<p><strong>Three Defenses to Solve the Problem of Storing Password</strong></p>
<p>Published 2017-10-27 at https://www.dogoodsoft.com/blog/storing-password-1055/ (tags: dictionary attack, hash, password).</p>
<p><img src="https://www.dogoodsoft.com/blog/wp-content/uploads/2017/10/1055-1.jpg" alt="Three Defenses to Solve the Problem of Storing Password" width="700" height="222" /></p>
<p>One of the biggest concerns around managing the passwords of an organization’s employees lies in how to store those passwords on a computer.</p>
<p>Keeping every user’s password in a plain text file, for example, is too risky. Even if there are no bugs that carelessly leak the passwords to the console, there’s little to stop a disgruntled systems administrator from taking a peek at the file for pleasure or profit. Another line of defense is needed.</p>
<p><strong>Let’s hash it out</strong></p>
<p>Back in the 1970s, Unix systems began to ‘hash’ passwords instead of keeping them in plain text. A hash function calculates a value (such as a number) from each password or phrase in such a way that, while the calculation itself is easy, running it ‘in reverse’ – recovering the original password from the value – is hard.</p>
<p>By way of illustration, suppose we take an English word and assign each letter a value: A=1, B=2, C=3 and so on. Each adjacent pair of letters in the word is multiplied together, and the products are added up. The ‘hash’ of the word is this total, so the word BEAD has a hash value of (B×E) + (E×A) + (A×D) = (2×5) + (5×1) + (1×4) = 19. FISH scores 377, LOWLY scores 1101, and so on. (A toy like this is only an illustration: plenty of different words share the same small total here, whereas a real hash function such as SHA-256 produces a fixed-size output so large that two different inputs effectively never share a value.)</p>
<p>Using this system, the password file stores a number for each user rather than the password itself. Suppose, for example, that the password file entry for me holds the number 2017. When I log in, I type my password, the computer carries out the calculation above and, if the result is 2017, it lets me in. If the calculation gives any other value, access is denied.</p>
<p>As all that’s stored in the password file is the value 2017, and not my actual password, a hacker who steals the entire contents of the file still has a puzzle to solve before they can log in as me.</p>
<p><strong>Verbal attack</strong></p>
<p>Although hashed passwords are more secure than plaintext, a problem remains. A dictionary attack takes a list of all English words (in practice, a list of commonly used passwords) and calculates their hash values one by one; if my password is in the list, it will be found eventually. That may sound like a painful amount of work, but the point is that the work is done once: the resulting table doesn’t just crack my password, it cracks every password that was hashed with the same function.</p>
<p>The attacker builds an index sorted by hash value, adding each word as its hash is calculated: BAP goes on page 18, for example, BUN on page 336, and CAT on page 23. ‘Reversing’ the hash function is then just a matter of looking up the value in the index – turn to page 2017 and you’ll find my password (along with any other word that happens to hash to 2017, any of which would also log in as me).</p>
<p>During World War II, the cryptanalysts at Bletchley Park did literally that: they worked out every possible way in which the common German word ‘eins’ could be enciphered by the Enigma machine, recording the machine settings as they went. The results were sorted alphabetically into the so-called ‘eins catalogue’, so that if the codebreakers could guess which ciphertext letters represented the plaintext ‘eins’, they could simply rummage through a battered green filing cabinet and pull out the key.</p>
<p><strong>Salt in the wound</strong></p>
<p>The next layer of defense against a dictionary attack is salt. In a salted hash scheme, a random variation to the calculation is chosen separately for each user’s password. One user could have A=17, B=5, C=13 and so on, for example, and another could have A=4, B=22, C=17. The password file then stores both the salt (the A, B, C values) and the hash result. The computer can still carry out a quick calculation to check a password, but the variation means that the same password produces a different hash value for each user.</p>
<p>It is therefore impossible to compile a single dictionary that reverses the hash for everyone: the attacker’s table has to be rebuilt from scratch for every salt, which is to say for every user. Note what salt does not do: since the salt sits in the stolen file right next to the hash, it makes no individual password harder to guess, and a weak password still falls to a dictionary attack aimed at that one user. What salt removes is the ability to do the work once and reuse it against everyone; as a side benefit, it also hides which users have chosen the same password.</p>
<p>Finally, the best modern systems use a so-called iterated hash. The idea is to make the hash function itself expensive to calculate by re-hashing the data thousands of times; PBKDF2, bcrypt, scrypt and Argon2 are the standard choices. This slows down the computer checking passwords, but anyone searching for a password is slowed by the same factor on every guess. The end result is a computing-power arms race between system administrators and hackers, but one that favours the defender: a site pays for one slow hash per legitimate login, whereas the attacker pays for every one of billions of guesses, and if you’re Amazon or Microsoft you can afford to raise the cost further still.</p>
<p>Protecting user passwords is critical to the security of an organization’s confidential files and information. It’s vital, therefore, never to store passwords in the clear, and instead to hash them with a per-user salt and a deliberately slow function, so that even the most determined criminal who steals the password file will find recovering them impractical.</p>
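<p>The letter-pair hash, the attacker’s index and per-user salting described in the post, worked through in Python as an added example. This is not code from the original post: the function names, the seeded demo and the short word list standing in for ‘every English word’ are constructed for the example.</p>

```python
"""Toy illustration of the post's letter-pair hash, a dictionary-attack index
and per-user salting.  Added example, not code from the original post; the
helper names and the constructed word list are this example's own."""
import random
from collections import defaultdict

ALPHABET = [chr(ord("A") + i) for i in range(26)]
DEFAULT_VALUES = {letter: i + 1 for i, letter in enumerate(ALPHABET)}  # A=1 ... Z=26


def toy_hash(word, values=DEFAULT_VALUES):
    """Multiply each adjacent pair of letters and add the products up (BEAD -> 19)."""
    w = word.upper()
    if not (w.isascii() and w.isalpha()):
        raise ValueError("the toy hash handles the letters A-Z only")
    return sum(values[a] * values[b] for a, b in zip(w, w[1:]))


def build_index(wordlist, values=DEFAULT_VALUES):
    """The attacker's index: hash value -> every word in the list that produces it.
    Built once against the unsalted function, it reverses every user's hash."""
    index = defaultdict(list)
    for word in wordlist:
        index[toy_hash(word, values)].append(word.upper())
    return dict(index)


def reverse_lookup(index, stored_hash):
    """'Turn to page N': candidate passwords for a stolen hash (may be several, may be none)."""
    return index.get(stored_hash, [])


def make_salt(rng):
    """Per-user salt: a random assignment of the values 1..26 to the letters A..Z,
    the post's 'A=17, B=5, C=13' idea carried through the whole alphabet."""
    shuffled = list(range(1, 27))
    rng.shuffle(shuffled)
    return dict(zip(ALPHABET, shuffled))


def store_password(password, rng=None):
    """What the password file keeps for one user: the salt and the salted hash.
    Real use draws the salt from the OS CSPRNG; the demo passes a seeded rng."""
    salt = make_salt(rng if rng is not None else random.SystemRandom())
    return {"salt": salt, "hash": toy_hash(password, salt)}


def check_password(entry, attempt):
    """Login check: rerun the calculation with the user's own stored salt."""
    return toy_hash(attempt, entry["salt"]) == entry["hash"]


# Constructed stand-in for 'every English word' (no two collide under the toy hash).
WORDLIST = ["bap", "bun", "cat", "bead", "fish", "lowly", "salt", "hash"]


def demo():
    index = build_index(WORDLIST)           # the attacker's one-off precomputation
    rng = random.Random(2017)               # fixed seed so the demo is reproducible
    alice = store_password("fish", rng)
    bob = store_password("fish", rng)       # same password, different salt
    return {
        "unsalted FISH": toy_hash("fish"),
        "page 377 of the index": reverse_lookup(index, 377),
        "alice salted hash": alice["hash"],
        "bob salted hash": bob["hash"],
        "unsalted index applied to alice": reverse_lookup(index, alice["hash"]),
        "alice logs in with 'fish'": check_password(alice, "fish"),
        "alice logs in with 'fishy'": check_password(alice, "fishy"),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

<p>Running it shows the two halves of the argument side by side: the unsalted index reverses 377 to FISH immediately, while the same word stored under two random salts yields two unrelated numbers that the index either cannot find or resolves to the wrong word. The toy also shows why collisions matter: with such a small output, a reverse lookup can return several candidates, and any of them would pass the login check.</p>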
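<p>The same three defenses (hashing, per-user salt, deliberate iteration) with a real password hash, using PBKDF2-HMAC-SHA256 from Python’s standard library. This is an added example, not the post’s code: the record format, the helper names and the rehash-on-login policy are this example’s own, and the iteration count assumes OWASP’s 2023 recommendation of 600,000 for PBKDF2-HMAC-SHA256.</p>

```python
"""Salted, iterated password storage with the standard library's PBKDF2.
Added example, not the post's code; record format and helper names are the
example's own."""
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # current work factor (OWASP's 2023 figure for PBKDF2-HMAC-SHA256)
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash stored as one self-describing record:
    algorithm$iterations$salt_hex$digest_hex.  The salt is random per user and
    is kept in the clear beside the digest, as the post describes."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def parse_record(record: str):
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported password record {algorithm!r}")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(record: str, attempt: str) -> bool:
    """Redo the calculation with the stored salt and work factor, then compare
    in constant time so the comparison itself leaks nothing about the digest."""
    iterations, salt, expected = parse_record(record)
    actual = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, current_iterations: int = ITERATIONS) -> bool:
    """The arms race in practice: when policy raises the work factor, records
    written under the old one are flagged for upgrade."""
    iterations, _, _ = parse_record(record)
    return iterations < current_iterations


def login(record: str, attempt: str) -> tuple:
    """Check a password and, if it is right but stored with an outdated work
    factor, return the upgraded record to write back.  The upgrade can only
    happen at a successful login, the one moment the plaintext is available."""
    if not verify_password(record, attempt):
        return False, record
    if needs_rehash(record):
        return True, hash_password(attempt)
    return True, record


if __name__ == "__main__":
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")   # same password, different salt
    print(alice)
    print(bob)
    print("distinct records for the same password:", alice != bob)
    print("alice verifies:", verify_password(alice, "correct horse battery staple"))
    print("wrong password:", verify_password(alice, "Correct horse battery staple"))
```

<p>Everything the post asks for is in the record: the digest (hash), a fresh random salt per user so that two identical passwords produce unrelated records, and the iteration count, stored alongside so the work factor can be raised later without invalidating existing accounts. Use the fixed-salt, low-iteration form of <code>hash_password</code> only for tests; production calls take the defaults.</p>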