Commit 7587546

Talking a bit about hashing
1 parent 50147d1 commit 7587546

1 file changed

+6
-2
lines changed

Blog 5.2 - Password Hashing.md

@@ -4,9 +4,13 @@ Storing passwords is always a tricky proposition. For a great number of sites th
44

55
Authorization is the act of matching a user with a set of permissions. So I could be authenticated as Simon and authorized to edit bugs.
66

7-
When storing a password there are a couple of ways to do it - most all of them are wrong. Encryping passwords seems like a good idea at first but if the encrypted passwords are leaked, as seems to happen with alarming regularity, then an attacker could decrypt the passwords. This is a bad situation because many people reuse passwords from site to site. With a password and an e-mail address it is possible the attacker could log inot a banking website. This is the reason that it is recommended that you use distinct passwords for each website.
7+
When storing a password there are a couple of ways to do it - most all of them are wrong. Encryping passwords seems like a good idea at first but if the encrypted passwords are leaked, as seems to happen with alarming regularity, then an attacker could decrypt the passwords. This is a bad situation because many people reuse passwords from site to site. Not only do you put your own site at risk but also other sites. With a password and an e-mail address it is possible the attacker could log into a banking website or some other high impact site. This is the reason that it is recommended that people use distinct passwords for each website.
88

9-
Hashing passwords is a far better idea. A hash is a one-way function that cannot be reversed to reveal the password. When hashing it is important to hash not just the user's password but to combine it with a nonance. A nonance, sometimes erroniously called a salt, is a string of random characters that is appended to the unhashed password before hashing. This random string acts as protection from an attack using rainbow tables. A rainbow table is a large database that maps passwords with the hashes they generate. Many popular hashing algorithms have rainbow tables which permit near instantanious exploration of a large percentage of the key-space. Nonances invalidate this approach as the key in the rainbow table maps to the password + nonance. Without knowing the nonance an attacker is not able to enter any password that will work. The key in the rainbow table is unlikely to be the actual user password and more likley to be a string that simply hashes to the same value so it will not be obvious what the users's password is.
9+
Hashing passwords is a far better idea. A hash is a one-way function that cannot be reversed to reveal the password. When hashing it is important to hash not just the user's password but to combine it with a nonance. A nonance, sometimes erroniously called a salt, is a string of random characters that is appended to the unhashed password before hashing. This random string acts as protection from an attack using rainbow tables. A rainbow table is a large database that maps passwords with the hashes they generate. Many popular hashing algorithms have rainbow tables which permit near instantanious exploration of a large percentage of the key-space. Nonances invalidate this approach as the key in the rainbow table maps to the password + nonance. Without knowing the nonance an attacker is not able to enter any password that will work. The key in the rainbow table is unlikely to be the actual user password and more likely to be a string that simply hashes to the same value so it will not be obvious what the users's password is.
10+
11+
Even when hashing passwords we need to remain vigilent about the implementation. Many common hashing functions such as MD5 and SHA are designed to be as fast as possible. Their purpose is to give a checksum of a file so you know if the file is correct. For this application we want hashing large quantities of data to be as simple and fast as possible. The opposite is true of password hashing. We would like to take as substantial amount of time to avoid brute force attacks. A possible algorithm is the bcrypt algorithm. It is interesting as it is a tunable algorithym that can easily be made to take longer as computer resources get cheaper.
12+
13+
How easy is it to break a password hashed with a low grade hashing function? Well famed hacker Kevin Mitnick give a hint:
1014

1115
<blockquote class="twitter-tweet" data-partner="tweetdeck"><p>I love my new 4 GPU password cracker. Over 60 BILLION NTLM hashes a second. :-)&#10;Unfortunately, Md5crypt is much slower. I need to add cards.</p>&mdash; Kevin Mitnick (@kevinmitnick) <a href="https://twitter.com/kevinmitnick/status/519105934246051840">October 6, 2014</a></blockquote>
1216
<script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>
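
Review bot: The rewritten line 9 fixes only "likley" and still spells "nonce" as "nonance" throughout, and it keeps "sometimes erroniously called a salt" even though salt is the standard term for the per-password random value combined with a password before hashing. Suggest "combine it with a salt", dropping the "erroniously" clause, and correcting "instantanious" and "users's" while the line is being touched. The rewritten line 7 likewise still carries "Encryping". In the new paragraph at line 11, "For this application we want hashing large quantities of data to be as simple and fast as possible" reads as if it refers to password storage when it means file checksums, so name the checksum case explicitly. "SHA" is a family of functions, so say which members are meant, and fix "vigilent", "as substantial amount" and "algorithym". The new line 13 needs "gives a hint".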
