Password Hashes Presented by: UNT Cybersecurity Club 

Content ● What is a password hash? (Properties) (Salts [and Peppers]!) ● Why do we gotta have hashes? ● Most common algorithms? ● Collisions ● Attacks! (And how to defend against attacks) 

What the heck is a Password Hash? ● Password of any length -> Fixed-Length ○ How many characters will be based on the algorithm ● A one-way encryption ○ There is no key to decrypt ○ Acts as sort of a pointer 

Properties of Hashes ● Hashes should: ○ Be easy to calculate ■ But not TOO easy for password hashes; otherwise brute force attacks become too easy ○ Be infeasible to reverse ■ Hashes should be one-way functions ■ Otherwise, someone could determine passwords from hashes ○ Be sensitive to changes - avalanche effect ○ Be deterministic ○ Have minimal collisions ■ Ideally, two distinct pieces of data should not result in the same hash ○ Not reveal anything about the data 

Salts! ● If an attacker obtains password hashes and sees that two are the same, they can break one and get into two accounts ○ An attacker can also guess that this will be a common password ● To make attacks more difficult, we append a salt to each password before hashing ○ A salt is basically a fixed-length, random value ○ By appending this to a password before hashing, we change the value of the hash drastically ○ Salting a function is known as peppering if the ‘salt’ is added at the end of the password ● Note: avoid reusing salts ○ If the same salt is applied to the same passwords, then the purpose of the salt is almost entirely defeated; the same hash will still appear twice 

Why Do We Need Hashes? ● Password security ○ When you enter your password, gets sent to some server somewhere ○ How does the server check if the entered password is correct? ■ Storing password in plaintext == BAD ● If When a hacker gets onto the system, they can get passwords easily ● Malicious employees can also easily obtain passwords ● Plaintext Offenders ● How good is your password? ■ Encrypting passwords is better, but not great ● Encryption is designed to be undone; we don’t want that with passwords ■ Hashing is the single best option ● By hashing your entered password and comparing that to a database of password hashes, we reduce the chance of anyone finding out your password ● Some companies will hash, encrypt, and then hash again, adding extra layers of protection 

Why Do We Need Hashes? ● File integrity ○ Suppose you have downloaded some file or someone has sent you some file ○ How do you know you received the right file? ■ What if someone intercepted the traffic and changed the file? ○ Hashes allow us to verify file integrity ● These are the main applications, although others do exist in the world of cheese 

Most Common Hashing ● MD-5: Message Digest Algorithm ○ Outputs 128 bits, or 32 hexadecimal characters ● SHA: Secure Hashing Algorithm ○ SHA-1 ■ Output 160 bits ○ SHA-256 ■ Outputs 256 bits ○ SHA-512 ■ Outputs 512 bits 

Collisions ● Occurs when exists two passwords that correlate to the same hash ○ Because there are infinite possibilities for passwords, and there exists only a finite mathematical mapping for hashes, there is bound to be a repeat ■ As a general rule of thumb, the more bits that that an encryption algorithm outputs, the better 

Attacks on Hashes ● Suppose an attacker obtains a database of password hashes. What’s the worst case scenario? ● Brute force attacks are always an option ○ An attacker can generate every possible password, hash that, and see if that matches the target hash ○ Brute force attacks take a while, but quickly-calculated hashes make it easier ● Dictionary Attacks ○ The idea of tools like hydra and hashcat ○ Feed in a word list, and try the passwords from the list ○ One of the most common PW list, rockyou.txt ● Rainbow tables make things even easier ○ A rainbow table is a list of pre-computed hashes and their inputs ○ By comparing a target hash against a rainbow table, an attacker can potentially crack a hash much sooner 

Preventing/Mitigating Attacks on Hashes ● Can we prevent these attacks? ○ We cannot entirely prevent against these attacks, but we can make them more difficult and add extra layers of security on top of passwords ● Access Denial ○ Too many incorrect passwords, too many requests from the same IP address ● Avoiding common passwords helps fight dictionary attacks and rainbow attacks ○ Additionally, by salting hashes, we make rainbow attacks effectively obsolete ● Avoid reusing passwords ○ If an attacker cracks your password once, they can then obtain access to all of your accounts if you use the same password ● Adding two-factor authentication (2FA) can also secure systems ○ This way, even if an attacker cracks a password, they still won’t be able to get in ○ Even with 2FA, though, attackers can employ social engineering techniques to break into systems ● Educate users about security ○ Make sure users know not to give away their password to just anyone who says they’re from “IT,” not to click on suspicious emails, etc. 

References https://www.wired.com/2016/06/hacker-lexicon-password-hashing/ https://www.sciencedirect.com/topics/computer-science/hashing-algorithm https://en.wikipedia.org/wiki/MD5 https://security.blogoverflow.com/2013/09/about-secure-password-hashing/ https://www.passwordrandom.com/password-strength-checker https://en.wikipedia.org/wiki/Salt_(cryptography) https://en.wikipedia.org/wiki/Collision_(computer_science) https://auth0.com/blog/adding-salt-to-hashing-a-better-way-to-store-passwords/ https://www.kaspersky.com/resource-center/definitions/brute-force-attack https://support.microsoft.com/en-us/help/889768/how-to-compute-the-md5-or-sha-1-cryptographic-hash-valu es-for-a-file https://www.tutorialspoint.com/unix_commands/md5sum.htm