Password Hashing
Vít Koma
Why Hashing
Problem:
What if an attacker steals a database with stored user accounts?
Solution:
Store passwords transformed with a one-way function.
Hash Functions
Map input to a fixed-length result
One-way functions
Collision resistant
Small change in input leads to a completely different result
Standardized: SHA-256, SHA-512, Whirlpool
Do not try to invent your own algorithm
Do not code your own implementation of a standard algorithm
Why Salting
Problem:
Efficient attacks on hashes exist
Lookup tables
Reverse lookup tables
Rainbow tables
Solution:
Randomize hash
Salt
= string concatenated with the password before hashing
unique for every user
not too short
random
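An added example, not part of the original slides, of the scheme described above in Python: a random per-user salt is concatenated with the password before SHA-256 hashing, stored next to the digest, and reused at verification. The function names and the "salt$digest" storage format are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical helpers; the "salt_hex$digest_hex" record format is an assumption.
SALT_BYTES = 16  # 128-bit random salt: unique per user and not too short


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt$digest' where digest = SHA-256(salt || password)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh CSPRNG salt per user
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, expected = stored.split("$", 1)
    recomputed = hash_password(password, bytes.fromhex(salt_hex)).split("$", 1)[1]
    return hmac.compare_digest(recomputed, expected)


def unsalted_hash(password: str) -> str:
    """Plain SHA-256, as a database without salting would store it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo():
    # Constructed example: two users choose the same weak password.
    alice = hash_password("password123")
    bob = hash_password("password123")
    # Unsalted: identical digests, so one lookup-table hit cracks both accounts.
    same_unsalted = unsalted_hash("password123") == unsalted_hash("password123")
    # Salted: different stored digests, so a precomputed table does not apply.
    same_salted = alice.split("$")[1] == bob.split("$")[1]
    return (same_unsalted, same_salted,
            verify_password("password123", alice), verify_password("wrong", alice))


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

In production the hashing step itself should be a deliberately slow, standardized password hash (PBKDF2, bcrypt, scrypt or Argon2) rather than a single SHA-256; the salting logic stays the same.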
Resources
en.wikipedia.org/wiki/Salt_(cryptography)
crackstation.net/hashing-security.htm
www.freerainbowtables.com/en/tables2
www.coursera.org/course/crypto