However, if you are one of the people thinking that MySpace would have been fine if they had just salted the passwords and then hashed them with SHA256, then sadly you are equally wrong, and I shall explain why.
For an industry that is rooted in technology, information security is disproportionately full of Conventional Wisdom [2] that is misplaced or outright wrong. So why might that be, when there are so many obviously clever people around? I personally think it’s because the knowledge domain has grown to be so enormous that no single person can cover it all. So even the brightest practitioners are left skimming the surface. The result is that there is a tendency to latch onto something and to repeat it as fact, without having understood the detail.
A good example of this is the holy crusade against using hashing algorithms that are perceived to be weak for password storage, such as MD5 and SHA1. Now it is true that they are cryptographically weaker than newer alternatives like SHA256, but the known weaknesses are collision attacks, and a collision does not help anyone recover a password from a stored hash. So why would I think it is Conventional Wisdom? It's because when it comes to storing passwords, the choice of hash algorithm is often the least critical factor. Plus, whilst it is better than nothing, just adding a salt isn't going to make everything ok either: a salt defeats precomputed tables and stops identical passwords sharing a hash, but it does nothing to slow down guessing one account at a time.
The crux of the issue is the volume of computing power that can be brought to bear on the hashes once they are obtained. Today, with GPUs and custom ASICs, that is both enormous and, in relative terms, cheap. Don't forget that in this scenario no-one is exploiting weaknesses in the hash function: it's a matter of raw performance. With the appropriate hardware it is possible to calculate billions of hashes a second, whichever of the fast general-purpose algorithms is chosen; SHA256 costs an attacker only a small constant factor more than MD5, which a few more graphics cards make up. So any argument that proposes one fast hash function over another for password storage is effectively irrelevant [3].
So if SHA256 and a salt isn’t the solution, what is?
Firstly, it's worth stating that no approach to encryption or hashing offers absolute security, just a quantifiable cost to the attacker. So password storage is all about accepting that protecting the hashes isn't about making it impossible to recover the password, just about making it too time consuming or costly to be practical.
Secondly, it's also worth stating that password storage is only half the equation. If the passwords themselves are weak, then it really won't matter how they are stored, as the simplest route to recovering them is to use a dictionary of common passwords: a handful of guesses per account succeeds no matter how slow each guess is.
So what is the answer? It just so happens that the principles of what makes a good approach to storing passwords were established years ago, with the creation of Key Derivation Functions (KDF) [4], of which PBKDF2, bcrypt, scrypt and more recently Argon2 are the ones designed for passwords. No home brewed solutions required: take an off-the-shelf algorithm, feed it the password and a fresh random salt per user, and store the output alongside the salt and the cost parameters for later comparison.
So why is a KDF better than SHA256 and a salt? It's because the contemporary KDFs are deliberately expensive, with a tunable work factor that makes each guess cost milliseconds rather than nanoseconds, and the memory-hard ones (scrypt, Argon2) also need tens of megabytes per guess. Which means that they can't be used to calculate billions of potential password guesses a second, and what's more, the memory requirements throw away most of the advantage of GPUs and ASICs, whose strength is many cheap cores with little memory each.
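The following is an added example, not code from the original post, which puts numbers on the two preceding points: raw guess throughput against salted SHA256 versus a memory-hard KDF, and the fact that a dictionary password falls to either. It uses scrypt from Python's standard library (hashlib.scrypt, which needs an OpenSSL 1.1 or later build); the cost parameters, the storage record format and the six-word "common password" list are assumptions made up for the example.

```python
"""Salted SHA256 versus a password KDF (scrypt): an added example, not the
original post's code. Dictionary, cost parameters and record format are
assumptions constructed for this demonstration."""
import hashlib
import hmac
import os
import time
from typing import Callable, Optional, Tuple

# Constructed for this example: a tiny dictionary of common passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "monkey", "hunter2"]

# Assumed scrypt cost parameters: N=2**14, r=8 means each guess touches
# roughly 16 MiB of memory. Tune N upwards on real hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def salted_sha256(password: str, salt: bytes) -> bytes:
    """The 'salt + SHA256' scheme the post argues against: one fast hash."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def scrypt_kdf(password: str, salt: bytes, n: int = SCRYPT_N,
               r: int = SCRYPT_R, p: int = SCRYPT_P) -> bytes:
    """A memory-hard KDF from the standard library (needs OpenSSL 1.1+)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          dklen=KEY_LEN)


def store_password(password: str) -> str:
    """Build a self-describing record: algorithm, cost params, salt, hash."""
    salt = os.urandom(16)  # fresh random salt per password
    digest = scrypt_kdf(password, salt)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(record: str, candidate: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        return False
    digest = scrypt_kdf(candidate, bytes.fromhex(salt_hex), int(n), int(r), int(p))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def dictionary_attack(target: bytes, salt: bytes,
                      hash_fn: Callable[[str, bytes], bytes]) -> Tuple[Optional[str], int]:
    """Guess from the dictionary. The salt is known to the attacker (it is
    stored next to the hash). Returns (recovered password or None, guesses)."""
    for guesses, candidate in enumerate(COMMON_PASSWORDS, start=1):
        if hmac.compare_digest(hash_fn(candidate, salt), target):
            return candidate, guesses
    return None, len(COMMON_PASSWORDS)


def guesses_per_second(hash_fn: Callable[[str, bytes], bytes], guesses: int) -> float:
    """Measure raw single-threaded guess throughput for hash_fn."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn("guess%d" % i, salt)
    return guesses / (time.perf_counter() - start)


if __name__ == "__main__":
    salt = os.urandom(16)
    # A weak password falls to a dictionary whatever the storage scheme.
    print("salted SHA256:", dictionary_attack(salted_sha256("letmein", salt), salt, salted_sha256))
    print("scrypt:       ", dictionary_attack(scrypt_kdf("letmein", salt), salt, scrypt_kdf))
    record = store_password("correct horse battery staple")
    print("verify:", verify_password(record, "correct horse battery staple"),
          verify_password(record, "correct horse battery stapl"))
    fast = guesses_per_second(salted_sha256, 20000)
    slow = guesses_per_second(scrypt_kdf, 5)
    print("salted SHA256 %.0f guesses/s, scrypt %.1f guesses/s, ratio %.0fx"
          % (fast, slow, fast / slow))
```

The throughput figures are single-threaded CPython, so they understate what a GPU rig achieves against SHA256, but the ratio is the point: the KDF turns a guess into a cost the defender chooses, and that cost is what the dictionary run pays for every candidate. Note also that the record carries its own parameters, so the work factor can be raised later without invalidating existing hashes.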
So in summary:
- If you aren’t enforcing strong passwords, it doesn’t really matter how you store them, they’ll still be easy to recover. Garbage-in-garbage-out.
- When it comes to password storage, the hash function isn’t anywhere near as important as the KDF.
- If you are still recommending something home-brewed rather than a KDF for processing passwords prior to storage, then stop.
References
- [1] http://www.dailydot.com/technology/myspace-database-hack-leakedource/
- [2] Conventional Wisdom is a body of ideas that are generally accepted to be true, however they are not necessarily so. https://en.wikipedia.org/wiki/Conventional_wisdom
- [3] http://blog.ircmaxell.com/2011/08/rainbow-table-is-dead.html
- [4] https://en.wikipedia.org/wiki/Key_derivation_function