Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Salting your Hashes: Modern Password Storage

Tom Webster
December 12, 2013
Technology
0
260

Salting your Hashes: Modern Password Storage

Just a quick presentation for the Ohio InfoSec Forum holiday meeting.

Writing a web app? Storing user passwords? Don't ever store them in plain text, you already know this. But do you know how to securely hash them? Here's a very basic look at salted hashes and how they improve security.

Tom Webster

December 12, 2013
Tweet

More Decks by Tom Webster

See All by Tom Webster
Securing XMPP
samurailink3
0
230
pfSense Basics
samurailink3
0
250
The Accuracy of Mr Robot
samurailink3
0
430
Wifi Grenade
samurailink3
0
2.7k
2 Factor: General Discussion
samurailink3
0
330
Modern Times: Passwords
samurailink3
0
340
Hacking People: No Mask Required
samurailink3
0
380
Making Security Shiny
samurailink3
0
490

Other Decks in Technology

See All in Technology
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.8k
Security-JAWS【第35回】勉強会クラウドにおけるマルウェアやコンテンツ改ざんへの対策
4su_para
0
180
適材適所の技術選定 〜GraphQL・REST API・tRPC〜 / Optimal Technology Selection
kakehashi
1
610
AIチャットボット開発への生成AI活用
ryomrt
0
170
iOS/Androidで同じUI体験をネ イティブで作成する際に気をつ けたい落とし穴
fumiyasac0921
1
110
サイバーセキュリティと認知バイアス:対策の隙を埋める心理学的アプローチ
shumei_ito
0
390
ドメインの本質を掴む / Get the essence of the domain
sinsoku
2
150
オープンソースAIとは何か? --「オープンソースAIの定義 v1.0」詳細解説
shujisado
9
1k
TanStack Routerに移行するのかい しないのかい、どっちなんだい! / Are you going to migrate to TanStack Router or not? Which one is it?
kaminashi
0
590
Incident Response Practices: Waroom's Features and Future Challenges
rrreeeyyy
0
160
Amazon CloudWatch Network Monitor のススメ
yuki_ink
1
210
マルチモーダル / AI Agent / LLMOps 3つの技術トレンドで理解するLLMの今後の展望
hirosatogamo
37
12k

Featured

See All Featured
Making the Leap to Tech Lead
cromwellryan
133
8.9k
How STYLIGHT went responsive
nonsquared
95
5.2k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Intergalactic Javascript Robots from Outer Space
tanoku
269
27k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Fireside Chat
paigeccino
34
3k
Imperfection Machines: The Place of Print at Facebook
scottboms
265
13k
Testing 201, or: Great Expectations
jmmastey
38
7.1k
Gamification - CAS2011
davidbonilla
80
5k

Transcript

  1. Salting your Hashes Modern Password Storage

  2. Hashing Passwords (md5) Password1 = b1345a0ce47f743bc94c5e32cf547ac0 Passward1 = cac53f4007216840391e744dc29ebfd7 Don't

    use MD5, it's broken, and a very bad choice for secure hashing (it's too fast, fast is bad for password hashing). It's only used to show an example. tl;dr: Don't use MD5, use bcrypt or PBKDF2.

  3. Cracking MD5 MD5 hashes are trivial to crack with modern

    graphics cards. Even worse, your hash can be looked up with Rainbow Tables in a matter of seconds. Hashing alone is very insecure. God forbid you actually store passwords in plain text…..

  4. Salt? If just one character can change an entire hash,

    adding random junk can make cracking and rainbow tables harder to use. Salt is that random junk. SALT=`cat /dev/urandom | tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?='| head -c 16` echo "$SALT.Password1" | md5sum The SALT variable is set to 16 characters of random junk, then fed into the hash of the password. Changing it. You must store the SALT!

  5. Storing Password Hashes Wrong Right Table: Users Username Salt SecureHash

    alice Jothuh6AeZo hw8ai 6cf73117b15 bea56e3f35e e2c59727f5 bob Jothuh6AeZo hw8ai 6cf73117b15 bea56e3f35e e2c59727f5 Table: Users Username Salt SecureHash alice Jothuh6AeZo hw8ai 6cf73117b15 bea56e3f35e e2c59727f5 bob ooTaez6ohP ee3eeg 167f722da71 78afb8aeaf7 a3de997a21 Don't use the same salt across users! Both users in this example are using the same password, using different salts will prevent one successful crack from affecting other users.

  6. Hashes also help prevent Brute Force DB Cracking! Simply by

    increasing length: Normal password = Password1 9 Characters Hashed password = Jothuh6AeZohw8ai.Password1 26 Characters

  7. The Easy Way Just use bcrypt to store your passwords!

    • Slow enough to be secure (GPUs won't help you much) • Salt is built right in! No need to make your own! • It's deemed to be cryptographically secure and is highly regarded by cryptographers all over the world.