A Brief Introduction to Password Security with Bcrypt - Part 1: Hashing

TL;DR

Understanding how hashing works will help you understand how to protect passwords and secrets within your applications. Hashing is not to be confused with encryption: encryption allows for encoding and decoding of the input, whereas hashing is a one-way conversion. Password attempts are passed into a hash function, and the resulting message digest is compared against the original for a match.

Background

At my day job, I was asked to dig into our use of Bcrypt for the hashing of passwords. The goal was to identify opportunities that may exist for the organization to upgrade its password security measures. In this 3-part series, I attempt to simplify and consolidate a lot of the information I learned into a concise introduction to hashing, Bcrypt, and suggestions that could enhance password security within your applications.

What is Hashing?

Hashing is the conversion of data into a fixed-length code using techniques that are difficult to reverse, and it is commonly used to secure user passwords. The process works by taking an input (the message) and passing it through a hash function, which produces a message digest. OWASP defines two key properties of hashing:

  1. It’s easy and practical to compute the hash, but “difficult or impossible to re-generate the original input if only the hash value is known.”
  2. It’s difficult to create an initial input that would match a specific desired output.

Hashing is not to be confused with encryption. Encryption algorithms convert data into a format known as ciphertext that cannot be understood without a key. Hashing provides a safer means of storing passwords than encryption, because there is no chance of decoding the password from the hashed text.

When hashing passwords, the original password is never stored or known to the application after the initial request. The message digest is stored in the database instead. In order to check if a password is correct, the password input from the user (message) is passed through the same hash function as the original password. The resulting two message digests are then compared for a match.

Hashing Algorithms

Many hashing algorithms exist today. Commonly used algorithms include MD5, SHA-1, SHA-256, and BCrypt. The SHA families of hashing functions, although popular, were designed to be computationally fast. That performance, which can be seen as a feature, is not optimal for password security: as hardware advances and processing power increases, the passwords become less secure. The reason for this lies in the way hackers are able to breach accounts from leaked message digests.

How Hashing Protects Against Attacks

Message digests are not reversible, so hackers must run a dictionary of common passwords or password possibilities through the hash function to generate what is known as a rainbow table. A rainbow table is simply a record set of potential passwords and their resulting message digests. Leaked message digests are compared against the table of known message digests in order to find matching passwords. As compute power increases and becomes less expensive, it becomes more economical to generate rainbow tables with new password possibilities. Because these tables are time-consuming to generate, they are commonly shared on the internet.

One strategy to narrow down a large database of leaked passwords is to find matching hashed passwords, as those are likely common passwords, and check those against the rainbow table first. Methodologies exist, such as “salting” a hash, to help combat these techniques. Salting and future-proofing against hardware advances make BCrypt, an industry standard, a great option for a hashing function. We discuss these features in more detail in part 2 of the series.
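
The store-and-compare flow and the effect of salting described above, as an added example that is not code from the original article. It uses PBKDF2 from Python's standard library as a stand-in slow hash rather than Bcrypt, and the account names, passwords and round count are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample accounts (not real data); two users share a password.
USERS = {"alice": "summer2024", "bob": "summer2024", "carol": "T7#qLw9!xz"}

PBKDF2_ROUNDS = 100_000  # assumed work factor for this demo


def unsalted_digest(password: str) -> str:
    """Fast, unsalted hash: equal passwords always give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password: str) -> tuple[bytes, bytes]:
    """Per-user random salt plus a deliberately slow hash (PBKDF2 stand-in)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(attempt: str, record: tuple[bytes, bytes]) -> bool:
    """Re-hash the attempt with the stored salt and compare in constant time."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def shared_digests(digests) -> int:
    """Count digest values that appear on more than one account."""
    return sum(1 for n in Counter(digests).values() if n > 1)


def demo() -> dict:
    weak = {user: unsalted_digest(pw) for user, pw in USERS.items()}
    strong = {user: salted_record(pw) for user, pw in USERS.items()}
    return {
        "weak_shared": shared_digests(weak.values()),
        "strong_shared": shared_digests(d for _, d in strong.values()),
        "good_login": verify("summer2024", strong["alice"]),
        "bad_login": verify("summer2023", strong["alice"]),
    }


if __name__ == "__main__":
    print(demo())
```

With the unsalted scheme, alice and bob end up with the same stored digest; with a per-user salt, their records differ even though the passwords match, and verification still succeeds only for the correct password.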

Summary

Understanding how hashing works will help you understand how to protect passwords and secrets within your applications. Hashing is not to be confused with encryption: encryption allows for encoding and decoding of the input, whereas hashing is a one-way conversion. Password attempts are passed into a hash function, and the resulting message digest is compared against the original for a match.

In the next part, we discuss the Bcrypt hashing algorithm and its features.

