How Programmers Should Secure Passwords

Categories: Technology |


PASSWORD1
Sometimes when we examine a web site we find passwords in plain text. It goes without saying that programmers should never keep their passwords in plain text in the database. There are many ways to get the administrator credentials of a web site, for example via SQL injection (SQLi).

Others have used used cryptographic techniques such as MD5 or SHA-1. But simply using MD5 or SHA-1 is no longer sufficient, and programmers need to become more aware of the attacks they face.

To prevent these attacks we need to generate secure passwords. In case someone is able to get the hash, it makes it extremely hard or impossible to decode. This way, each password we generate will be totally different to the rest, and the only possible way to find it out would be to get access to the algorithm in order to generate it.

What is a Hash and how can it help you create secure passwords?

A hash is a text chain that you can obtain by applying a mathematical or algorithmic process with the objective of transforming that text into a new chain which is completely understandable. Once you’ve obtained the hash, it’s difficult to go back to the original text without knowing the process applied to obtain it.

MD5 and SHA-1 are the most commonly-used hashes. But their popularity has the disadvantage that there are many ways to decode them by force or dictionary attack, in order to get back to the plain text.

Some basic rules to generate a secure password are:

  • Always use a seed or salt.
  • The seed must be the most random possible.
  • Use a different seed for each password.
  • Do not store the seed

Why you need to use a Salt

The objective of Salt is to generate a random string and add it to the password. This way, the password will be longer and more complex to decode.

Rainbow Table attacks only work when the passwords have been hashed with the same Salt. If we do this, using the same Salt for all our passwords, we raise the chances of them being hacked.

To generate random Salts in PHP, the best way is using mcrypt_create_iv o openssl_random_pseudo_bytes functions. Let’s see an example of how to use them:

<!--?php $user = $_POST['user']; $pass = $_POST['pass']; $salt = str_replace('=', '.', base64_encode(mcrypt_create_iv(20))); $hash = hash_hmac('SHA512', $pass, $salt); var_dump($hash); ?-->

Basically, the code receives a password for POST. Then we generate a Salt and we add it to the user’s password. Finally, we can encrypt it with SHA512.

Following these steps you can make a password as secure as possible. However, keep in mind that there is no such thing as something 100% secure. Nowadays there are machines whose only use is to break passwords, so I advise adding iteration to the code:

<!--?php function hash_password($password, $salt) { $hash = hash_hmac('SHA512', $pass, $salt); for ($i = 0; $i &lt; 5000; $i++) { $hash = hash_hmac('SHA512', $hash, $salt); } return $hash; } $user = $_POST['user']; $pass = $_POST['pass']; $salt = str_replace('=', '.', base64_encode(mcrypt_create_iv(20))); $hash = hash_password($pass, $salt); var_dump($hash); ?-->

These 5000 iterations in the code will help secure the password. With these algorithms we can obtain a medium level of security at the time of saving our passwords. I hope I’ve been clear in my explanation but in case you have any doubt, please do not hesitate on leaving a question in the comments, and I’ll do my best to answer it.

Leave a comment