Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Salting your Hashes: Modern Password Storage

Tom Webster
December 12, 2013
Technology
0
250

Salting your Hashes: Modern Password Storage

Just a quick presentation for the Ohio InfoSec Forum holiday meeting.

Writing a web app? Storing user passwords? Don't ever store them in plain text, you already know this. But do you know how to securely hash them? Here's a very basic look at salted hashes and how they improve security.

Tom Webster

December 12, 2013
Tweet

More Decks by Tom Webster

See All by Tom Webster
Securing XMPP
samurailink3
0
210
pfSense Basics
samurailink3
0
240
The Accuracy of Mr Robot
samurailink3
0
430
Wifi Grenade
samurailink3
0
2.6k
2 Factor: General Discussion
samurailink3
0
320
Modern Times: Passwords
samurailink3
0
330
Hacking People: No Mask Required
samurailink3
0
370
Making Security Shiny
samurailink3
0
480

Other Decks in Technology

See All in Technology
require(ESM)とECMAScript仕様
uhyo
3
830
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
2.1k
GraphQL 成熟度モデルの紹介と、プロダクトに当てはめた事例 / GraphQL maturity model
mh4gf
7
1.4k
APIファーストなプロダクトマネジメントの実践 〜SaaSus Platformでの例〜 / "Practicing API-First Product Management - An Example with SaaSus Platform
oztick139
0
110
チームでロジカルシンキングに改めて向き合っている話 〜学習環境と実践⽅法〜
sansantech
PRO
3
2.9k
Building a RAG-powered AI chat app with Python and VS Code
pamelafox
0
110
競技としてのKaggle、役に立つKaggle
yu4u
5
2k
ルーターでプレゼンする
puhitaku
0
690
ServiceNow Knowledge Learning Rise up
manarobot
0
210
今日からできる!簡単 .NET 高速化 Tips -2024 edition-
xin9le
3
750
Delivering Millions of Messages within seconds @ Duolingo
pelelgrino
0
350
ChatworkのSRE部って実は 半分くらいPlatform Engineering部かもしれない
saramune
0
160

Featured

See All Featured
[RailsConf 2023] Rails as a piece of cake
palkan
23
4k
Clear Off the Table
cherdarchuk
84
310k
Designing Experiences People Love
moore
136
23k
We Have a Design System, Now What?
morganepeng
43
6.8k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
The Straight Up "How To Draw Better" Workshop
denniskardys
227
130k
Build The Right Thing And Hit Your Dates
maggiecrowley
24
2k
Navigating Team Friction
lara
178
13k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
14
1.5k
Building Better People: How to give real-time feedback that sticks.
wjessup
355
18k
Fireside Chat
paigeccino
21
2.6k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
221
21k

Transcript

  1. Salting your Hashes Modern Password Storage

  2. Hashing Passwords (md5) Password1 = b1345a0ce47f743bc94c5e32cf547ac0 Passward1 = cac53f4007216840391e744dc29ebfd7 Don't

    use MD5, it's broken, and a very bad choice for secure hashing (it's too fast, fast is bad for password hashing). It's only used to show an example. tl;dr: Don't use MD5, use bcrypt or PBKDF2.

  3. Cracking MD5 MD5 hashes are trivial to crack with modern

    graphics cards. Even worse, your hash can be looked up with Rainbow Tables in a matter of seconds. Hashing alone is very insecure. God forbid you actually store passwords in plain text…..

  4. Salt? If just one character can change an entire hash,

    adding random junk can make cracking and rainbow tables harder to use. Salt is that random junk. SALT=`cat /dev/urandom | tr -dc 'a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?='| head -c 16` echo "$SALT.Password1" | md5sum The SALT variable is set to 16 characters of random junk, then fed into the hash of the password. Changing it. You must store the SALT!

  5. Storing Password Hashes Wrong Right Table: Users Username Salt SecureHash

    alice Jothuh6AeZo hw8ai 6cf73117b15 bea56e3f35e e2c59727f5 bob Jothuh6AeZo hw8ai 6cf73117b15 bea56e3f35e e2c59727f5 Table: Users Username Salt SecureHash alice Jothuh6AeZo hw8ai 6cf73117b15 bea56e3f35e e2c59727f5 bob ooTaez6ohP ee3eeg 167f722da71 78afb8aeaf7 a3de997a21 Don't use the same salt across users! Both users in this example are using the same password, using different salts will prevent one successful crack from affecting other users.

  6. Hashes also help prevent Brute Force DB Cracking! Simply by

    increasing length: Normal password = Password1 9 Characters Hashed password = Jothuh6AeZohw8ai.Password1 26 Characters

  7. The Easy Way Just use bcrypt to store your passwords!

    • Slow enough to be secure (GPUs won't help you much) • Salt is built right in! No need to make your own! • It's deemed to be cryptographically secure and is highly regarded by cryptographers all over the world.