Password Hash Security: Is it Possible?

TL;DR

No password hash is completely secure forever. However, using strong hashing algorithms with salting and key stretching makes them incredibly difficult to crack in practice. Regular updates to your hashing methods are essential as computing power increases.

Understanding Password Hashing

When you create a password, it shouldn’t be stored directly in a database. Instead, a one-way function called a hash is used. This turns the password into a fixed-size string of characters. The key benefits are:

• One-Way: You can’t easily get the original password back from the hash.
• Fixed Size: Regardless of your password length, the hash will always be the same size.

However, simple hashing is vulnerable to attacks like rainbow table attacks.

Why Password Hashes Aren’t Forever Secure

1. Increased Computing Power: As computers get faster, it becomes easier to try more password guesses.
2. Algorithm Weaknesses: New vulnerabilities in hashing algorithms are discovered over time.
3. Rainbow Tables & Pre-computed Attacks: Attackers can pre-calculate hashes for common passwords.

Making Password Hashes More Secure

Here’s how to significantly improve password hash security:

1. Use a Strong Hashing Algorithm

Avoid older algorithms like MD5 and SHA-1, which are known to be weak. Good choices include:

• bcrypt: A popular algorithm specifically designed for password hashing.
• scrypt: More memory intensive than bcrypt, making it harder to crack with custom hardware.
• Argon2: The current recommended choice; offers good resistance against GPU and ASIC attacks.

Example (Python using bcrypt):

import bcrypt

hash = bcrypt.hashpw(b'mysecretpassword', bcrypt.gensalt())
print(hash)

2. Salt Your Hashes

A salt is a random string added to each password before hashing. This prevents attackers from using pre-computed rainbow tables.

• Unique Salts: Each password must have a different, randomly generated salt.
• Store the Salt: Store the salt alongside the hash in your database.

The bcrypt example above automatically handles salting.

3. Key Stretching

Key stretching involves repeatedly hashing the password multiple times. This slows down attackers and makes brute-force attacks more difficult.

• Cost Factor: The number of iterations determines the cost factor. Higher cost factors increase security but also require more processing power.

bcrypt, scrypt, and Argon2 all incorporate key stretching.

4. Regular Updates

1. Algorithm Review: Stay informed about the latest vulnerabilities in hashing algorithms.
2. Cost Factor Adjustment: Increase the cost factor periodically as computing power increases.
3. Migration: If a vulnerability is discovered, migrate to a stronger algorithm.

Checking Passwords

When a user tries to log in:

1. Retrieve the salt from the database for that username.
2. Hash the entered password using the retrieved salt and the same hashing algorithm used during registration.
3. Compare the resulting hash with the stored hash. If they match, the password is correct.

Example (Python):

import bcrypt

hash_from_db = "$2b$12$EXAMPLEHASH"
password_attempt = b'mysecretpassword'

if bcrypt.checkpw(password_attempt, hash_from_db):
    print("Password matches!")
else:
    print("Incorrect password.")

Conclusion

While no password hash is 100% secure forever, using strong algorithms (bcrypt, scrypt, Argon2) with unique salts and key stretching significantly increases security. Regular updates are crucial to stay ahead of evolving threats in cyber security.