Validating and authenticating users is one of the most important and most sensitive parts of the software development process. As a developer, it is your responsibility to make sure that sensitive user data is safe and not vulnerable to attacks that could breach it and put it in the wrong hands.
Although storing such sensitive credentials correctly is highly critical, it is an area in which many developers fail.
In this article, I will talk about the approaches you should AVOID and the approach one should take instead.
How not to store passwords?
The easiest and best-known method was storing credentials in plain text, which is one of the worst things one can do. But I believe people are now aware enough to know and avoid this. So, what next?
- Use of encryption
The first probable method could be adding encryption: a layer of security in which a key is used to encrypt the credentials. The key locks the content and converts it into ciphertext. Later, the same key is used to decrypt the content.
Here, as long as the key is available, the information stored inside is effectively plain text. If an attacker gets hold of the key, your information is no longer as private as it was supposed to be.
Now, what could be the next probable security approach?
With more advancement in technology, a new security concept evolved, known as “hashing”.
Technical Definition of Hashing
“Hashing is the technique of taking an input key created for storing narrative data, and representing it with a hash value, which is typically determined by an algorithm and constitutes a much shorter string than the original.”
What if someone has already done the research needed to help attackers brute-force the hash algorithm you have used?
Yes! There is something known as a “rainbow table” that already exists online. Most password-cracking tools also ship with rainbow tables.
What is the Rainbow Table?
It is simply a database used to crack password hashes and thereby gain authentication. It is a pre-computed dictionary of plain-text passwords and their corresponding hash values, which can be used to look up which plain-text password produces a particular hash.
So, if you are using very common hashing algorithms such as MD5 or SHA1 with nothing added, a rainbow table will likely be able to crack the password within a few seconds.
Even hashed passwords are not secure enough on their own! Now what?
- Salting during hashing
For all the times we thought hashing and encryption were the best practices for securing passwords, we now turn out to be wrong. But don’t worry! You can add some salt to make the hash too salty for hackers to digest.
What does adding salt mean?
A salt is random data that is concatenated with the password before it is passed as the input to the hashing function.
Let us understand this with a simple example. If your password is pa$$w0rd and the salt is !ZaP0%!0#8, the result of hashFunction('pa$$w0rd!ZaP0%!0#8') will be stored in the database instead of hashFunction('pa$$w0rd').
Now the hackers won’t be able to crack the hash values using a rainbow table, since you have added a salt to the hash, which is a randomly generated value. The salt value will not be stored in the database and will only be present in the application configuration file, which is not accessible to the outside world. To make it even stronger, use unique, long, random salt values.
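The following is an added example, not code from the original article, showing in Python why a precomputed table reverses an unsalted hash in one dictionary lookup and why the same table is useless against a salted one. It also shows the storage and login check that go with salting. Note that this example stores a fresh random salt per user next to its hash, because the login check must recompute the same hash; a secret value kept only in application configuration, as described above, is usually called a pepper and can be layered on top. The wordlist and the password pa$$w0rd are constructed sample data; the function names are my own.

```python
import hashlib
import hmac
import secrets

# Constructed wordlist standing in for a downloaded rainbow table / cracking dictionary.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "pa$$w0rd", "letmein"]


def unsalted_md5(password):
    """The weak scheme from the article: a fast hash with nothing added."""
    return hashlib.md5(password.encode()).hexdigest()


def unsalted_sha256(password):
    """Same weakness with a stronger algorithm: still one fixed digest per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words, hash_fn):
    """Precompute digest -> plaintext for every word. For an unsalted hash this
    is all a rainbow table amounts to: the work is done once, reused forever."""
    return {hash_fn(word): word for word in words}


def lookup(table, digest):
    """Reverse a stored digest in one dictionary lookup, or None if unknown."""
    return table.get(digest)


def salted_hash(password, salt):
    """The article's hashFunction(password + salt), with SHA-256 as hashFunction."""
    return hashlib.sha256((password + salt).encode()).hexdigest()


def store_salted(password):
    """Build the record kept in the user table: a random salt per user, stored
    beside the hash so that verify_salted() can recompute it at login."""
    salt = secrets.token_hex(16)  # 128 bits from the OS CSPRNG, hex-encoded
    return {"salt": salt, "hash": salted_hash(password, salt)}


def verify_salted(record, candidate):
    """Recompute with the stored salt; constant-time compare avoids a timing leak."""
    return hmac.compare_digest(record["hash"], salted_hash(candidate, record["salt"]))


if __name__ == "__main__":
    md5_table = build_lookup_table(COMMON_PASSWORDS, unsalted_md5)
    print("unsalted MD5 reversed to:", lookup(md5_table, unsalted_md5("pa$$w0rd")))

    # Even a table built with the very same algorithm misses a salted hash,
    # because every user's digest now depends on a value the table never saw.
    sha_table = build_lookup_table(COMMON_PASSWORDS, unsalted_sha256)
    record = store_salted("pa$$w0rd")
    print("salted SHA-256 reversed to:", lookup(sha_table, record["hash"]))
    print("login with correct password:", verify_salted(record, "pa$$w0rd"))
```

Two users with the same password get different records, so an attacker cannot even tell they share a password, let alone crack both with one precomputation.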
- Slowing cracking
The idea behind the slowing-cracking approach is to iterate a hashing function, using the output of each iteration as the input for the next. Instead of using SHA1 to compute the hash once, you apply it thousands of times. Each extra iteration makes the hash slower to compute, so doubling the number of iterations doubles the time attackers need for every guess.
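As an added example, not from the original article, the Python below implements the iteration idea both literally, as the article describes it (chaining SHA-256 so each output feeds the next round), and in its standardised form, PBKDF2-HMAC-SHA256 from the standard library, which is the same construction with the iteration count as its cost parameter. The record format (scheme, iteration count, salt and digest joined with "$") and the function names are my own assumptions; storing the count in the record is what lets you raise the cost later without re-hashing everyone at once. Purpose-built password hashes such as bcrypt, scrypt or Argon2 are the usual production choice, but they follow the same pattern of a tunable work factor.

```python
import hashlib
import hmac
import secrets


def iterated_hash(password, salt, iterations):
    """Chain SHA-256 the way the article describes: the output of one round is
    the input of the next, so cost grows linearly with `iterations`."""
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    digest = hashlib.sha256((password + salt).encode()).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()


def pbkdf2_hash(password, salt, iterations):
    """Standardised form of the same idea: PBKDF2 with HMAC-SHA256 (stdlib)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations).hex()


# Hypothetical scheme names used in the stored record.
SCHEMES = {"iter-sha256": iterated_hash, "pbkdf2-sha256": pbkdf2_hash}


def store(password, scheme="pbkdf2-sha256", iterations=600_000):
    """Produce the string kept in the user table. Scheme, cost and salt travel
    with the digest, so each record is self-describing."""
    if scheme not in SCHEMES:
        raise ValueError(f"unknown scheme {scheme!r}")
    salt = secrets.token_hex(16)  # per-user random salt, hex so it contains no '$'
    digest = SCHEMES[scheme](password, salt, iterations)
    return f"{scheme}${iterations}${salt}${digest}"


def verify(record, candidate):
    """Recompute the digest with the parameters stored in the record itself."""
    scheme, iterations, salt, expected = record.split("$")
    if scheme not in SCHEMES:
        raise ValueError(f"unknown scheme {scheme!r}")
    actual = SCHEMES[scheme](candidate, salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record, minimum_iterations):
    """True when the record was created with a lower cost than policy now
    requires; the caller re-runs store() after the next successful login."""
    _, iterations, _, _ = record.split("$")
    return int(iterations) < minimum_iterations


if __name__ == "__main__":
    old = store("pa$$w0rd", scheme="iter-sha256", iterations=1_000)
    print("old record verifies:", verify(old, "pa$$w0rd"))
    print("old record below today's policy:", needs_rehash(old, 600_000))
    new = store("pa$$w0rd")  # default: PBKDF2-SHA256, 600,000 rounds
    print("new record verifies:", verify(new, "pa$$w0rd"))
    print("wrong password rejected:", not verify(new, "pa$$w0rd1"))
```

Because the iteration count is read back from the record, an attacker who steals the table gains nothing from knowing it; what slows them is that every guess against every user costs the full chain of rounds.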
Conclusion: Breaches of highly critical information are becoming a common occurrence on the internet, with several large-scale leaks happening daily. Every leak has revealed the poor practices many companies employ when storing critical information. However, there are several approaches one can implement to push attackers back.