Insecure hash

Well, what is a hash? Hashing refers to taking some input value, usually a password, and then producing a fixed length "fingerprint" from it. Unlike encryption where the original message can be retrieved, there is no (algorithmic) way of reversing a hash back to its original value.

An insecure hash vulnerability is a failure related to cryptography. Cryptography being the way we encrypt or hash data. By having an insecure hash there is a high chance that your data will be exposed. Something we don’t want as a business or as a customer!

As computing power is steadily increasing, hashes might get weak to brute force attacks. Let’s face it, computers are fast and there is a real possibility of an attacker using a tool to try different passwords until the right one opens up the vault to all our secrets! Hashes can also be insecure due to rainbow tables or hash collisions.

We should be aware of what hash algorithms are good to use and which ones are no longer perceived as secure. Insecure hash isn’t an attack but is a symptom of a larger attack. Many legacy systems still use MD5 as a hash function to store passwords. In this lesson, we’ll see why that is a bad practice.

During this lesson, we will learn what an insecure hash is and why exactly it is considered insecure. We’ll look at how an attacker can use a hash lookup table against our hashes to discover sensitive data. After that, we’ll learn how to create a secure hash and fix our vulnerability.

Congratulations on the new job! You are working at Saturn Bank as a developer. In your first week, you are reviewing some of the code and you notice that during registration, the hash function is using MD5 to hash the user's password before it gets stored in the database.

Congratulations on the new job! You are working at Saturn Bank as a developer. In your first week, you are reviewing some of the code and you notice that during registration, the hash function is using MD5 to hash the user's password before it gets stored in the database.

Congratulations on the new job! You are working at Saturn Bank as a developer. In your first week, you are reviewing some of the code and you notice that during registration, the hash function is using MD5 to hash the user's password before it gets stored in the database.

Congratulations on the new job! You are working at Saturn Bank as a developer. In your first week, you are reviewing some of the code and you notice that during registration, the hash function is using MD5 to hash the user's password before it gets stored in the database.

Congratulations on the new job! You are working at Saturn Bank as a developer. In your first week, you are reviewing some of the code and you notice that during registration, the hash function is using MD5 to hash the user's password before it gets stored in the database.

Congratulations on the new job! You are working at Saturn Bank as a developer. In your first week, you are reviewing some of the code and you notice that during registration, the hash function is using MD5 to hash the user's password before it gets stored in the database.

Congratulations on the new job! You are working at Saturn Bank as a developer. In your first week, you are reviewing some of the code and you notice that during registration, the hash function is using MD5 to hash the user's password before it gets stored in the database.

You know MD5 is insecure and you bring this up to your boss. Your boss, who used to be in your role, thinks it’s not a big deal because a hash can’t be reversed. He claims there is no way an attacker can figure out someone's password by looking at the hash. He’s so confident that he gives you the hash of his password! The hash is 2ac9cb7dc02b3c0083eb70898e549b63

But a hash can be compared to known hashes. This might take a lot of effort to brute force some hashes, but maybe you just need to look at the most popular passwords and hash those.

In this tutorial, we’re going to pretend to be an attacker who just received a hash of someone's password. We are then going to try and discover what this password really is!

An MD5 hash can be brute forced in a matter of seconds. Normally, your boss won’t hand over his hash but an attacker can access these if they break into a database (that’s a different, scary problem).

Hashing passwords is the correct way to handle passwords, but it must be done using a secure hash function. Outdated hash functions such as MD5, SHA-1 or some others, should be avoided.

In C++, you can import the OpenSSL library to handle all of your cryptography needs. This includes a function to securely hash a password.

Just like the code example above, you still want to use the MessageDigest class. However, when calling the getInstance method, we want to pass in a secure hashing algorthm such as SHA-256.

In Go, you can import the bcrypt library to handle all of your cryptography needs. This includes a function to securely hash a password.

In PHP, there is a built in function called password_hash() that will handle passwords and hashes correctly.

In C#, you can add the bcrypt package to handle all of your cryptography needs. This includes a function that will securely hash a password.

With Python, there is a library called hashlib that allows you to use Python’s implementation of Password-Based Key Derivative Function 2(PBKDF2).

There are many Javascript libraries available that handle cryptography including Crypto-JS and bcrypt. However, in NodeJS, there is a built in library called crypto.

There are multiple steps that need to be taken to mitigate this vulnerability. First, we need to use a stronger hash function. MD5 is not secure and it hasn’t been recommended for years! But as you can see, a secure hash might not be enough. If your company decides to use a really strong hash function but a user still uses a weak password (such as Password1), the hash may still be found in a hash lookup table.

We need to use the strong hash function but we also need to implement strong password policies. On top of that, we can salt a hash to make it even more secure.

A salt is a random string that gets attached to a plaintext password before it gets hashed. As we saw above, a hash cannot be reversed but it can be compared with existing generated hash outputs. If a user is using a weak password, that password may have been hashed and stored somewhere for potential hackers to compare against. By adding a salt to the password, the hash output is no longer predictable. This is because it is increasing the uniqueness of the password, thus, the uniqueness of the hash itself.

The Python hashlib library allows you to hash your passwords securely and apply a salt. Keep in mind, when you generate the salt, you need to keep this stored as well. Typically, this is stored in the database with the generated hash.

In C#, you can add the popular bcrypt package which will allow you to securely hash a password. The HashPassword function will automatically add a salt.

PHP has a built in function that will hash a password securely. By using PASSWORD_DEFAULT, that will automatically use bcrypt as well as implement a salt. This is a secure way to store passwords.

As previously mentioned, Java has a built in class called MessageDigest. There are plenty of algorithms to choose from, just be sure to use a secure one.

bcrypt is an NPM module that can be imported to solve many of your cryptographic needs!

In Go, you need to add the bcrypt package (go get golang.org/x/crypto/bcrypt). Using that package, you can use the GenerateFromPassword function will be hash and salt your password.

In C++, you need to add the OpenSSL library (#include <openssl/sha.h>).

• Storing passwords is crucial to any application. Learn more about the best practices here
• Here are some other great tips on how to deal with passwords
• NIST provides these guidelines for US federal use of hash functions
• bcrypt is available across many languages, but here is some additional information on it for NodeJS
• Of course, XKCD has a comic about passwords!