There are many ways in which we can store application passwords securely. We can
use existing frameworks like the membership provider in .NET, and there are other
3rd party providers as well. We can use either encryption or hashing for this,
but the most widely used way of securing passwords is hashing.
First of all we need to understand that hashing and encryption are totally
different methods in cryptography. Bit confused eh ? ;) let me explain..
In encryption what we are doing is using one or several keys to do the
encryption. With a single shared key this is called symmetric encryption, and
normally it is a reversible process.
But hashing is a one-way process, i.e. there is nothing called un-hashing.
Hashing uses deterministic algorithms. We use our hashing algorithm to create
the hash from the value we need to protect ( the password ) and store that hash.
So when we need to check the value again ( during the login process, as an
example ) the hashing algorithm generates the hash again from the given password
and checks it against the saved value.
Normally hashing algorithms themselves are not cracked. Instead, what attackers
do is take an existing password list, generate the hashes and compare them via
brute force. We can use tools such as hashcat for this process. Attackers use
consumer hardware such as high end GPUs to perform these kinds of brute force
cracks. As an example, the VS2010 membership provider ( which uses SHA1 by
default ) can be cracked up to 60% within 15 mins.
Rainbow tables
Rainbow tables are precomputed hashes that we can use to compare rapidly against
the hashes of breached accounts. RainbowCrack provides pre-configured rainbow
tables to download, but these files are huge. As an example, the md5_ascii
collection for password lengths 1 to 8 is around 576GB.
How to secure hashing
Technically we can't secure hashing 100%. What we can do is slow down the
cracking process, so that the brute force attack on it takes a much longer
time.
Using Salt
A salt is a sequence of random bytes which gets appended to the value
( password ) we need to store securely. The salt is also saved along with the
hashed password. This eliminates the use of rainbow tables up to some limit.
But if we have a rainbow table built for that salt, we can still use brute
force, though it would take a much longer time to do the cracking.
Using hash algorithms which takes much longer time to compute
VS2012 uses PBKDF2 ( Password Based Key Derivation Function ) with HMAC-SHA.
This hashing process iterates 1000 times in the crypto.cs class which comes
with the VS2010. To compare this with the VS2010 method, this takes 10 days
( with 1 GPU ) to crack with a brute force attack, compared to 14 mins in
VS2010. But still, it is a matter of time !
Use much stronger hashing algorithms
Instead of using standard hashing algos, we can switch to much stronger
hashing algorithms such as BCrypt or Zetetic. Zetetic can replace the .NET
membership provider with some configuration changes. Zetetic uses 5000
iterations of PBKDF2.
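As an added example that is not the page's own code nor Zetetic's or the crypto.cs class, here is the salted, iterated PBKDF2-HMAC scheme from the salt and PBKDF2 sections above, in Python using hashlib: the salt and iteration count are stored with the hash, the login check recomputes it, and the last function measures how the work factor cuts the guess rate at 1000 versus 5000 iterations. The record format, SHA-256 as the HMAC hash, and the salt and output lengths are assumptions for this example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constants assumed for this example; the page only gives the iteration counts.
SALT_BYTES = 16   # random salt length stored beside each hash
HASH_BYTES = 32   # PBKDF2 output length (HMAC-SHA256)

def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' for storage."""
    if salt is None:
        # Fresh salt from the OS CSPRNG: stored in the clear next to the hash,
        # it is not a secret, it only makes precomputed (rainbow) tables useless.
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=HASH_BYTES)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Login check: rebuild the hash from the stored salt and iteration count."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex),
                                    int(iterations), dklen=HASH_BYTES)
    # Constant-time compare so a mismatch does not leak how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))

def guesses_per_second(iterations: int, samples: int = 20) -> float:
    """Rough single-core guess rate at this work factor: more iterations, fewer
    guesses per second, which is the slowdown the text describes."""
    salt = b"\x00" * SALT_BYTES  # constructed fixed salt; only the timing matters
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"guess{i}".encode(), salt, iterations, dklen=HASH_BYTES)
    return samples / (time.perf_counter() - start)

if __name__ == "__main__":
    record = hash_password("correct horse battery staple", 5000)
    print(record)
    print(verify_password("correct horse battery staple", record))      # True
    print(verify_password("wrong password", record))                    # False
    print(hash_password("same", 1000) != hash_password("same", 1000))   # True: salt differs
    for it in (1000, 5000):
        print(f"{it} iterations: ~{guesses_per_second(it):.0f} guesses/s")
```

The guess rate printed for 5000 iterations is roughly a fifth of the rate for 1000, which is the whole point of raising the work factor: an attacker with a GPU gets the same proportional slowdown per guess.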