Passwords & hash functions (Simply Explained)

Simply Explained

3 Apr 201807:28

Summary

TLDRThis video explains how companies protect your passwords from hackers, focusing on three primary methods: plain text, encryption, and hashing. While plain text storage is the most dangerous, encryption adds a layer of security but remains vulnerable if the encryption key is stolen. Hashing, especially with the use of salts and slow hash functions like bcrypt, scrypt, and argon2, offers strong protection. The video also highlights multi-layer security practices, such as those used by Dropbox, which combine hashing, salting, and encryption for enhanced defense. The key takeaway is that even if an account is compromised, hackers might not get access to your actual password due to these protective measures.

Takeaways

😀 Storing passwords in plain text is highly insecure, as hackers can easily access them if the system is breached.
😀 Encryption helps protect passwords, but it still carries risks, as attackers could steal the encryption key and decrypt the passwords.
😀 Hashing functions provide one-way encryption that makes it impossible to reverse back to the original password, enhancing security.
😀 Hash functions can be vulnerable to brute-force attacks, especially when they are optimized for speed.
😀 Rainbow tables, precomputed hash lists, can accelerate brute-force attacks by quickly matching common passwords.
😀 When users share the same password, their hashes will be identical, making it easier for attackers to target multiple accounts at once.
😀 Adding a salt to hashed passwords ensures uniqueness, even for identical passwords, making it harder for attackers to crack multiple accounts at once.
😀 Brute-force attacks can still be slowed down, but not fully prevented, by using salted hashes combined with slow hash functions.
😀 Algorithms like bcrypt, scrypt, and argon2 are designed to slow down hash calculations, making them resistant to brute-force attacks.
😀 Multi-layered password protection, as used by companies like Dropbox, combines hashing, salting, encryption, and cost parameters to strengthen security.
😀 Even if a system is breached, well-secured passwords may still remain safe due to the complex methods companies use to protect them.

Q & A

What are the three main methods companies use to store passwords?
-The three main methods companies use to store passwords are plain text, encryption, and hashing. Plain text is the least secure, encryption adds a layer of protection, and hashing offers the most secure method.
Why is storing passwords in plain text considered dangerous?
-Storing passwords in plain text is dangerous because if a hacker breaches the database, they gain direct access to all users' passwords, which can lead to further compromises, especially if users reuse passwords across multiple sites.
What is encryption and why is it not ideal for password storage?
-Encryption involves converting passwords into a scrambled format using a key. While it prevents hackers from reading the passwords directly, it is still vulnerable because if the encryption key is stolen, the passwords can be decrypted.
How does a hash function differ from encryption?
-A hash function is a one-way process that transforms a password into a fixed-length string. Unlike encryption, which can be reversed, a hash cannot be turned back into the original password, making it more secure for password storage.
What are the weaknesses of hash functions in password storage?
-Hash functions can be vulnerable to brute-force attacks, where attackers try every possible password to find a match. They can also be inefficient when multiple users have the same password, as their hashes will be identical.
What is a 'salt' and how does it improve password security?
-A salt is random data added to a password before hashing. It ensures that even if two users have the same password, their hashes will be unique, preventing attackers from cracking multiple passwords at once.
How do modern brute-force attacks work against hashed passwords?
-Modern brute-force attacks involve using powerful hardware, like GPUs, to calculate millions of hashes per second, increasing the likelihood of cracking hashed passwords. Attackers can also use rainbow tables, which are precomputed lists of hashes for commonly used passwords.
What are slow hash functions, and how do they help protect passwords?
-Slow hash functions, like bcrypt, scrypt, and Argon2, are designed to take longer to compute. This slowness makes it more difficult for attackers to use brute-force techniques because it increases the time required to test each password combination.
What is the 'cost' parameter in slow hash functions?
-The 'cost' parameter in slow hash functions defines how many rounds the algorithm performs to process a password. Increasing the cost makes the function slower, which helps defend against brute-force attacks by requiring more computing power and time.
How does Dropbox use multi-layer security to protect user passwords?
-Dropbox uses a multi-layer approach to protect passwords by first hashing the password with a basic hash function, then applying bcrypt with a salt and cost factor for extra security, and finally encrypting the resulting hash with AES encryption, making it harder for attackers to compromise the password.