Password hashing
1 / 19

Password Hashing - PowerPoint PPT Presentation

  • Uploaded on

Password Hashing. Dan Johnson. What is a hashing function?. Fingerprint for a given piece of data Typically generated by a mathematical algorithm Produces a fixed length string as its output Hashes are sometimes called a checksum or message digests. Cryptographic hashing functions.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Password Hashing' - arwen

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Password hashing

Password Hashing

Dan Johnson

What is a hashing function
What is a hashing function?

  • Fingerprint for a given piece of data

  • Typically generated by a mathematical algorithm

  • Produces a fixed length string as its output

  • Hashes are sometimes called a checksum or message digests

Cryptographic hashing functions
Cryptographic hashing functions

  • Have four major properties:

    • It is impossible for any given output to determine the original input.

      • This does not mean we can’t use inference to find input that is likely correct

    • It is easy to compute the hash of any given input.

      • Easy means that it does not require a lot of system resources or time to compute the hash of a given input.


  • It is infeasible to determine two inputs that produce the same output.

  • It is infeasible to change an input and produce the same output.

    • Infeasible means that a solution cannot be found in less time than by brute force.

Cryptographic strength
Cryptographic Strength

  • Determined by output length and ability to resist cryptanalytic attack

  • Output length expressed in number of bits

  • Attacks attempt to break one of the cryptographic properties.

Preimage attacks
Preimage Attacks

  • Two types, “first-preimage” and “second-preimage”

  • Both attempt to break the one way property of the hashing function

  • Both are similar in nature

  • If a hashing function is vulnerable to one form of preimage attack, it is likely vulnerable to the other form of attack

  • Successful attack executes in less that brute force time

Collision attack
Collision Attack

  • A collision occurs when two pieces of input produce the same output.

  • Collision attacks take advantage of a property of probability theory called the birthday paradox or birthday problem.

  • Collision attacks attempt to find a collision in less than O(2n/2)


  • Published by Ronald Rivest in 1994.

  • Produces 128-bit output, represented by 32bit hexadecimal number.

  • Vulnerable to collision attacks.

  • Now mostly used for creating checksums of large files.

Sha 1

  • Created by the National Security Agency

  • Creates a 160-bit message digest represented by a 20 character string

  • More secure than MD5

  • Widely popular and used in many applications

  • In 2005, a group of Chinese researches discovered mathematical errors that could lead to a preimage attack in less than brute force time.

  • No known attacks based on these findings have surfaced.

Sha 256

  • Also created by NSA as a part of the SHA2 family which includes SHA224, SHA256 and SHA512.

  • Creates a 256bit output, hence its name.

  • Considered to be more secure than SHA1 because of increased bit size.

  • Mathematical problems found in SHA1 are not present in SHA256.

  • Less popular than SHA1.

Hash based authentication
Hash Based Authentication

  • Works the same way as password authentication

  • Store hashed value of password in database instead of password itself

  • When a user attempts to authenticate, hashes input value and compares it with value stored in database

  • “password” => [ᆰaäɹ??ツ%lø3~æマØ

Example implementation
Example implementation

  • Consider the following PHP code snippet.

  • From this we can clearly see that adding hash based authentication does not add a much code.

What an attacker sees
What an attacker sees…

  • Without encryption:

  • With just SHA-1 encryption:


  • Can this be improved?

  • Better solution: sha1( username + password)

  • Even better solution:

  • sha1( sha1(username) + sha1(password) )

Microsoft store india
Microsoft Store India

  • Earlier this year, the Microsoft Store web site for India was breached.

  • Attackers stole hundreds of thousands of usernames and passwords.

  • All passwords were stored in plaintext.

  • Credit Card information was also not encrypted in any from.

  • Many users had their identity compromised and fraudulent purchases charged to their credit card.


  • Playstation Network and Sony Pictures customer databases were both breached in 2011.

  • Credit card information was encrypted, but several reports indicate that encryption may have been compromised.

  • User data was not encrypted in any way.

  • Class action lawsuit filed over negligence.

Other protection methods
Other protection methods

  • Hashing not good for everything.

  • Credit card information could be stored using symmetric key encryption.

  • This allows for the input to be determined at a later date.



  • Agarwal, A. (2012, February 27). Not just email addresses, credit card numbers also stolen from microsoftindia store. Retrieved from

  • Gallagher, S. (2012, February 14). Microsoft's store site in india defaced; hackers find plain text passwords. Retrieved from

  • McGlinn, J. (2005, March 20). Password hashing. Retrieved from

  • Silva, J. (2003). An overview of cryptographic hash functions and their uses. Retrieved from

  • Schneier, B., & Hoffman, P. (2005). attacks on cryptographic hashes in internet protocols. Retrieved from

  • Schwartz, M. (2011, June 3). Sony hacked again, 1 million passwords exposed. Retrieved from

  • Stallings, W., Brown, L., & Howard, M. (2008). Computer security, principles and practice. Upper Sadddle River, NJ: Pearson Education.

  • Ullrich, J. (2011, June 28). Hashing passwords. Retrieved from