Hashing passwords … How much security we can guarantee ??

There are many ways where we can store application passwords securely. We can use existing frameworks like membership provider in .Net and there are other 3^rd party providers as well. We can use either encryption or hashing in this regard but the most famous way of securing passwords is hashing.

First if all we need to understand that Hashing and Encryption are totally different methods in cryptography. Bit confused eh ? ;) let me explain..

In Encryption what we are doing is we are using one or several keys to do the encryption. So this is called symmetric encryption and normally it is a reversible process.

But Hashing is a one-way process, ie : there is nothing called un-hashing. Hashing using deterministic algorithms. We use our hashing algorithm to create the hash with a the value we need to hash ( password ) and store them. So when we need to do check the value again ( during login process as an example ) the hashing algorithm generates the hash again with given password and check against the saved value.

Normally hashing algorithms are not cracked. Instead, what attackers do is , they are using existing password list and generate hashes and compared vis brute force. We can use tools such as hash cat for this process. Attackers using consumer hardware such as high end GPUs to perform these kind of brute force cracks. If we take an example , the VS2010 membership provider ( default using the SHA1 ) can be cracked up to 60% within 15 mins.

Rainbow tables

Rainbow tables are pre compute hashes where we can use to compare rapidly with breached accounts. Rainbow crack provides pre-configured rainbow tables to download. But these files are huge. As an example , md5_ascii collection for password length 1 to 8 is around 576GB.

 How to secure hashing

Technically we cant secure hashing 100% . What we can do is, we can slow down the cracking process hence it is taking much longer time to do the brute force attack on it.

Using Salt 

Salt is a sequence of random bytes which got appended with the value ( password ) we need to store securely. So the salt is also saved along with the hashed password. This would eliminate the use of Rainbow tables up to some limit. But if we have a salt rainbow table, still we can use the brute force but would take much longer time to do the cracking.
 

Using hash algorithms which takes much longer time to compute

VS2012 using the PBKDF2( Password base key derivation function)  with HMAC-SHA. This hashing process iterates 1000 times in the crypto.cs class which comes with the VS2010. To compare this with VS2010 method, this takes 10 days( with 1 GPU ) to crack with brute force attack compared to 14 mins in VS2010. But still, it is a matter of time !

Use much stronger hashing algorithms

Instead of using standard hashing algos , we can switch to much stronger hashing algorithms such as BCrypt or Ztetic. Ztetic can be replaced .Net membership provider with some configuration changes. Ztetic using 5000 computations of PBKDF2.