A hash value is unique for a sequence of input data. The beauty of a one-way hash algorithm is that we can easily get the hash value of a piece of data, but from the hash value it's almost impossible to get back the original data. There are a number of hash functions available:
- SHA-1 - Output = 160 bits
- SHA-256 - Output = 256 bits
- SHA-512 - Output = 512 bits
MD5 (Message Digest algorithm 5) is also a widely used hashing algorithm. Its output size is 128 bits. SHA is the successor of MD5.
Storing User detail
Let's say your application collects the following parameters while registering a new user:
- name
- password
SHA1 hash - PHP function - sha1($_POST['password'])
MD5 hash - PHP function - md5($_POST['password'])
User Authentication
When the user logs in, he will provide a username and a plain text password. Use the same algorithm you used for calculating the password hash at the time of registration and calculate the hash value again. Because the hash value is unique for a set of input characters, if the hash values match, perform the authentication success logic.
NOTE: It is not safe to send the plain text user password over HTTP. An attacker can easily access that HTTP packet and extract the password. Always use SSL while sending user credentials.
Weaknesses
By adding a password hash you have made the hacker's life much more difficult, but it's not yet a foolproof solution. If the hacker somehow gets access to the database, he will try to crack the hash. Using a high speed CPU, we can generate the hash of n number of strings in one second. So the hacker will start generating random strings and their hash values. If his random string algorithm generates the same hash output, the generated random string is the user's password.
Follow these steps to fix this security hole:
- Generate a random string - RANDOM_STRING
- The user has entered "xyz" as the password during registration.
- Append the generated string and then calculate the hash value. So instead of storing HASH_ALGO($_POST['password']), store HASH_ALGO($_POST['password'].RANDOM_STRING)
- Store the RANDOM_STRING in the database.
- Every time the user logs in, use the previously used RANDOM_STRING to calculate the hash: HASH_ALGO(USER_CREDENTIAL.RANDOM_STRING). Then compare this hash value with the stored hashed password. If it matches, perform the authentication success logic + perform some extra steps to confuse the hacker:
  - At the time of verifying user credentials, you have the plain text password.
  - Once verified -
    - Generate another random string and compute HASH_ALGO(USER_CREDENTIAL.NEW_RANDOM_STRING) = XYZ
    - Update the database fields password_hash and random_string
    - Thus we have updated the random number and the password hash value but not the actual password. Next time, the new random number will be used to validate the user credential.
  - This process will change the user's password hash value every time the user logs in. This will confuse the hacker. This process will also make almost all password hash values unique, which in turn reduces the database damage.
- Store password hash value.
- Use SSL to transmit plain text password.
- Ask the user to change the password after every x number of days.
- Use the random string to make all the password hash values unique, which will reduce database damage.
- Use the random string algorithm to change the database password_hash value every time the user logs in. This will confuse the hacker.
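The salting and re-salting steps above, written out as an added PHP example (not code from the original article). The in-memory `$db` array stands in for the users table and the function names are hypothetical; SHA-256 is used as HASH_ALGO.

```php
<?php
// Constructed example: $db is an in-memory stand-in for the users table.
// password_hash and random_string are the field names used in the steps above.
const HASH_ALGO = 'sha256'; // one of the algorithms listed in the article

function new_random_string(): string {
    // 16 bytes from the OS CSPRNG, hex-encoded so it fits a text column
    return bin2hex(random_bytes(16));
}

function salted_hash(string $password, string $randomString): string {
    // HASH_ALGO(password . RANDOM_STRING)
    return hash(HASH_ALGO, $password . $randomString);
}

function register_user(array &$db, string $name, string $password): void {
    $salt = new_random_string();
    $db[$name] = [
        'password_hash' => salted_hash($password, $salt),
        'random_string' => $salt,
    ];
}

function login(array &$db, string $name, string $password): bool {
    if (!isset($db[$name])) {
        return false;
    }
    $row = $db[$name];
    $candidate = salted_hash($password, $row['random_string']);
    // hash_equals() compares in constant time, unlike == or ===
    if (!hash_equals($row['password_hash'], $candidate)) {
        return false;
    }
    // Verified: store a fresh random string and hash for the same password
    register_user($db, $name, $password);
    return true;
}

// Constructed sample data: two users who chose the same password
$db = [];
register_user($db, 'alice', 'xyz');
register_user($db, 'bob', 'xyz');
var_dump($db['alice']['password_hash'] === $db['bob']['password_hash']);
$before = $db['alice']['password_hash'];
var_dump(login($db, 'alice', 'xyz'));    // correct password
var_dump(login($db, 'alice', 'wrong'));  // wrong password
var_dump($before === $db['alice']['password_hash']); // stored hash after re-salting
```

For production PHP code, the built-in password_hash() and password_verify() generate and store the salt for you and use a deliberately slow algorithm, which addresses the fast-guessing weakness described under Weaknesses.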
1 comment:
useful article.