When someone tells you to “do the math,” they’re usually implying you should recognize an obvious truth by making connections between basic facts.
There’s another form of doing the math, however, where the end result is not clarity, but an indecipherable string of characters. In fact, using a password hash can play an integral role in keeping critical information secure.
What Is Password Hashing?
You probably already use a lot of applications and platforms that benefit from the concept of a password hash every day, but that doesn’t necessarily mean you understand how it works. This is a primer that won’t require you to be an expert mathematician to grasp the fundamentals.
Definition and purpose of password hashing
What is a hashed password? We read our passwords in what is known as plaintext, and password hashing involves using an algorithmic process to scramble those letters, numbers and symbols so they can’t be understood. This form of the password is sometimes called ciphertext, and it prevents login credentials from being accessible by third parties like cybercriminals.
Importance of password hashing in protecting user data
The database an organization uses to store passwords might be protected by some kind of authentication solution, but data breaches can and do happen. If bad actors are able to break into the database and the passwords are in plaintext, they can immediately use those credentials to log into applications and platforms to steal data and cause other sorts of damage.
How password hashing works
How to hash a password? Like this: after passwords have been created, they get run through a password hash algorithm that scrambles them and can even combine them with a unique value known as a salt. Depending on the level of protection you want, this process may be repeated multiple times.
A password hash can be of a fixed size to comply with your security policy. A good password hash is also deterministic, which means the output will always be of the same size no matter how large the input that was originally used. These outputs should be slow to compute, which makes life more difficult when attackers attempt to compromise an organization’s defenses.
Most importantly, a password hash should be resistant to reverse-engineering, whereby threat actors could somehow use the same process to see the original plaintext version.
Once the process ends, the completed password hash is shared with its intended recipient and stored in ciphertext form on a database.
Different Types of Hashing Algorithms
Computer scientists first started developing hashing algorithms in the late 1950s. They are not only used for securing passwords but functions like managing documents, files and digital signatures.
Overview of common hashing algorithms used in password hashing
Early examples of password hash algorithms include MD5, which appeared in the early 1990s and was widely adopted by a number of businesses. Over time however, research has suggested MD5 can be hacked into by cybercriminals and newer algorithms are recommended.
Bcrypt, Argon2, Scrypt, PBKDF2, and the Secure Hash Algorithm 2 (SHA-2) family such as SHA-256, are all among the other commonly used password hash algorithms. Whirlpool, developed in 2000, takes a block cipher-based approach to password hashing to deliver better performance.
Strengths and weaknesses of each hashing algorithm
There are pros and cons to every hashing algorithm, of course. Take Bcrypt, which runs slower (which is a good thing) than some earlier algorithms and can resist brute force attacks. On the other hand, it is not designed to encrypt large amounts of data, so it may not be the best choice in some scenarios.
Argon2 can be more resistant to cyberattacks involving parallel-processing and is highly adaptable. However, it can eat up a lot in terms of compute resources, which may not be ideal for smaller organizations without a lot of IT infrastructure. The same advantages and disadvantages have been said about Scrypt.
For blockchain-based applications, SHA-256 has developed a good reputation for keeping each block immutable. Its drawbacks include being computationally intensive as well, and some researchers have suggested it can be vulnerable to length extension attacks, where threat actors add padding to a known hash to compromise an organization’s security. PBKDF2 has won high marks for ease of implementation, but the fact it takes a small amount of RAM means hackers could theoretically create custom hardware to accelerate attempts at cracking it.
Considerations for choosing the right hashing algorithm
Part of the hash function selection process comes down to purpose. Some are better for looking up data quickly versus offering cryptographic protection.
The second factor to consider is the volume of data that will be put through the hashing process, and what your organization requires from a security and performance perspective.
As noted in the previous section, you’ll also want to weigh the amount of compute resources a particular algorithm will draw from your existing IT infrastructure.
Adding Salt to Password Hashing
Putting too much salt on food can be bad for your health, but when you’re talking about password hashing, you could almost say the more salt, the better.
Explanation of password salting and its role in enhancing security
Password salting accomplishes two important and common organizational objectives at the same time. It makes hashed passwords more difficult for cybercriminals to read, and it does so without having an adverse or even noticeable impact on the experience of people using their credentials to access their applications.
Benefits of using salt in password hashing
Adding salt to passwords in the hashing process makes them increasingly complex and therefore more secure. If you’ve ever heard IT security experts talk about a “defense in depth” strategy, password salting could be seen as adding some of those extra layers that keep rogue actors at bay.
In fact, salting could be a proactive approach to warding off what are known as hash table attacks (sometimes called rainbow tables), whereby threat actors try to put together a precomputed dictionary of plaintext passwords to crack open a database.
Best practices for implementing salted password hashing
You can maximize the benefits of salted passwords by storing the salt and the password in a separate location. You can also use a unique salt for every password and every user, taking the complexity one step further.
Using a cryptographically secure pseudo-random number generator can ease the process of adding salt to password hashing. Just avoid potential pitfalls like including usernames as hash values.
Securing Password Hashes in Storage
Salting is one way to store hashed passwords, but there are others that are worth exploring too, depending on your organization and its approach to risk.
Methods for securely storing password hashes
Some organizations have used a cryptographic authentication technique dubbed “Peppering,” where they follow the hashing process by applying a hash-based message authentication code (HMAC) to the salted password. This acts as a sort of key, and therefore the pepper should be stored separately.
Some will also try to strengthen the security of hashed passwords by upgrading what is known as the “work factor.” This refers to the number of times a hashing algorithm has been applied to the password.
In general, choosing a strong password hashing tool and keeping up with security updates are effective methods to protecting the databases where passwords are stored. For some organizations, multi-factor authentication (MFA) can act as an extra safeguard for critical databases.
Importance of protecting password hash databases
Though password hashing makes it nearly impossible for threat actors to understand or use login credentials, the databases in which they care stored should never be easy to access.
In some organizations a database may contain more than just passwords, which also calls for strong defenses against hackers and other cybercriminals. Think of your passwords as your organization’s gold – which should be stored in something as strong as a bank vault.
Encryption techniques for safeguarding stored password hashes
Much like password hashing, encryption is a way to render sensitive data useless to outsiders. The difference is that unlike hashing, which is a one-way exercise, encrypted data can be easily decrypted by those with the right keys.
Examples here include the Advanced Encryption Standard (AES), which breaks down data into blocks and handles them separately in multiple rounds of processing. AES-256 is considered the strongest version of the standard, while other forms of encryption, such as XChaCha20, are gaining momentum as well.
Cracking Password Hashes
Cybercriminals are nothing if not bold and persistent. Despite hashing’s effectiveness, there is an ongoing effort to try and compromise passwords processed through these algorithms.
Overview of common methods used to crack password hashes
A lot of the most common approaches to cracking password hashes involve some form of organized guesswork.
In dictionary attacks, for instance, threat actors will use compile or apply a list of commonly used passwords in the hopes one or more of them will match a correct login credential. Some hackers will buy stolen databases on the dark web and try using the passwords stored in them, otherwise known as credential stuffing attacks.
Brute-force attacks are even more comprehensive, whereby cybercriminals will use massive amounts of compute power to run through every character combination they can to break into an application or platform. Rule-based attacks, meanwhile, will focus on cracking passwords based on numbers, symbols, the characters’ case and the order of characters.
Then there are rainbow attacks, which were described in an earlier section of this post. Hackers don’t always limit themselves to just one of these approaches, though; hybrid attacks are those which mix and match various kinds of password-cracking techniques in order to save time and improve the odds of getting through.
Techniques for protecting against hash cracking attacks
Salting helps defend against most forms of dictionary attacks, credential stuffing and brute-force attacks, fortunately.
Putting additional obstacles in threat actors’ way can also improve your security posture. Introducing MFA, for instance, requires accessing a system not simply based on a password but an additional factor such as answering a security question or using a hardware key that will be physically carried by a legitimate user.
The role of password complexity and length in hash security
Password hashing works even better when it’s coupled with a strong password policy that is followed by all users.
The basics here include creating passwords that are long, complex and which are already difficult to guess by anyone else. Making sure that these passwords aren’t stored in plaintext on a user’s mobile device or in an unsecured drive will also go a long way towards avoiding challenging cybersecurity scenarios.
Benefits of Using a Password Manager Like LastPass
The reality for many organizations is that no one wants to have to put a lot of time creating, storing and managing passwords, especially when there are many different applications and systems that need to be accessed by a number of different people.
It’s an area where you want to lean on automation, which is where LastPass comes in.
How password managers simplify password management
Password managers like LastPass put an end to having to keep track of a list of passwords that unlock applications that employees and customers depend on every day to accomplish a wide range of functions.
Instead, LastPass is an example of a password manager with autofill capabilities that blend convenience and time-savings with the level of security that businesses require. The benefits here aren’t limited to a single device like your smartphone: cross-platform compatibility lets you sync your passwords across PCs, tablets or almost anywhere else you’ll use a web browser to log into an application or system.
Integration of password hashing in password managers
LastPass already uses industry-standard hashing and salting techniques, which means you don’t have to treat the process as a separate, discrete activity. Knowing your passwords are secure means you can spend more time focusing on the business issues that matter, rather than worrying about potential cybercriminal activity.
Additional security features offered by password managers
LastPass doesn’t only help generate and manage strong passwords. It also stores them in an encrypted vault where you can also put payment information, notes and other content.
A zero knowledge-based approach to the encrypted vault lets LastPass users rest assured that their data is visible to their eyes only. LastPass even monitors the dark web on a regular basis to provide notifications and alerts about potential security issues. This provides organizations with proactive control over how they protect their data, even as the threat landscape continues to change and attack techniques evolve.
Tired of trying to hash out password protection on your own? Start your LastPass trial today.
