Medo's Home Page

Requirements for Password Hashing

Proper password hashing should satisfy few requirements.

First requirement is proper salting. I already wrote about this so check that post for explanation. I will just say here that properly implemented salting strengthens password against whole range of brute-force attacks. Storing password without salting is just not acceptable.

Second requirement would be using proven algorithm. Very often people (myself included) fall into trap of using easiest way there is. In case of password hashing this is usually just SHA-1 hash function. While this is definitely better than plain-text passwords, it is not ideal. Password hashing is just not that simple. Minimum would be support for RFC 2898 password derivation (both PBKDF1 and PBKDF2 will do). For this purpose .NET offers Rfc2898DeriveBytes class.

RFC 2898 also defines way to make your password hashing slow (via iteration count). Although every programmer wants code to run fast, exact opposite is required for password hashing. Idea behind it is to slow-down dictionary attacks. It is huge difference between trying out 10 and 1000000 passwords per second. Of course, you also need to think about users so some compromise is needed. There is no exact figure but I find anything sub-500 milliseconds acceptable to users.

Last requirement that I would add is using user name as part of hashing process. This is to protect us from “copy/paste” attacks if user names and hashes cannot be secured (e.g. in database table). If user name is not encoded, one could copy known password1 hash from user1 to user2 (overwriting password2 in progress). After that it will be possible to login as user2 with password1. That allows user1 to potentially create mess and blame everything on user2. If he restores old password2 afterward, you have security breach that is not easily traceable.

If you are not in mood for implementing this, you can download example of my implementation.

I opted for 9-byte salt and 20-byte key. That results in 30 bytes of output (first byte is iteration count). With base-64 encoding resulting string is exactly 40 bytes long.

8192 iterations should cause function to be around 500 milliseconds on most computers (@ 3GHz). This was selected as user’s psychological limit on waiting. Since number of iterations is stored in first byte of hash (12 for 4192 iterations, 13 for 8192, 14 for 16384 and so on) you can also speed-up (or slow-down) code by factors of two and retain compatibility among different versions.

User name string is converted to upper case before hashing (or checking). This causes user name to be case-insensitive even when encoded.

Passwords With a Grain of Salt

90% of time that I see hashed password in database, it is result of MD-5, SHA-1 or similar hash algorithm. While this does satisfy bare minimum requirements for password storage it is not enough.

Problem lies in “rainbow table” attacks. While checking password against all possible combinations seems difficult, it becomes easier once you get one big file with all those combinations pre-computed. Cracking password becomes just searching for already existing hash. Yes, amount of data is quite big (hundreds of gigabytes) but any personal computer can handle this easily.

All you need is to download pre-existing rainbow table and check all entries against your hash. I checked this against some passwords I had access to and success rate was near to 100%. It was very scary experience. Fortunately, there is easy solution - just introduce salt.

Salt consists of few random bytes appended to password (8 bytes seems like nice number). Our hashing function then becomes:

hash = SHA1(password + salt)

This simple step invalidates all precomputed rainbow tables. Even better, since salt differs between users, each user must be attacked separately. Time for cracking just got increased significantly.

Cost on implementation side is just having another field for storing salt. Cost of few additional bytes per user seems reasonable.

Storing Passwords

More often than not I see big errors in how passwords are stored in database. Because of that I decided to make little series about passwords and how to handle them. In this first installment I will go over two biggest errors you can make as far as password storage is concerned.

Definitely worst thing to do is to store plain-text password in database. This is just unacceptable. If any user gains access to your database all your users are compromised. Since most users tend to use same password for multiple purposes and web sites, compromising password for some internal application could also mean compromising password for Amazon or PayPal account.

Almost as bad is storing passwords using reversible encryption (DES, AES or similar two-way algorithms). While data looks properly encrypted it is still possible to get original password. If your program can get to password, so can somebody else. Always assume worst.

For storing passwords you MUST use irreversible encryption. For properly hashed passwords bad guys must resort to dictionary and brute-force attacks. Losing hashed passwords is also not desirable but at least you buy some time.

Cannot Contact Steam Network

Jeff Atwood has some strange hobbies that include (but are not limited to) giving away games. Fortunately I was on receiving end of latest giveaway. Condition was good score on one or more trilogy sites and steam account.

Installation of steam client wen’t without issues but program would not start. It would just give standard non-descriptive message “Cannot contact steam network”. For troubleshooting purposes I tested it in Windows XP Mode and everything worked there. That confirmed that compatibility with my Windows 7 (64-bit) is issue here.

Solution was annoyingly simple. I went into properties for Steam and checked “Run this program in compatibility mode” check-box. I opted for Windows XP compatibility (default) and started it again. Update went without hitch.

After update I got nasty message from Windows telling me that I should consider removing compatibility settings. Once I removed compatibility application continued to work but my download rate went to 0.0 KB/s. Going against all warnings I reactivated Windows XP compatibility and everything was good once more.

Worthless Precision

Calculations show that Earth’s oil reserves will cease to exist at 20:58 on Oct 22, 2047. It is scary figure to see and it is probably as good of an guess as any. Saying this, it is also just rubbish. I will explain on example of thermometer.

My new kitchen thermometer shows me temperature of 19.3 °C. I think that all thermometers that you can buy show results with one decimal digit (with resolution of 0.1 °C). However, once I checked specification, I was puzzled. Precision of measurement is only ±2°C. Simply said it means that actual temperature is anywhere from 17.3 to 21.3 °C.

It is in human nature to assume that all that is shown actually matters. I can bet you that people would trust thermometer with five decimal digits more (e.g. 19.24133 °C) than one without them (e.g. 19 °C). It just looks better when our numbers have higher resolution. Real truth is hidden in precision. And that number is not always easy to find.

Time of oil exhaustion is nonsense for same reason. They showed it with resolution of one minute just to make it more believable. Real precision is probably give-or-take few years if not more.

P.S. Yes, we will run out of oil one day. We just cannot pinpoint date.

1 … 212 213 214 215 216 … 268