3. Why do I need a password anyway? (Personal Computers)
If someone else gains access to your account, they may cause you a great deal of trouble:
● Deleting your files
● Using it to hack other systems
● Forging e-mail purporting to come from you
4. Why do I need a password anyway? (Web Scenario)
● Identifying users
● Authenticating users for specific areas
● Securing user-specific data from other users
5. Passwords on the web - The Problem
● If you have something that is accessible on the web, it can be retrieved.
6. Let's try to hack a site for passwords
● SQL Injection Demo
7. What should be done?
● Store passwords in such a way that even if users somehow get hold of the password hashes, they should not be able to extract the passwords from them.
8. Storing Passwords as Plain Text
● There is no security at all.
● Anyone who has access to the database can easily get to know the passwords of all the users.
● Even a small part of the application that is prone to SQL injection can reveal the passwords of all the users.
9. Storing Encrypted Passwords
● The Good
This approach is better than storing the passwords in plain text.
● The Bad
If someone knows the encryption algorithm and the secret key that was used for encryption, he could decrypt the passwords easily.
10. What is Hashing
● Hashing is the process of generating a number or a unique string (the hash) from a larger string message.
● The hash for every string message should be unique, and there should be no way to reproduce the original message from its hash value.
11. Storing Password Hashes – The Good
● So the even better approach would be to store the password hashes in the table.
● This way there is no way to regenerate the password from the hash.
● Whenever the user tries to log in, we generate the hash for the entered password using the same hashing algorithm and then compare it with the hash stored in the database to check whether the password is correct or not.
12. Storing Password Hashes – The Bad
The problem here is that user1 and user4 chose the same password, and thus their generated password hashes are also the same.
13. Could we not devise a technique which will provide us all the benefits of hashing and will also remove the limitations associated with it?
14. Salting and Hashing of Passwords
● Salting is a technique in which we add a random string to the user-entered password and then hash the resulting string.
● Even if two people have chosen the same password, the salt for them will be different.
15. Let's visualize it
Even though user1 and user4 have chosen the same password, their salt values are different and thus the resultant hash values are also different.
16. User Creation Process
1. User enters a password.
2. A random salt value is generated for the user.
3. The salt value is added to the password and a final string is generated.
4. The hash for the final string is calculated.
5. The hash and the salt are stored in the database for this user.
17. User tries to log in
1. User enters his user id.
2. The user id is used to retrieve the user's password hash and salt stored in the database.
3. The user enters his password.
4. The retrieved salt is added to this password and a final string is generated.
5. The hash for the final string is calculated.
6. This calculated hash is compared with the hash value retrieved from the database.
7. If it matches, the password is correct; otherwise it is not.
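The two procedures above (slides 16 and 17) implemented end to end, as an added example that is not part of the original slides. The in-memory `USERS` dict stands in for the database table, the user ids and passwords are constructed sample data, and SHA-256 is assumed as the hashing algorithm the slides leave unnamed.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the users table in the slides: user id -> {salt, hash}.
USERS: dict = {}


def hash_password(password: str, salt: bytes) -> bytes:
    """Slide 16, steps 3-4: append the salt to the password and hash the result."""
    return hashlib.sha256(password.encode("utf-8") + salt).digest()


def create_user(user_id: str, password: str) -> None:
    """Slide 16: fresh random salt per user, hash salt+password, store both."""
    salt = os.urandom(16)  # step 2: random salt, never reused across users
    USERS[user_id] = {"salt": salt, "hash": hash_password(password, salt)}  # step 5


def login(user_id: str, password: str) -> bool:
    """Slide 17: look up salt and hash by user id, recompute, compare."""
    record = USERS.get(user_id)  # step 2
    if record is None:
        return False  # unknown user id: treat like a wrong password
    candidate = hash_password(password, record["salt"])  # steps 4-5
    # Step 6-7 with a constant-time comparison, so timing does not reveal
    # how many leading bytes of the stored hash matched.
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> dict:
    """Recreate the slide 12 / slide 15 scenario: two users, same password."""
    create_user("user1", "password123")
    create_user("user4", "password123")  # same password as user1
    return {
        "same_salt": USERS["user1"]["salt"] == USERS["user4"]["salt"],
        "same_hash": USERS["user1"]["hash"] == USERS["user4"]["hash"],
        "user1_correct": login("user1", "password123"),
        "user1_wrong": login("user1", "Password123"),
        "unknown_user": login("nobody", "password123"),
    }
```

With different salts the two users' stored hashes differ even though their passwords are identical, which is the point of slide 15. A production system would replace the single SHA-256 pass with a deliberately slow password hash (PBKDF2, bcrypt, scrypt or Argon2) so that guessing against a leaked table is expensive.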