Tuesday, September 28, 2010

Are you storing “strong” passwords real strong?

Confused by the line above? I have seen many applications that ask users to enter a strong password: one that includes special characters, numerals, or some combination of them. But when storing the password, most of the time we convert the password text to a hash, which is widely believed to be a secure way to store it. That approach may have been secure in the last century; it is not any more. See http://en.wikipedia.org/wiki/Rainbow_table: precomputed tables that map hash strings back to every possible combination of keyboard characters (alphanumeric, punctuation, etc.) have rendered this password storage / validation method insecure.

Check this post http://www.codinghorror.com/blog/2007/09/rainbow-hash-cracking.html, which says: “The multi-platform password cracker Ophcrack is incredibly fast. How fast? It can crack the password "Fgpyyih804423" in 160 seconds.”

How do we strengthen password storage?

Simply provide a random salt while hashing the password, and iterate the hash through many loops so that matching a password requires extra computing effort from an attacker. Normally keep the iteration count at 1000.

Here is how we can achieve that in C#, using Rfc2898DeriveBytes (PBKDF2) with a per-user salt and an iteration count:

using System.Security.Cryptography;

// Derives a salted, iterated password hash (PBKDF2, RFC 2898) of desiredHashBitSize bits.
// Store the salt and the iteration count next to the hash so the same derivation can be repeated at login.
static byte[] HashPassword(string input, byte[] salt, int hashIterations, int desiredHashBitSize)
{
    using (Rfc2898DeriveBytes derivedBytes = new Rfc2898DeriveBytes(input, salt, hashIterations))
    {
        byte[] hash = derivedBytes.GetBytes(desiredHashBitSize / 8);
        return hash;
    }
}
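The same scheme end to end (random salt per user, 1000 iterations, verification at login), written here as an added example rather than code from the original post. It uses Python's hashlib.pbkdf2_hmac with HMAC-SHA1, which is the primitive Rfc2898DeriveBytes implements in .NET Framework, so for the same password, salt and iteration count it produces the same bytes as the C# snippet; the record layout, salt length and 256-bit hash size are assumptions for the example.

```python
import hashlib
import hmac
import os

# Parameters matching the post: a random salt per user and 1000 PBKDF2 iterations.
# Rfc2898DeriveBytes (.NET Framework) is PBKDF2 with HMAC-SHA1, so the bytes agree.
ITERATIONS = 1000
SALT_BYTES = 16    # assumed salt length for this example
HASH_BITS = 256    # plays the role of desiredHashBitSize in the C# snippet


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS,
                  hash_bits: int = HASH_BITS) -> bytes:
    """PBKDF2-HMAC-SHA1 over password and salt, returning hash_bits / 8 bytes."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, hash_bits // 8)


def make_record(password: str) -> dict:
    """What to store for a new user: salt, iteration count and hash.
    The salt is fresh and random per user, so a precomputed table of
    hash -> password (a rainbow table) built without that salt is useless."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "iterations": ITERATIONS,
            "hash": hash_password(password, salt, ITERATIONS)}


def verify_password(candidate: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    recomputed = hash_password(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(recomputed, record["hash"])


if __name__ == "__main__":
    rec = make_record("Fgpyyih804423")           # the password from the quoted post
    print("stored hash:", rec["hash"].hex())
    print("correct password accepted:", verify_password("Fgpyyih804423", rec))
    print("wrong password rejected:", not verify_password("Fgpyyih804424", rec))
    # Same password, second user: a different salt gives an unrelated hash.
    other = make_record("Fgpyyih804423")
    print("different salt gives different hash:", other["hash"] != rec["hash"])
```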

