Question

You are working as a Security Engineer in ABX Company Pvt. Ltd. Suddenly, intruder has got access to their database and used them to impersonate users to get some documents. Fortunately, attack was identified and the stopped by your team. Now, your manager asked you to find a secure way to store password securely and others could not able to reverse it or use it for login. What will be your solution? Would you use hashing? If you use hashing please explain the steps.

Answer 1

In general, from a broad perspective, and an overall insight into the security of storing passwords, by all means, encryption can and should be used to store passwords and other login credentials, files, documents, documents, etc. Encryption mechanism (using an irreversible cryptographic function), hash function, or other mechanisms should be deployed on data that is at rest, in transit, and when it is being processed. Passwords must not be stored in plain text in a file.

Yes, I would recommend the company to use hashing. To securely and easily store passwords so others cannot reverse it or use it for login a one-way cryptographic hash function must be used. It uses a one-way mathematical encryption algorithm. The attacker or the hacker will not be able to reverse that particular hash back into the original password. It is not possible to reverse the encryption in this technique. Technically, it uses hashing functions for storing passwords.

The plain-text method should never be used for storing users' passwords as the method is not secure, as it is not encrypted. Also, just using only simple encryption should also not be an option. Passwords must be hashed. Hashing passwords is a one-way achieving enhanced security. The hashing mechanism makes the storage of passwords secure and easier. Hashing stores a password transforming it into data that simply cannot be converted back to the original password. Along with hashing, a salting mechanism should also be used. Hashing chops a given data, in this case, a password into small pieces so it appears to be a confusing mess. Hashing technically maps any size data to a bit string of a size that is fixed. Data once hashed cannot be unhashed, practically.

Steps involved in Hashing, in general:
* Plain text is taken.
* Plain text is fed as input to the hash function.
* The outcome is the hashed text that gets generated by the hash function.

Hashing algorithms such as MD5 or Secure Hash Algorithms (SHA) such as SHA-1 and the SHA-2 family that includes the SHA-256 algorithm are used. The SHA-256 algorithm is used as the underlying cryptographic hash function.

Ideally, secure and very strong irreversible hash functions such as sha256, sha512, or sha3 should be used. SHA512 should be used along with the salt, which acts as a pollutant to the password (message or raw data), producing two different hashes for the same data. The salt is unique for each user. The salt is composed of a random sequence. It increases the password's uniqueness. It increases the chance a hash has never been used. All passwords different or some of the same, regardless, they all should have different hashes.

Below are the steps in hashing a password:
* A password is taken that is typed in by a user.
* Hashing function used generates a unique salt.
* The hashing function adds this salt to the password.
* The hashing function generates a hash from the combination of password and salt i.e., password + salt.
* The generated hash and the generated salt both, are sent to the database.