SlideShare una empresa de Scribd logo

An Introduction to Hashing and Salting

Descargar como ODP, PDF
Rahul Singh
Rahul Singh

An Introduction to Hashing and Salting - Secure way of Storing User Credentials

Tecnología
1 de 18
Secure way of Storing User Credentials An Introduction to Hashing and Salting
Why do I need a password anyway?
Why do I need a password anyway? Personal Computers If someone else gains access to your account, they may cause you a great deal of trouble ● Deleting your files ● Using it to hack other systems, ● Forging e-mail purporting to come from you
Why do I need a password anyway? (Web Scenario) ● Identifying Users ● Authenticating users for specific areas ● Securing user specific data from other users.
Password on the web - The Problem ● If you have something that is accessible on the web, it can be retrieved.
Lets try to hack a site for Passwords ● SQL Injection Demo
What should be done? ● Storing passwords in such a way that even if users somehow get hold of password hashes they should not be able to extract the passwords out of them.
Storing Passwords as Plain Text ● ● ● There is no security at all Anyone who has access to the database can easily get to know the password of all the users. Even a small part of application that is prone to Sql injection can reveal the password of all the users.
Storing Encrypted Passwords ● The good This approach is better than storing the passwords in plain text. ● The Bad If someone knows the encryption algorithm and the secret key that was used for encryption then he could decrypt the passwords easily
What is Hashing ● ● Hashing is the process of generating a number or a unique string for a larger string message. The hash for every string message should be unique and there is no way the original message can be reproduced from its hash value.
Storing Password Hashes – The Good ● ● ● So the even better approach would be to store the password hashes in the table. This way there is no way to regenerate the password from the hash. Whenever the user tries to log in, we will generate the hash for the password using the same hashing algorithm and then compare it with the hash stored in the database to check whether the password is correct or not.
Storing Password Hashes – The Bad The problem here is that the user1 and user4 choose the same password and thus their generated password hash is also same.
Could we not device a technique which will store provide us all the benefits of hashing and will also remove the limitations associated with it?
Salting and Hashing of Passwords ● ● Salting is a technique in which we add a random string to the user entered password and then hash the resulting string. Even if two people have chosen the same password, the salt for them will be different.
Lets visualize it Even though the user1 and user4 has chosen same password their salt value is different and thus the resultant hash value is also different.
User Creation Process 1. User enters a password. 2. A random salt value is generated for the user. 3. The salt value is added to the password and a final string is generated. 4. The hash for the final string is calculated. 5. The hash and the salt is stored in the database for this user.
User tries to log in 1. User enters his user id. 2. The user is used to retrieve the users password hash and salt stored in the database. 3. The user enters his password. 4. The retrieved salt is added to this password and a final string is generated. 5. The hash for the final string is calculated. 6. This calculated hash is compared with the hash value retrieved from the database. 7. If it matches the password is correct otherwise not.
References ● ● http://www.codeproject.com/Articles/608860/A-Beginners-Tutor Self Pace training kit (MCTS 70-516) – Chapter 8, Lesson 3.

Recomendados

Password hashing, salting, bycrpt
Password hashing, salting, bycrptPassword hashing, salting, bycrpt
Password hashing, salting, bycrptAhmad karawash
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
Authentication vs authorization
Authentication vs authorizationAuthentication vs authorization
Authentication vs authorizationFrank Victory
 
SQL Injection
SQL Injection SQL Injection
SQL Injection Adhoura Academy
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
User Authentication: Passwords and Beyond
User Authentication: Passwords and BeyondUser Authentication: Passwords and Beyond
User Authentication: Passwords and BeyondJim Fenton
 
Secure Your Encryption with HSM
Secure Your Encryption with HSMSecure Your Encryption with HSM
Secure Your Encryption with HSMNarudom Roongsiriwong, CISSP
 

Recomendados

Password hashing, salting, bycrpt
Password hashing, salting, bycrptPassword hashing, salting, bycrpt
Password hashing, salting, bycrptAhmad karawash
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
Authentication vs authorization
Authentication vs authorizationAuthentication vs authorization
Authentication vs authorizationFrank Victory
 
SQL Injection
SQL Injection SQL Injection
SQL Injection Adhoura Academy
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
User Authentication: Passwords and Beyond
User Authentication: Passwords and BeyondUser Authentication: Passwords and Beyond
User Authentication: Passwords and BeyondJim Fenton
 
Secure Your Encryption with HSM
Secure Your Encryption with HSMSecure Your Encryption with HSM
Secure Your Encryption with HSMNarudom Roongsiriwong, CISSP
 
Brute force attack
Brute force attackBrute force attack
Brute force attackjoycruiser
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)securityEnrico Zimuel
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket LayerNaveen Kumar
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management Sam Bowne
 
Brute Force Attack
Brute Force AttackBrute Force Attack
Brute Force AttackAhmad karawash
 
Keyloggers and Spywares
Keyloggers and SpywaresKeyloggers and Spywares
Keyloggers and SpywaresAnkit Mistry
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute forcevishalgohel12195
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell pptsravya raju
 
Password Cracking
Password CrackingPassword Cracking
Password CrackingHajer alriyami
 
Kerberos
KerberosKerberos
KerberosSutanu Paul
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.pptUday Meena
 
Authentication
AuthenticationAuthentication
Authenticationprimeteacher32
 
Triple Data Encryption Standard (t-DES)
Triple Data Encryption Standard (t-DES) Triple Data Encryption Standard (t-DES)
Triple Data Encryption Standard (t-DES) Hardik Manocha
 
Different types of attacks in internet
Different types of attacks in internetDifferent types of attacks in internet
Different types of attacks in internetRohan Bharadwaj
 
Authentication techniques
Authentication techniquesAuthentication techniques
Authentication techniquesIGZ Software house
 
Brute force-attack presentation
Brute force-attack presentationBrute force-attack presentation
Brute force-attack presentationMahmoud Ibra
 
Nessus Software
Nessus SoftwareNessus Software
Nessus SoftwareMegha Sahu
 
Json Web Token - JWT
Json Web Token - JWTJson Web Token - JWT
Json Web Token - JWTPrashant Walke
 
Message queues
Message queuesMessage queues
Message queuesAhmad karawash
 
Proper passwordhashing
Proper passwordhashingProper passwordhashing
Proper passwordhashingfangjiafu
 

Más contenido relacionado

La actualidad más candente

Brute force attack
Brute force attackBrute force attack
Brute force attackjoycruiser
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)securityEnrico Zimuel
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket LayerNaveen Kumar
 
CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management Sam Bowne
 
Keyloggers and Spywares
Keyloggers and SpywaresKeyloggers and Spywares
Keyloggers and SpywaresAnkit Mistry
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaCODE BLUE
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute forcevishalgohel12195
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell pptsravya raju
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.pptUday Meena
 
Triple Data Encryption Standard (t-DES)
Triple Data Encryption Standard (t-DES) Triple Data Encryption Standard (t-DES)
Triple Data Encryption Standard (t-DES) Hardik Manocha
 
Different types of attacks in internet
Different types of attacks in internetDifferent types of attacks in internet
Different types of attacks in internetRohan Bharadwaj
 
Brute force-attack presentation
Brute force-attack presentationBrute force-attack presentation
Brute force-attack presentationMahmoud Ibra
 
Nessus Software
Nessus SoftwareNessus Software
Nessus SoftwareMegha Sahu
 

La actualidad más candente (20)

Brute force attack
Brute force attackBrute force attack
Brute force attack
 
Password (in)security
Password (in)securityPassword (in)security
Password (in)security
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management CNIT 129S: Ch 7: Attacking Session Management
CNIT 129S: Ch 7: Attacking Session Management
 
Brute Force Attack
Brute Force AttackBrute Force Attack
Brute Force Attack
 
Keyloggers and Spywares
Keyloggers and SpywaresKeyloggers and Spywares
Keyloggers and Spywares
 
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki ChidaIDA Vulnerabilities and Bug Bounty  by Masaaki Chida
IDA Vulnerabilities and Bug Bounty  by Masaaki Chida
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute force
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell ppt
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
Kerberos
KerberosKerberos
Kerberos
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.ppt
 
Authentication
AuthenticationAuthentication
Authentication
 
Triple Data Encryption Standard (t-DES)
Triple Data Encryption Standard (t-DES) Triple Data Encryption Standard (t-DES)
Triple Data Encryption Standard (t-DES)
 
Different types of attacks in internet
Different types of attacks in internetDifferent types of attacks in internet
Different types of attacks in internet
 
Authentication techniques
Authentication techniquesAuthentication techniques
Authentication techniques
 
Brute force-attack presentation
Brute force-attack presentationBrute force-attack presentation
Brute force-attack presentation
 
Nessus Software
Nessus SoftwareNessus Software
Nessus Software
 
Json Web Token - JWT
Json Web Token - JWTJson Web Token - JWT
Json Web Token - JWT
 

Destacado

Proper passwordhashing
Proper passwordhashingProper passwordhashing
Proper passwordhashingfangjiafu
 
Disclosing password hashing policies
Disclosing password hashing policiesDisclosing password hashing policies
Disclosing password hashing policiesMichal Špaček
 
Food preservation methodology report
Food preservation methodology reportFood preservation methodology report
Food preservation methodology reportAlvino rock
 
Meat Preservation--- Salting
Meat Preservation--- SaltingMeat Preservation--- Salting
Meat Preservation--- SaltingNathalie Dausin
 
Fish cookery
Fish cookeryFish cookery
Fish cookeryharmanihm
 

Destacado (20)

Message queues
Message queuesMessage queues
Message queues
 
Proper passwordhashing
Proper passwordhashingProper passwordhashing
Proper passwordhashing
 
Hashing
HashingHashing
Hashing
 
Disclosing password hashing policies
Disclosing password hashing policiesDisclosing password hashing policies
Disclosing password hashing policies
 
1371 silver[1]
1371 silver[1]1371 silver[1]
1371 silver[1]
 
Food preservation methodology report
Food preservation methodology reportFood preservation methodology report
Food preservation methodology report
 
Meat Preservation--- Salting
Meat Preservation--- SaltingMeat Preservation--- Salting
Meat Preservation--- Salting
 
NS2 3.4 Fronts and Storms
NS2 3.4 Fronts and StormsNS2 3.4 Fronts and Storms
NS2 3.4 Fronts and Storms
 
Hashing
HashingHashing
Hashing
 
Skinless longganisa making
Skinless longganisa makingSkinless longganisa making
Skinless longganisa making
 
John Dewey's Philosophy
John Dewey's PhilosophyJohn Dewey's Philosophy
John Dewey's Philosophy
 
Ch17 Hashing
Ch17 HashingCh17 Hashing
Ch17 Hashing
 
Fish cookery
Fish cookeryFish cookery
Fish cookery
 
Key concepts of Piaget's Cognitive Development Theory
Key concepts of Piaget's Cognitive Development TheoryKey concepts of Piaget's Cognitive Development Theory
Key concepts of Piaget's Cognitive Development Theory
 
Ch14 fish and shelfish
Ch14 fish and shelfishCh14 fish and shelfish
Ch14 fish and shelfish
 
Butter making
Butter makingButter making
Butter making
 
Fish cookery
Fish cookeryFish cookery
Fish cookery
 
Butter
ButterButter
Butter
 
Fish cuts
Fish cutsFish cuts
Fish cuts
 
Market form of fish
Market form of fishMarket form of fish
Market form of fish
 

Similar a An Introduction to Hashing and Salting

Password best practices and the last pass hack
Password best practices and the last pass hackPassword best practices and the last pass hack
Password best practices and the last pass hackKevin OBrien
 
Passwords good badugly181212-2
Passwords good badugly181212-2Passwords good badugly181212-2
Passwords good badugly181212-2Iftach Ian Amit
 
IRJET- Login System for Web: Session Management using BCRYPTJS
IRJET- Login System for Web: Session Management using BCRYPTJSIRJET- Login System for Web: Session Management using BCRYPTJS
IRJET- Login System for Web: Session Management using BCRYPTJSIRJET Journal
 
Improving Password Based Security
Improving Password Based SecurityImproving Password Based Security
Improving Password Based SecurityRare Input
 
Techniques for password hashing and cracking
Techniques for password hashing and crackingTechniques for password hashing and cracking
Techniques for password hashing and crackingNipun Joshi
 
A Survey of Password Attacks and Safe Hashing Algorithms
A Survey of Password Attacks and Safe Hashing AlgorithmsA Survey of Password Attacks and Safe Hashing Algorithms
A Survey of Password Attacks and Safe Hashing AlgorithmsIRJET Journal
 
Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011Kieon
 
Password Storage Explained
Password Storage ExplainedPassword Storage Explained
Password Storage Explainedjeetendra mandal
 
Storing passwords-honey words
Storing passwords-honey wordsStoring passwords-honey words
Storing passwords-honey wordskandulasindhu
 
IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...
IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...
IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...IRJET Journal
 
Honeywords - BSides London 2014
Honeywords - BSides London 2014Honeywords - BSides London 2014
Honeywords - BSides London 2014Gavin Holt
 
All Your Password Are Belong To Us
All Your Password Are Belong To UsAll Your Password Are Belong To Us
All Your Password Are Belong To UsCharles Southerland
 
Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...Fego Ogwara
 
CIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCloudIDSummit
 
CIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCloudIDSummit
 
Honeywords for Password Security and Management
Honeywords for Password Security and ManagementHoneywords for Password Security and Management
Honeywords for Password Security and ManagementIRJET Journal
 

Similar a An Introduction to Hashing and Salting (20)

Password best practices and the last pass hack
Password best practices and the last pass hackPassword best practices and the last pass hack
Password best practices and the last pass hack
 
Passwords good badugly181212-2
Passwords good badugly181212-2Passwords good badugly181212-2
Passwords good badugly181212-2
 
IRJET- Login System for Web: Session Management using BCRYPTJS
IRJET- Login System for Web: Session Management using BCRYPTJSIRJET- Login System for Web: Session Management using BCRYPTJS
IRJET- Login System for Web: Session Management using BCRYPTJS
 
Improving Password Based Security
Improving Password Based SecurityImproving Password Based Security
Improving Password Based Security
 
Passwords
PasswordsPasswords
Passwords
 
Techniques for password hashing and cracking
Techniques for password hashing and crackingTechniques for password hashing and cracking
Techniques for password hashing and cracking
 
A Survey of Password Attacks and Safe Hashing Algorithms
A Survey of Password Attacks and Safe Hashing AlgorithmsA Survey of Password Attacks and Safe Hashing Algorithms
A Survey of Password Attacks and Safe Hashing Algorithms
 
Honey words
Honey wordsHoney words
Honey words
 
Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011Kieon secure passwords theory and practice 2011
Kieon secure passwords theory and practice 2011
 
Password Storage Explained
Password Storage ExplainedPassword Storage Explained
Password Storage Explained
 
Storing passwords-honey words
Storing passwords-honey wordsStoring passwords-honey words
Storing passwords-honey words
 
IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...
IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...
IRJET- Security Enhancements by Achieving Flatness in Honeyword for Web u...
 
P@ssw0rds
P@ssw0rdsP@ssw0rds
P@ssw0rds
 
Honeywords - BSides London 2014
Honeywords - BSides London 2014Honeywords - BSides London 2014
Honeywords - BSides London 2014
 
All Your Password Are Belong To Us
All Your Password Are Belong To UsAll Your Password Are Belong To Us
All Your Password Are Belong To Us
 
Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...Securing Database Passwords Using a Combination of hashing and Salting Techni...
Securing Database Passwords Using a Combination of hashing and Salting Techni...
 
CIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You Eat
 
CIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You EatCIS14: Authentication: Who are You? You are What You Eat
CIS14: Authentication: Who are You? You are What You Eat
 
Honeywords for Password Security and Management
Honeywords for Password Security and ManagementHoneywords for Password Security and Management
Honeywords for Password Security and Management
 
Password Attack
Password AttackPassword Attack
Password Attack
 

Último

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 

Último (20)

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 

An Introduction to Hashing and Salting

  • 1. Secure way of Storing User Credentials An Introduction to Hashing and Salting
  • 2. Why do I need a password anyway?
  • 3. Why do I need a password anyway? Personal Computers If someone else gains access to your account, they may cause you a great deal of trouble ● Deleting your files ● Using it to hack other systems, ● Forging e-mail purporting to come from you
  • 4. Why do I need a password anyway? (Web Scenario) ● Identifying Users ● Authenticating users for specific areas ● Securing user specific data from other users.
  • 5. Password on the web - The Problem ● If you have something that is accessible on the web, it can be retrieved.
  • 6. Lets try to hack a site for Passwords ● SQL Injection Demo
  • 7. What should be done? ● Storing passwords in such a way that even if users somehow get hold of password hashes they should not be able to extract the passwords out of them.
  • 8. Storing Passwords as Plain Text ● ● ● There is no security at all Anyone who has access to the database can easily get to know the password of all the users. Even a small part of application that is prone to Sql injection can reveal the password of all the users.
  • 9. Storing Encrypted Passwords ● The good This approach is better than storing the passwords in plain text. ● The Bad If someone knows the encryption algorithm and the secret key that was used for encryption then he could decrypt the passwords easily
  • 10. What is Hashing ● ● Hashing is the process of generating a number or a unique string for a larger string message. The hash for every string message should be unique and there is no way the original message can be reproduced from its hash value.
  • 11. Storing Password Hashes – The Good ● ● ● So the even better approach would be to store the password hashes in the table. This way there is no way to regenerate the password from the hash. Whenever the user tries to log in, we will generate the hash for the password using the same hashing algorithm and then compare it with the hash stored in the database to check whether the password is correct or not.
  • 12. Storing Password Hashes – The Bad The problem here is that the user1 and user4 choose the same password and thus their generated password hash is also same.
  • 13. Could we not device a technique which will store provide us all the benefits of hashing and will also remove the limitations associated with it?
  • 14. Salting and Hashing of Passwords ● ● Salting is a technique in which we add a random string to the user entered password and then hash the resulting string. Even if two people have chosen the same password, the salt for them will be different.
  • 15. Lets visualize it Even though the user1 and user4 has chosen same password their salt value is different and thus the resultant hash value is also different.
  • 16. User Creation Process 1. User enters a password. 2. A random salt value is generated for the user. 3. The salt value is added to the password and a final string is generated. 4. The hash for the final string is calculated. 5. The hash and the salt is stored in the database for this user.
  • 17. User tries to log in 1. User enters his user id. 2. The user is used to retrieve the users password hash and salt stored in the database. 3. The user enters his password. 4. The retrieved salt is added to this password and a final string is generated. 5. The hash for the final string is calculated. 6. This calculated hash is compared with the hash value retrieved from the database. 7. If it matches the password is correct otherwise not.