Encrypting Passwords for the Web

ASP.NET, PHP, and most other web platforms offer a variety of techniques for protecting data, ranging from simple hashing to fully reversible encryption algorithms. Developers need to choose the algorithm that offers the most security possible while sacrificing the least amount of capability.

The strongest algorithms for protecting passwords are one-way algorithms. These transform the data in only one direction and do not allow it to be recovered afterward. Although this might seem illogical at first, one-way hashing is ideal for storing passwords. It ensures that even if an attacker compromises the database and downloads every stored password, there is no way to recover the original passwords short of a brute-force search. One-way algorithms are generally called “hashes”, and the most popular formats are MD5 and SHA-1. Each hash takes content of any length and converts it into a short, fixed-length string (usually written as hexadecimal). Because the output is shorter than many possible inputs, there is no one-to-one mapping between original content and hashed data: many original strings could produce the same hash, but finding any one of them by search would take a very long time.

When using a one-way hash, it is important to implement at least one, and if possible all four, of the following additional techniques to ensure data security. The first and most important is a salt. A salt is a long piece of text that is combined with the original password before hashing in order to make the hash even more difficult to reverse. The salt should be different for every record, so ideally the username or ID should be included in the salt as well. This way, if the database is ever compromised, precomputed rainbow tables become useless, and the attacker would need to run the very long brute-force sequence separately for every single password in the database. In addition, even if they did recover the password for an individual user, they could not copy that user's hash into another user's record to gain access as that user.

The other password security techniques operate at the application level: locking out the user after a certain number of incorrect password attempts, requiring the user to change their password every few months, and enforcing password complexity requirements. These techniques help prevent online brute-force attacks against the public-facing login, and ensure that even if a password is compromised, it becomes invalid within a short time. Thus the window available for a brute-force attack is shorter still, which should deter all but the most sophisticated attackers.
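The following is an added example, not code from the original article, that ties the two paragraphs above together: a per-user salt with the user ID mixed in, a constant-time verification step, and an application-level lockout counter. It uses PBKDF2-HMAC-SHA256 as a swapped-in salted one-way function in place of the bare SHA-1 hash the article names; the iteration count, lockout threshold, `UserStore` class and sample accounts are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000       # constructed work factor for PBKDF2, not from the article
MAX_FAILED_ATTEMPTS = 5    # constructed lockout threshold, not from the article


def hash_password(password, user_id, salt=None):
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    if salt is None:
        salt = secrets.token_bytes(16)
    # PBKDF2-HMAC-SHA256 is a salted, iterated one-way function. The user ID is
    # appended to the salt so that the same password on two accounts (even with
    # the same salt) yields different digests, and a digest copied from one
    # record cannot be reused in another.
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt + user_id.encode(), ITERATIONS
    )
    return salt, digest


class UserStore:
    """Constructed in-memory store: salt, digest and failed-attempt counter per user."""

    def __init__(self):
        self.users = {}

    def register(self, user_id, password):
        salt, digest = hash_password(password, user_id)
        self.users[user_id] = {"salt": salt, "digest": digest, "failures": 0}

    def authenticate(self, user_id, password):
        """Return 'ok', 'bad_password', 'locked' or 'unknown_user'."""
        rec = self.users.get(user_id)
        if rec is None:
            return "unknown_user"
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            return "locked"          # lockout holds even for the correct password
        _, candidate = hash_password(password, user_id, rec["salt"])
        # Constant-time comparison: a plain == would leak how many bytes matched.
        if hmac.compare_digest(candidate, rec["digest"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        return "bad_password"


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse")
    store.register("bob", "correct horse")   # same password, different digest
    print(store.users["alice"]["digest"] != store.users["bob"]["digest"])
    print(store.authenticate("alice", "correct horse"))
```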

When developing authentication software, SHA-1 should be used for most newer implementations, as MD5 has been theoretically compromised. In addition, the plaintext password should never be transmitted unprotected over the web; a secure tunnel such as SSL/HTTPS should be used for authentication.

An effective security implementation will help protect a web application against hackers, spies, and thieves, and ensure that the data reaches the security level required by regulatory requirements and industry guidelines.

Written by Andrew Palczewski

About the Author
Andrew Palczewski is CEO of apHarmony, a Chicago software development company. He holds a Master's degree in Computer Engineering from the University of Illinois at Urbana-Champaign and has over ten years' experience in managing development of software projects.


One thought on “Encrypting Passwords for the Web”

  1. I’ve seen similar restrictions but still consider the security sufficient if a) you have some random login number that you write down, and b) your account gets blocked after 3 tries. If the login number was your account number it could be used for denial of service, so I prefer a random number. Of course someone could still steal your hashed password from the bank and brute-force it, which is easier for simple passwords. But then this is not much easier than installing a trojan, staging a man-in-the-middle attack or sniffing your password by other means.
