Improved hashing algorithm

Post Reply

Author	Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic
Gullanian Members Profile Find Members Posts Senior Member Joined: 04 January 2002 Location: England Status: Offline Points: 4373	Post Options Post Reply Quote Gullanian Report Post Thanks(0) Quote Reply Topic: Improved hashing algorithm Posted: 20 March 2011 at 8:06pm
	Looking at the login code and registration code for WWF, it appears the password hash is only the product of one round of hashing. If you re-hash the password multiple times, so it takes a significant fraction of a second to perform the hash, it makes brute forcing everyone's accounts password exponentially take longer. With one round of hashing, you could probably write a script to brute force one persons password within a matter of hours, if you rehash the brute force will take significantly longer. More reading: http://stackoverflow.com/questions/3566504/why-do-salts-make-dictionary-attacks-impossible

WebWiz-Bruce Members Profile Find Members Posts Admin Group Web Wiz Developer Joined: 03 September 2001 Location: Bournemouth Status: Offline Points: 9844	Post Options Post Reply Quote WebWiz-Bruce Report Post Thanks(0) Quote Reply Posted: 21 March 2011 at 7:46am
	The page you link to bases the theory on brute force hacking with a list of 10,000 common passwords. This means that it doesn't matter how many times you hash the password, if the users password is one of the 10,000 common passwords the brute for hack would still find the password anyway. You are also assuming that the database is left unsecured to allow the hacker to get access to the data to obtain the users salt value. Web Wiz Forums also uses CAPTCHA after 3 unsuccessful logins for an account to prevent brute force hacking, so the only way this brute force hack can be done is if the hacker has full access to the data in the database to run directly against the database and not through Web Wiz Forums. The hashing of passwords in the Web Wiz Forums database is only used to ensure that in most circumstances if someone gets hold of the database they can not see the users passwords. If a hacker with time on their hands gets hold of your database then you are screwed anyway, no matter how many times you hash passwords, which means the important thing is make sure your database is secure.
	Web Wiz Forums Hosting ASP.NET Web Hosting

Gullanian Members Profile Find Members Posts Senior Member Joined: 04 January 2002 Location: England Status: Offline Points: 4373	Post Options Post Reply Quote Gullanian Report Post Thanks(0) Quote Reply Posted: 21 March 2011 at 12:12pm
	Thanks for replying! I think you might of slightly misunderstood me though, assume that a database is compromised, along with the hashing algorithm, and along with all your user records. Pretty much everything, which is something that should probably be assumed when an attack has taken place. I think it's quite important to still protect peoples user names and password even in this circumstance, as quite often people use common user names/passwords across multiple web accounts, say for example Paypal, or a poker site. So if someone gained access to you database, either because they failed to set it up properly on the website, or because a rogue web host decided to copy it over, or the webmaster made an error at some point, or for any other reason, you have a breach which could potentially be damaging to users on other websites, without the users knowledge of the source of the compromise. Now assume the minimum password requirement was 5 chars, allowing any alphanumeric chars. The minimum search space is: 35^5 = ~52,000,000 possible passwords and lets say we want to crack all passwords < 8 chars: 35^7 = 64,000,000,000 possible passwords Now if I write a script to iterate through every combination of password, 64 billion of them, at a rate of 1 billion per second (conservative rate), it would take a maximum of 60 seconds for me to uncover a single users password. So a database with 5,000 users, I can brute force all their passwords within worst case 4 days, as long as all their passwords are <8 chars. I can then try logging in with their details across lots of different sites to see if I can gain access. If the password is stored rehashed, say 2,000 times, a brute force attack on a single users password would take worst case 34 hours to crack a single users password, it would then take worst case 20 years to crack everyone's passwords. It would render such an attack pretty difficult and unachievable/unworthwhile for most hackers. They could cherry pick users and spend 30 hours brute forcing the password but the majority of users will be safe. This way, if I operated a site and the database was exposed at some point, I would still alert users they should change their passwords, but I wouldn't send out a message saying it's VERY important they change their passwords as they are easily brute forceable. I'm acutely aware I haven't been on these forums for a long time, so I hope you aren't taking this as negative criticism, I'm fully aware that you are very security concious and have written WWF excellently, this is just a suggestion to improve security if ever a database was compromised, which I think is more likely to happen on freely distributed software. Edited by Gullanian - 21 March 2011 at 12:16pm

WebWiz-Bruce Members Profile Find Members Posts Admin Group Web Wiz Developer Joined: 03 September 2001 Location: Bournemouth Status: Offline Points: 9844	Post Options Post Reply Quote WebWiz-Bruce Report Post Thanks(0) Quote Reply Posted: 22 March 2011 at 12:44pm
	I can see where you are coming from, the problem with say hashing the password 2,000 times is that the hashing of passwords does take a considerable amount of resources. I ran some tests on a new Intel Xeon Quad Core Server to hash the password 2000 times and found that it timed out after 90 seconds, even changing it to hash 100 times took 20 seconds and topped out CPU Cores. This means that on the registration page where hashing takes place twice it would take 40 seconds to hash the password 100 times during registration which time the whole server would slow down due to high CPU utilisation. This means that both the person registering would get annoyed having to wait 40 seconds and the server admin would not be happy with the CPU resources used. With it taking 20 seconds to hash 100 passwords it works out at 5 per second rather than your estimate of 1 billion per second, which means that it would take around 416 years just to crack one password at 8 characters long. With version 10 there is also the option of the admin enabling complex passwords where the minimum length can be set along with them being case sensitive and alphanumerical, which would make passwords harder to crack. In 10 years there have been no issues of passwords being cracked and if you left your database compromised there is allot more data in there such as email addresses, names, etc. that would be more valuable and economic to use rather than trying to crack the passwords. Edited by WebWiz-Bruce - 23 March 2011 at 5:00pm
	Web Wiz Forums Hosting ASP.NET Web Hosting

Post Reply

Forum Jump

Forum Permissions View Drop Down

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot delete your posts in this forum
You cannot edit your posts in this forum
You cannot create polls in this forum
You cannot vote in polls in this forum