Cryptography

1 Storing Passwords

passwords.jpg

Learn It

  • Passwords are an annoying but necessary security measure.
  • Sometimes passwords are used to authenticate you (prove you are who you say you are) and other times they are used as keys in encryption (like in the "bacon" example in the video on Vigenere Cipher).
  • Have you ever thought how password authentication works?
  • At a login form, you type in your username and password and the website can somehow check that the password you typed in is the correct one.
  • But how does it know?

Learn It

  • Have you ever forgotten your password to a website?

passwords2.png

  • Most websites have a link that you can click if you've forgotten your password.
  • One of two things then tends to happen…
    1. The website emails you your password
    2. The website emails you a link to reset your password.
  • You might find the latter option to be annoying, as you have to think up a new password, but if the site has emailed you back your password, that means they must have it stored somewhere as Plaintext.
  • It is a bad idea to store users' passwords in Plaintext. If a site gets hacked then the crackers will have access to everyone's password.
  • For this reason, websites tend not to store passwords. Instead your password is encrypted using a Cryptographic Hash Function.

Try It

  • We're going to use a simple but unsafe Hashing algorithm that could be used to check passwords.
  • Think of a password you might use for a website. It must only contain letters and numbers (no punctuation or spaces).
  • Write out your password on some paper or a text document.
  • e.g.
h0rs3batt3rystapl3
  • Underneath the password, write down the value for each letter with A = 0 and Z = 25, numbers retain their original value.
h 0 r  s  3 b a t  t  3 r  y  s  t  a p  l  3
7 0 17 18 3 1 0 19 19 3 17 24 18 19 0 15 11 3

-Next add up all the digits of the numbers

7+0+1+7+1+8+3+1+0+1+9+1+9+3+1+7+2+4+1+8+1+9+0+1+5+1+1+3
=95
  • Then keep adding the digits until you end up with a single digit number.
9+5
=14
1+4
=5
  • So the hash (by this method) of h0rs3batt3rystapl3 is 5

Learn It

  • Most websites store your hashed password. In the above example they would store a 5.
  • When you want to login, you type in your password and it is instantly hashed and then compared to the hash in the server's database.
  • It's very easy for the computer to check that h0rs3batt3rystapl3 is hashed to 5, but impossible for a cracker to reverse the 5 and figure out your password is h0rs3batt3rystapl3.

Try it

  • Write down the password and hash that you worked out in the Try it section above. Then find out the passwords and hashes for 5 of your friends and write them down as well.
User Password Hash
     
     
     
     
     
     
  • In your own words, why would it not be a good idea for a website to use the hashing algorithm we used above to hash passwords?

Learn It

  • So if the hashing algorithm we used above is poor, what's a better one?
  • Watch this video on storing passwords and answer the questions in the Badge It section below.

Badge It

  1. Why should passwords not be stored in plaintext?
  2. Give two reasons why should you not store passwords in an encrypted format?
  3. Why is it a poor idea to save password hints in a database.
  4. What's wrong with just hashing a password?
  5. What is a salt?
  6. You will be awarded silver or gold depending on the quality of your answer.

Learn It

  • Let's have a look at a pretty good hashing algorithm.
  • The MD5 hashing algorithm has been around for quite some time, but it is not advised that it be used to hash passwords as on modern hardware it can be cracked.
  • However, the MD5 hashing algorithm is good enough to see how hashing works.

Try It

  • So using the MD5 Hashing algorithm we can get what seems to be an irreversible hash of strings.
  • Let's try what Tom Scott suggests in the video though using the code in the Trinket below.
  • Input the common password 'qwerty123456'
  • Input "N" for not adding randomness
  • Now copy and paste the generated MD5 hash into a Google Search box and see what results you get back
  • Now try hashing the string "qwerty123456" again, but this time choose to add the random number (salt) to the end.
  • password0.2820163283196919 for instance produces 5c9b95def2914a66063f67ee0255e47e
  • Now try searching for the hash you produced on Google.
  • Hopefully you can now see why salting passwords is so important.

Badge It - Platinum

  • Use the MD5 hashing algorithm to find the unsalted hashes of some common passwords that people might use e.g qwerty
  • Identify hashes can be reversed with a simple Google search.
  • Use the examples you have generated along with what you have learned in this lesson to write up a document giving advice to users on why they should use strong and unique passwords on websites, and why their password hints should not be directly related to their password.