial.
What is Password Hashing?
Password hashing is a method where a password is run through a hashing algorithm to produce a unique fixed-length string of characters, which is then stored in the system. When a user logs in, the system hashes the entered password and compares it to the stored hash. If they match, the user is authenticated.
Common Hashing Algorithms
Different systems use different hashing algorithms, each with its strengths and weaknesses:
Windows:
LANMAN (LM) Hashes: An old method used in early Windows systems. It's weak because it converts passwords to uppercase, pads them to 14 bytes, splits them into two 7-byte chunks, and uses DES encryption. This makes it vulnerable to brute-force attacks.
NTLM Hashes: A more modern method that preserves case sensitivity, converts passwords to Unicode, and uses the MD4 algorithm to create the hash. However, it still lacks salts, making it less secure than it could be.
Linux/UNIX:
DES, 3DES, MD5, Blowfish, SHA-256, SHA-512: These are various algorithms used across UNIX systems. They often incorporate salts to add extra security.
CPU and Memory-Intensive Algorithms:
bcrypt, scrypt, PBKDF2: These algorithms are designed to be more secure by being resource-intensive, making it harder for attackers to use brute-force methods.
The Problem with LANMAN Hashes
LANMAN (LAN Manager) is an outdated hashing method that is still found in some older or upgraded Windows systems. Here’s why it’s problematic:
No Case Sensitivity: Converts all characters to uppercase.
Fixed Length: Pads passwords to 14 characters.
Easily Crackable: Can be brute-forced relatively quickly. Even complex passwords can be cracked within hours due to its weak design.
NTLM Hashes
NTLM is an improvement over LANMAN. It preserves case sensitivity and uses the MD4 hashing algorithm. However, it still doesn’t use salts. A salt is a random string added to the password before hashing, which ensures that even if two users have the same password, their hashes will be different.
Importance of Salting
Salting is crucial because it adds randomness to the hashing process. Without salts, identical passwords produce identical hashes, making it easy for attackers to use precomputed tables (rainbow tables) to crack passwords. Salting ensures that even if an attacker gets hold of the hashed passwords, they cannot easily reverse-engineer them into plaintext passwords.
Modern Password Hashing
Modern password hashing methods like bcrypt, scrypt, and PBKDF2 are designed to be secure by being computationally intensive. This means that even if an attacker has powerful hardware, it will still take a significant amount of time and resources to crack the hashes.
We will continue this conversation is next blog..............................
Akash Patel
Commentaires