SCIM Provisioning: A Comprehensive Guide to Simplifying User Management
Discover how SCIM provisioning can streamline your user account management, improve security, and enhance productivity.
Learn more about password hashing and salting to better protect your users' passwords from malicious attacks.
In the 21st century, there have been quite a few data breach incidents, such as Yahoo in 2013, Adobe in 2013, Facebook in 2019, LinkedIn in 2021, etc. Businesses can no longer consider data security an afterthought as a single data breach incident can have dire consequences.Ā
Even though there have been some new and more secure authentication mechanisms, such as biometric authentication and OTP through WhatsApp or Telegram, for users to log into their apps or software, usernames and passwords are still the primary method of authentication. It is therefore important for businesses to securely store usersā passwords with different techniques, such as hashing and salting, to protect their personal information.
In this blog post, we will be introducing password hashing and salting, two fundamental yet essential techniques in the field of cryptography, and what kinds of attacks hashing and salting can mitigate.Ā
You can see that the resulting hash is quite different from the previous one.
The value that is stored in the database then is the hash not the actual password. Whenever a user logs into the software or app, the provided value will first be hashed and then checked with the hash stored in the database to verify the userās identity. In this way, even if hackers manage to obtain the hash, they cannot use it to log in.
As mentioned above, hash algorithms are one-way functions that convert a new string of characters with a fixed length. In the early days, Message Digest (MDx) algorithms, such as MD5, and Secure Hash Algorithms (SHA), such as SHA-1 and SHA-2, were used quite often to hash passwords. However, these were designed to be quick. You might wonder why that is an issue. Having a fast hash algorithm means that it takes less computational efforts for attackers to ādecryptā the hash. Furthermore, major players in the field have also identified some vulnerabilities in these algorithms and therefore advise against the adoption of MD5, SHA-1 and SHA-2 for password hashing. Although MD5 is no longer used for password hashing, it can still be used to verify data integrity.Ā
The Open Web Application Security Project (OWASP) has listed some hash algorithms designed for storing passwords such as Argon2id, bcrypt, and PBKDF2t.Ā
Argon2 is the hashing algorithm that won the 2015 Password Hashing Competition (PHC). It has three variations, namely Argon2d, Argon2i, and Argon2id.Ā Argon2id is a hybrid of Argon2i and Argon2id, allowing it to provide a more balanced approach to resisting both side-channel and GPU-based attacks.
The Argon2 algorithm can take a number of configurable parameters, such as memory, iterations, parallelism, salt length, and key length.Ā
Based on the Blowfish cipher, bcrypt was designed by Niels Provos and David MaziĆØres in 1999. To better protect passwords from different attacks, bcrypt incorporates salting, which will be discussed later, into the process and allows the interaction count to be increased, making it slower and requiring more computational power from the attackers.Ā
Password-Based Key Derivation Function 2 (PBKDF2) is recommended by National Institute of Standards and Technology (NIST) and also has higher computational cost compared to the other algorithms. It also has FIPS-140 validated implementation, making it the preferred algorithm when these are mandated.Ā
You can check the Password Storage Cheat Sheet to check some best practices of hash algorithms.
Even though there is no way for hackers to retrieve passwords from the hashes. There are still a few ways for them to crack the code.Ā
Hackers can try a brute-force attack by running random passwords through the hash function until they finally find a match. This is rather inefficient since the hash algorithms designed for securely storing passwords are designed to be slow, making the entire process tedious and long. Nonetheless, hackers will eventually manage to crack the code with sufficient time.Ā
An alternative will be the rainbow table attack. A rainbow table is essentially a huge database with precomputed hash outputs. Once the hackers gain access to the hash database, they can then execute the rainbow table attack by checking if the stolen hashes match any precomputed hash stored in the rainbow table.
In order to increase the complexity of password security and protect usersā passwords from the attacks mentioned above, an additional step called password salting is taken.
You might wonder if you are reading a hash brown recipe as we are now talking about salting a hash; however, salting a hash, in the field of cryptography, actually means to add an additional string of 32 or more characters to the password before it gets hashed. These strings of data are called salts. Password salting helps developers increase password complexity without affecting user experience. It is important to note that salts should be randomly generated by cryptographically secure functions since adding salts that are quite predictable is actually moot.
How does that make the hash more unique? Letās demonstrate it with an example.
As you can see, their salted hash outputs are quite different even though they share the same password. This makes it very hard for hackers to guess the original password using a rainbow table. It is important to note that each userās password should have its own unique salt; otherwise, the salting process simply makes the password longer without impeding hackersā attacks.
With an additional step of salting, the authentication process will be a little bit different. In practice, the salt, the hash, and the username are usually stored together. When someone logs into the software or app, the system will then:
Note that most modern hash algorithms, such as bcrypt and Argon2id, salt the password before they get hashed to protect passwords from hash table attacks and slow down dictionary and brute-force attacks.
Salting hashes best practices
There are many ways one can store passwords incorrectly. For example, do you know that besides picking the right hashing algorithm, a common recommended best practices of prehashing password with SHA256 then bcrypt is actually a security issue?
With Authgear, your usersā passwords will be well secured by industry-standard mechanisms.
Authgear uses Argon2id to salt and hash users' passwords. Moreover, your app will also be equipped with all the security features you need to provide not only better security but also smoother user experience to gain a competitive advantage.Ā
Contact us now to see how Authgear can help you increase user conversion rate, reduce cost, and provide better user experience.Ā