Introduction to password security
Before we dive deep into protecting passwords, hashing algorithms, and password cracking, we first need to understand what salting is.
What is Salting?
In simple words, salting is adding an extra random value to the password the user enters before it is hashed. Let us understand this with an example, where each user gets a different salt (shown here as printable characters, but a salt is really just random bytes):

Username | Salt value
abc1 | D;%yL9TS:5PalS/d
abc2 | )<,-<U(jLezy4j>*
The concept of salt is commonly used in password storage systems to enhance security. Here's how it works:
Generating a salt: When a user creates an account or sets a password, a random salt value is generated from a cryptographically secure random number generator. The salt is typically a fixed-length random string of bits, such as 64 or 128 bits (8 or 16 bytes). Each user's salt is unique, and it does not need to be secret.
Combining the salt and password: The salt is then concatenated (or otherwise combined) with the user's password before hashing. This means that even if two users have the same password, their hash values will differ because of the unique salts, so an attacker cannot tell that they share a password and cannot reuse one cracked hash against the other.
Hashing with the salt: The salted password is then passed through a hash function to produce the hash value. This should be a deliberately slow password hashing function such as bcrypt, scrypt or Argon2 rather than a fast general-purpose hash like SHA-256, so that each guess costs the attacker real time.
Storing the salt and hash: The salt value is stored alongside the hash value in the password database. When a user attempts to log in, the stored salt is retrieved and used to hash the entered password. The resulting hash is then compared with the stored hash value, ideally with a constant-time comparison so that the comparison itself does not leak information about the stored hash.
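The four steps above, put together as an added example in Python (this is not code from the original post): it uses only the standard library, generates a 16-byte per-user salt with `secrets`, combines salt and password inside `hashlib.scrypt` (a slow, memory-hard password hashing function), stores the salt next to the hash, and verifies a login with a constant-time comparison. The `users` dictionary stands in for the password database, and the scrypt cost parameters are assumed values chosen to keep the example fast; tune them to your hardware.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example. n=2**14, r=8 uses 16 MiB per hash,
# which is within hashlib.scrypt's default memory limit; raise n in production.
SALT_BYTES = 16
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
HASH_LEN = 32

# Constructed in-memory "password database": username -> (salt, hash).
# Only the salt and the hash are stored, never the password.
users: dict[str, tuple[bytes, bytes]] = {}


def hash_password(password: str, salt: bytes) -> bytes:
    """Step 2 and 3: combine password and salt inside a slow KDF."""
    return hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
        dklen=HASH_LEN,
    )


def register(username: str, password: str) -> None:
    """Step 1 and 4: generate a unique CSPRNG salt and store salt + hash."""
    salt = secrets.token_bytes(SALT_BYTES)
    users[username] = (salt, hash_password(password, salt))


def verify(username: str, password: str) -> bool:
    """Step 4 at login: re-hash the entered password with the stored salt."""
    record = users.get(username)
    if record is None:
        # Hash anyway so an unknown username takes as long as a wrong password
        # (avoids a timing side channel that reveals which usernames exist).
        hash_password(password, secrets.token_bytes(SALT_BYTES))
        return False
    salt, stored = record
    # hmac.compare_digest runs in constant time regardless of where the
    # two values first differ.
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    register("abc1", "correct horse battery staple")
    register("abc2", "correct horse battery staple")
    # Same password, different salts, different hashes:
    print(users["abc1"][1].hex())
    print(users["abc2"][1].hex())
    print(verify("abc1", "correct horse battery staple"))  # True
    print(verify("abc1", "wrong password"))                # False
```

Note that bcrypt and Argon2 libraries normally generate the salt and encode it into the stored string for you; with a raw KDF such as scrypt, as here, you are responsible for generating and storing it yourself.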
Step 2 - Hashing
What is hashing?
Hashing is taking an input of any length and converting it into a fixed-length string of characters using a cryptographic hash function. The output is known as the hash code or hash value (also called a digest). The same input always produces the same hash, and it should be infeasible to recover the input from the hash.
Uses -
Password storage
Data integrity
Data indexing
Now that we know what hashing is, let's discuss the hashing algorithms you will meet in password storage.
MD5 (Message Digest Algorithm 5): An outdated algorithm that produces a 128-bit hash value. It is broken against collision attacks, but for password storage the bigger problem is that it is extremely fast: a single GPU can compute billions of MD5 hashes per second, so guessing is cheap. It should not be used for passwords.
SHA-1 (Secure Hash Algorithm 1): Produces a 160-bit hash value. Practical collisions have been demonstrated, and, like MD5, it is fast, so it is also considered weak for password storage and should be avoided.
SHA-256 (Secure Hash Algorithm 256-bit): A widely used hashing algorithm that produces a 256-bit hash value. It is still considered secure as a general-purpose hash (for integrity checks and signatures), but it is fast by design, so a plain SHA-256 of a password is easy to brute-force. On its own it is not a good choice for password storage; it belongs inside a slow construction such as PBKDF2-HMAC-SHA256.
bcrypt: A password hashing function that is designed to be slow and computationally expensive. It has an adjustable cost factor, so it can be made slower as hardware gets faster, and it generates and embeds its own salt. It is specifically designed to resist brute-force attacks and rainbow table attacks. Note that bcrypt only uses the first 72 bytes of the password.
Argon2: A modern password hashing algorithm that won the Password Hashing Competition in 2015. It is memory-hard as well as slow, which makes GPU and ASIC cracking expensive, and it is considered highly secure. Argon2id is the recommended variant.
Dedicated password hashing functions such as bcrypt, scrypt, PBKDF2 and Argon2 are recommended for password protection because they are deliberately slow (and, for scrypt and Argon2, memory-hard), which makes brute-force attacks expensive, and because they are always used with a per-user salt, which defeats rainbow tables. A fast hash such as plain SHA-256 does not give this protection by itself.
In its simplest form the hash value is calculated as
Hashed value = SHA256 (Password + Salt value)
In practice the SHA256 in this formula should be replaced by a slow password hashing function with a configurable cost, for example Hashed value = Argon2id(Password, Salt value, cost parameters); the salt removes precomputation, but only the slow function makes each guess expensive.
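To see what the salt and the slow function each buy you, here is an added Python example (not code from the original post) that plays the attacker against three small constructed password databases: one built with plain SHA256(Password), one built with the page's formula SHA256(Password + Salt value), and one built with PBKDF2-HMAC-SHA256. It counts how many hash computations a dictionary attack needs in each case. The wordlist, usernames, passwords and fixed salts are all constructed for the example; real salts come from a CSPRNG.

```python
import hashlib

# Constructed sample data: a tiny attacker wordlist and three users,
# two of whom chose the same password.
WORDLIST = ["password", "letmein", "summer2023", "qwerty", "dragon", "hunter2"]
USER_PASSWORDS = {"alice": "summer2023", "bob": "hunter2", "carol": "summer2023"}
SALTS = {  # fixed per-user salts, constructed for the example
    "alice": b"D;%yL9TS:5PalS/d",
    "bob": b")<,-<U(jLezy4j>*",
    "carol": b"Qm2x8!vLp0sRtA7e",
}
PBKDF2_ITERATIONS = 100_000  # assumed work factor


class HashCounter:
    """Wraps SHA-256 and counts how many times the attacker had to call it."""

    def __init__(self) -> None:
        self.calls = 0

    def sha256(self, data: bytes) -> str:
        self.calls += 1
        return hashlib.sha256(data).hexdigest()


def build_unsalted_db() -> dict[str, str]:
    """Hashed value = SHA256(Password): no salt at all."""
    h = HashCounter()
    return {u: h.sha256(p.encode()) for u, p in USER_PASSWORDS.items()}


def build_salted_db() -> dict[str, str]:
    """Hashed value = SHA256(Password + Salt value), as in the formula above."""
    h = HashCounter()
    return {u: h.sha256(p.encode() + SALTS[u]) for u, p in USER_PASSWORDS.items()}


def build_slow_db(iterations: int = PBKDF2_ITERATIONS) -> dict[str, bytes]:
    """Salted and slow: PBKDF2-HMAC-SHA256 with a configurable iteration count."""
    return {u: hashlib.pbkdf2_hmac("sha256", p.encode(), SALTS[u], iterations)
            for u, p in USER_PASSWORDS.items()}


def crack_unsalted(db: dict[str, str]) -> tuple[dict[str, str], int]:
    """One precomputed table serves every user (and every other unsalted site)."""
    h = HashCounter()
    table = {h.sha256(w.encode()): w for w in WORDLIST}  # built once, reused
    found = {u: table[digest] for u, digest in db.items() if digest in table}
    return found, h.calls


def crack_salted(db: dict[str, str], salts: dict[str, bytes]) -> tuple[dict[str, str], int]:
    """Per-user salt: the table is useless, every guess is recomputed per user."""
    h = HashCounter()
    found = {}
    for u, digest in db.items():
        for w in WORDLIST:
            if h.sha256(w.encode() + salts[u]) == digest:
                found[u] = w
                break
    return found, h.calls


def crack_slow(db: dict[str, bytes], salts: dict[str, bytes],
               iterations: int = PBKDF2_ITERATIONS) -> tuple[dict[str, str], int]:
    """Salt plus work factor: each guess now costs `iterations` HMAC rounds."""
    guesses = 0
    found = {}
    for u, digest in db.items():
        for w in WORDLIST:
            guesses += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salts[u], iterations) == digest:
                found[u] = w
                break
    return found, guesses * iterations  # approximate cost in hash rounds


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(build_unsalted_db()))
    print("salted:  ", crack_salted(build_salted_db(), SALTS))
    print("pbkdf2:  ", crack_slow(build_slow_db(), SALTS))
```

All three attacks recover the same weak passwords, because the wordlist contains them; what changes is the price. Without a salt the attacker pays for the wordlist once (6 hashes for 3 users, and the table also reveals that alice and carol share a password). With a per-user salt the same wordlist has to be rerun for every user. With PBKDF2 each of those guesses additionally costs the full iteration count, which is what turns a dictionary attack on a leaked database from seconds into years.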
Today, organizations should use the following methods to protect passwords:
Strong password requirements - Organizations should require strong passwords, for example by mandating a mix of uppercase letters, lowercase letters, digits and symbols.
Minimum length requirements - Organizations should set a minimum password length; 8 to 12 characters is a common minimum, and longer is better.
Regular password expiration - Organizations often set a maximum password age. Note that current guidance (NIST SP 800-63B) recommends forcing a change only when there is evidence of compromise, because routine expiry pushes users toward predictable variations of their old password.
Password salting - When a user creates an account or sets a password, a unique random salt (typically 64 or 128 bits) is generated and combined with the password before hashing. In simple words, it is a technique that adds a random value to each password so that precomputed tables and shared-password shortcuts do not work.
Enforce strong password policies - Enforce the policy at the point where the password is set, so that a password that fails the minimum length or complexity requirements is rejected rather than relying on users to comply voluntarily.
Implement multifactor authentication - Implement multifactor authentication, especially for accounts that can access sensitive data, so that a cracked password alone is not enough to log in.
Monitoring - Monitor authentication logs to detect suspicious activity such as repeated failed logins against one account or logins from unusual locations.
When changing the password policy to make password cracking harder, I would make sure not to take any decision that introduces new weaknesses. I would take the following steps:
1 Two-factor authentication - Make sure all users can enable two-factor authentication (2FA); it adds an extra layer of security even if a password is cracked.
2 Educating the users - Educate users about how passwords get cracked and how to create a strong one; this protects them from the most common attacks.
3 Minimum length - Set a minimum length requirement for passwords.
4 Mandatory use of lowercase and uppercase letters
5 Update password policy - Set a maximum password age so that users rotate their passwords, and force an immediate reset for every user whenever a compromise of the password database is suspected.
As a result of the analysis, the following uplifts are proposed to increase the overall level of password protection:
Use a dedicated password hashing algorithm (bcrypt, scrypt, Argon2 or PBKDF2), as this greatly increases the time needed to crack individual passwords;
Implement per-user salting to prevent attackers from using rainbow tables or other precomputed hashes to speed up cracking;
Increase the minimum password length requirement to 10 characters; this increases the computational effort required to crack a password and gives additional time to change all passwords in the event of the password database being leaked;
Prevent passwords from being the same as the username or containing it; such password combinations are easy to check without gaining access to the password database itself.
It is advised to educate users on creating safe and easy to remember passwords. A password policy requiring long passwords with a number of special characters results in users writing passwords down or constantly resetting them. The best way to create a strong and user-friendly password is to use a passphrase (e.g. mygrannyschairhadstaples), ideally by combining a couple of completely random words. It's also advised to use some special characters and numbers as easy to remember substitutions to expand the key space (e.g. mYgranny$cha1rhadstaples).
Educate users on the benefits of password managers. A password manager allows very long and completely random passwords (e.g. M>?{tk6Cfep6BrZ4J)KZWQ8j) without the need to remember or write them down. A strong passphrase is still required as the master key to access the password manager.
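The two policy checks in the list above that can be enforced mechanically at registration time, the 10-character minimum and the rule that a password must not be, or contain, the username, as an added Python example (not code from the original post). It goes slightly beyond the text by also splitting the username on common separators and checking the reversed form, since "john.doe" choosing "JohnDoe2024!" or "eod.nhoj" is the same weakness. The `MIN_LENGTH` value and the separator set are assumptions for the example; the case-mix rule is deliberately left out because the passphrase advice below favours length over forced complexity.

```python
import re

MIN_LENGTH = 10  # proposed minimum from the uplift list above
# Assumed separators that commonly join parts of a username or e-mail address.
_SEPARATORS = re.compile(r"[.@_\-+ ]+")


def username_tokens(username: str) -> list[str]:
    """The full username plus its parts of 3+ characters, longest first.

    'john.doe@example.com' -> ['john.doe@example.com', 'example', 'john', 'doe', 'com']
    """
    lowered = username.lower()
    parts = {p for p in _SEPARATORS.split(lowered) if len(p) >= 3}
    parts.add(lowered)
    # Sort so the result (and the first reported violation) is deterministic.
    return sorted(parts, key=lambda t: (-len(t), t))


def check_password_policy(username: str, password: str) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for token in username_tokens(username):
        # Case-insensitive, forwards and reversed: 'abc1' also bans '1cba'.
        if token in lowered or token[::-1] in lowered:
            violations.append(f"contains username part '{token}'")
            break
    return violations


if __name__ == "__main__":
    for user, pw in [("abc1", "Tr0ub4dor"),
                     ("john.doe", "JohnDoe2024!"),
                     ("abc1", "1cbaSecret!!"),
                     ("abc1", "mygrannyschairhadstaples")]:
        print(user, repr(pw), check_password_policy(user, pw) or "OK")
```

Rejecting these combinations at registration costs nothing at login time and removes exactly the guesses an attacker tries first, before any hash has to be computed.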
Written by Chetan Kumar