Friday, May 25, 2012

Password Storage with Salted Hashes


Password storage is a hugely important issue for any application that makes use of passwords as an authentication mechanism.  One of the primary rules of password storage is that passwords should never be stored in plain text, but should instead be stored in a hashed form.  Hashes are one way cryptographic functions that provide a unique output for every input, and, as such, as long as the user always types in the correct password, the hash of the password should always result in the same value.  Any difference in the supplied password will result in a different hash value.  Thus as long as the hash of the typed in password matches the stored hash value, it can be concluded that the proper password was entered and the user can be given the appropriate access to the system.  The one way nature of hash functions works to improve security, because theoretically it should not be possible to determine the password value used to create the hash (e.g. without resorting to techniques like brute forcing, rainbow tables, etc). 

The security of stored passwords can be even further improved by using a strong hash function such as SHA-512 over older hash functions like MD-5 or SHA-1.  Moreover, salting hashes can provide a further means improving the security of stored passwords, as salts can work to nullify the usefulness of rainbow table based attacks.  A salt is a set of random bits that is also provided as input to the hash function.  Ideally each user of your application should have a unique salt applied to his password hash function.  In Perl, this is actually quite easy to achieve with the Crypt::Salted Hash module (http://search.cpan.org/~esskar/Crypt-SaltedHash-0.06/lib/Crypt/SaltedHash.pm).  Let’s consider the following snippet of Perl code which uses the module to create the salted SHA-512 hash of the supplied password.  

#!usr/bin/perl

use Crypt::SaltedHash;
use strict;
use warnings;

my $password='password';

#creating the salted hash
my $crypt=Crypt::SaltedHash->new(algorithm=>'SHA-512');
$crypt->add($password);
my $shash=$crypt->generate();
my $salt=$crypt->salt_hex();

print "Salted Hash= $shash\n";
print "Salt= $salt\n";

 
The module automatically generates a random salt value when it generates the hash, and this can be verified by running the same code multiple times and seeing the different salts and salted hash values generated. 

The same module can also be used to verify that the proper password was entered, by comparing the supplied password with the stored salted hash as seen below.  If the password is found to be the same as the one used to create the salted hash, the validate method will return a value of “1”.

#verifying the salted hash
my $crypt2=Crypt::SaltedHash->new(algorithm=>'SHA-512');
my $verified=$crypt2->validate($shash, $password);
if($verified==1){
    print "This is the correct password\n\n";
}
else{print "This is the wrong password\n\n";}
 
To show what would happen if an incorrect password was supplied, consider the following code snippet.  Note how the “This is the wrong password” message is printed.  

#showing what would happen if the password was wrong
$password='passw0rd';
my $verified=$crypt2->validate($shash, $password);
print "$verified\n";
if($verified==1){
    print "This is the correct password\n\n";
}
else{print "This is the wrong password\n\n";}

Kobo has over 2 million ebooks to choose from!

12 comments:

szabgab said...

Where do you get the $shash from for the ->verify call?

cfrenz said...

If you are looking to just test the sample code, it will run if you paste all 3 snippets into one script. In that case $shash will come from the first code snippet. In a more real life scenario, $shash would likely be retrieved from the DB you use to maintain credentials.

Malcom Marshall said...
This comment has been removed by the author.
vivekvedha said...

Nice informative it is very valuable and its is very useful for all of us.
https://www.acte.in/reviews-complaints-testimonials
https://www.acte.in/velachery-reviews
https://www.acte.in/tambaram-reviews
https://www.acte.in/anna-nagar-reviews
https://www.acte.in/porur-reviews
https://www.acte.in/omr-reviews
https://www.acte.in/blog/acte-student-reviews

Joyal said...

Thanks for one marvelous posting! I enjoyed reading it; you are a great author. I will make sure to bookmark your blog and may come back someday. I want to encourage that you continue your great posts.
oracle training in chennai

oracle training institute in chennai

oracle training in bangalore

oracle training in hyderabad

oracle training

oracle online training

hadoop training in chennai

hadoop training in bangalore

Aishu said...

This is really good post here. Thanks for such valuable information. Quality content is what always gets the visitors coming.
IELTS Coaching in chennai

German Classes in Chennai

GRE Coaching Classes in Chennai

TOEFL Coaching in Chennai

spoken english classes in chennai | Communication training



sathya said...

Nice post. Thanks for sharing! I want people to know just how good this information is in your article. It’s interesting content and Great work. nice to read.
selenium training in chennai

selenium training in chennai

selenium online training in chennai

selenium training in bangalore

selenium training in hyderabad

selenium training in coimbatore

selenium online training

selenium training

rocky said...

Nice Post! Thank you for sharing very good post, it was so Nice to read and useful to improve my knowledge as updated one, keep blogging.
python training in chennai

python course in chennai

python online training in chennai

python training in bangalore

python training in hyderabad

python online training

python training

python flask training

python flask online training

python training in coimbatore

ramesh said...

I simply want to mention I am just all new to blogging and site-building and truly loved you’re web page. Almost certainly I’m planning to bookmark your site . You really have outstanding stories. Many thanks for revealing your webpage.…
Azure Training in Chennai

Azure Training in Bangalore

Azure Training in Hyderabad

Azure Training in Pune

Azure Training | microsoft azure certification | Azure Online Training Course

Azure Online Training

dhinesh said...

I enjoyed the blog to the core and I hope you come up with even much more interesting topic and also check this out

Full Stack Training in Chennai

Full Stack Course Chennai
Full Stack Training in Bangalore

Full Stack Course in Bangalore

Full Stack Training in Hyderabad

Full Stack Course in Hyderabad

Full Stack Training

Full Stack Course

Full Stack Online Training

Full Stack Online Course

vijay said...

Just admiring your work and wondering how you managed this blog so well. It’s so remarkable that I can't afford to not go through this valuable information whenever I surf the internet.
Salesforce Training in Chennai

Salesforce Online Training in Chennai

Salesforce Training in Bangalore

Salesforce Training in Hyderabad

Salesforce training in ameerpet

Salesforce Training in Pune

Salesforce Online Training

Salesforce Training

antony789 said...

Superb blog post! And this blog clearly explain concept and the concepets are very useful information. I Thanks for sharing this wonderful content. Keep it up!

Software Testing Training in Chennai

Software Testing Online Training in Chennai

Software Testing Courses in Chennai

Software Testing Training in Bangalore

Software Testing Training in Hyderabad

Software Testing Training in Coimbatore

Software Testing Training

Software Testing Online Training