Password Hashing

Vít Koma 

Why Hashing

Problem:
What if an attacker steals a database with stored user accounts?

Solution:
Store passwords transformed with a one-way function.

Hash Functions

  • Map input to a fixed-length result
  • One-way functions
  • Collision resistant
  • Small change in input leads to a completely different result
  • Standardized: SHA-256, SHA-512, Whirlpool
    • Do not try to invent your own algorithm
    • Do not code your own implementation of a standard algorithm
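Added example (not part of the original slides): the fixed-length and avalanche properties listed above, checked with the standard library's SHA-256 rather than a hand-written one. The sample inputs and the one-bit-flip helper are constructed for illustration.

```python
import hashlib


def sha256_digest(data: bytes) -> bytes:
    """SHA-256 from the standard library; never hand-roll the algorithm."""
    return hashlib.sha256(data).digest()


def flip_one_bit(data: bytes, bit_index: int = 0) -> bytes:
    """Return a copy of data with exactly one bit flipped (LSB of the first byte by default)."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Count the bits that differ between two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_distance(data: bytes) -> int:
    """Bits that differ between SHA-256(data) and SHA-256(data with one bit flipped).

    For a good hash this is close to half of the 256 output bits, which is what
    "small change in input leads to a completely different result" means in practice.
    """
    return hamming_distance(sha256_digest(data), sha256_digest(flip_one_bit(data)))


if __name__ == "__main__":
    # Constructed sample inputs of very different lengths: the output length never changes.
    for sample in (b"", b"password", b"x" * 10_000):
        print(len(sha256_digest(sample)), "bytes for input of length", len(sample))
    print("bits changed by a one-bit input change:", avalanche_distance(b"password"))
```

Running the script prints 32 bytes for every input and a bit distance in the region of 128 for the single-bit change.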

Why Salting

Problem:
Efficient attacks on hashes exist
  • Lookup tables
  • Reverse lookup tables
  • Rainbow tables

Solution:
Randomize the hash.

Salt

  = a string concatenated with the password before hashing

  • unique for every user
  • not too short
  • random

Resources

en.wikipedia.org/wiki/Salt_(cryptography)
crackstation.net/hashing-security.htm
www.freerainbowtables.com/en/tables2
www.coursera.org/course/crypto