The hashing is a process that allows someone to ensure that their password is secure and cannot be recovered from hackers. Hashing algorithms are functions one-way. They take a code and convert it to one Constant fingerprint always long. The hashed code cannot be decrypted easily. Basically this process looks like her encryption. So if a hacker breaches a system, he won't be able to get it access in the code.
Many sites use this method to secure their users' passwords.
The procedure is as follows:
- Initially, the user creates an account.
- The password is then stored and stored in the database.
- When the user tries to log on to website, the hash of the entered code is compared to the cached code and if the same is true, the user is logged on to the site normally. Otherwise, a generic message appears saying that something went wrong credentials, without specifying whether the error was detected in the username or password to make it difficult for prospective hackers.
Attacks to "break" hashes
Brute Force and Dictionary attacks
A Brute Strength attack tries all possible character combinations, with a specific length. This means that at some point the code will definitely break. However, this is not an easy process. Even very small passwords can take thousands of years (literally) to break through Brute Force attack, since the hacker cannot know when to get the right combination of characters.
The Dictionary attacks they use a file containing common words, phrases or codes access, that may have been used by someone as a password. Hackers have access to databases that have 100.000 (or more) top passwords. The attack hashing on these passwords and compares the hash with the password it wants to crack. This is a faster method than Brute Force attack.
However, there is another process, known as "salting", which prevents these attacks more effectively.
The reason why the above attacks can be used and are effective is that hashing is always done the same way. We can do it the random hashing, by adding a random string to the passwords, called salt, BEFORE the hashing.
What to do and what not to do salting process:
Initially, what not to do:
- Not we have to use same salt for all passwords
- Not we have to use young in salt length
- Not we have to use strange double hashes (ex: hash (hash ('mypass')))
What do we have to do:
- We have to create random salt with the help of special programs (Cryptographically Secure Pseudo-Random Number Generator-CSPRNG)
- We need to create a new one Unique random salt for each password
- We have to create big in salt length
Η The salting process is as follows:
- First, we create a very large salt with the help of a CSPRNG
- Next, we add the salt to the code and then the hashing
- We store the salt and hash in the database
- Take the salt and hash from the base data
- Add salt to the submitted code and hashing
- Compare the hashes. If the same, the password is correct