Passwords

From SecurePHPWiki

Introduction

Passwords should always be stored encrypted in a database. In the event of a cracker gaining access to your database, you want to either prolong the cracking of the password hashes, or prevent it altogether. This section will mention methods to prevent your hashes from being cracked, password techniques, and methods that crackers use to break a hash.

--DJ.Bri.T 21:38, 5 April 2006 (EDT)


Cracker Techniques

There are three common methods of cracking password hashes once a cracker has accessed your hash.

Dictionary Attack

The simplest way, yet the least reliable, is a dictionary attack: a program runs through a list of words, hashes each one, and compares the generated hash with the stolen hash to see if there is a match.

Rainbow Table Attack

The next step a cracker would take is to look the hash up in a rainbow table. Rainbow tables are pre-generated lists of strings and their corresponding hashes. The idea behind a rainbow table is that the time needed to crack the password is drastically reduced, at the cost of the very large space the table takes up. This has a fairly good success rate for passwords under 8 characters.

Brute-Force Attack

The final step, if the above two didn't work, is to brute-force the password: every possible combination of letters and numbers (depending on the selected character set) is tried, hashed and checked until a match is found. This is very inefficient, yet has a 100% success rate given enough time and the proper character set.

Password Techniques

There are a number of techniques that can be used to create a strong password.

  1. Never use a dictionary word, or a slightly modified dictionary word. One of the first attacks a cracker will use is a dictionary attack, where the program runs through a dictionary and tries all of the words. If one of these words is your password, the hash could be cracked within minutes.
  2. Use a combination of uppercase letters, lowercase letters, numbers, and (when allowed) symbols. Adding one of these elements significantly decreases the chance of your password being cracked, and can mean the difference between minutes, hours, days, or even weeks. If all four of these are used, a successful crack could take over a year.
  3. Use at least an 8-character password. Most sites require a 6-character password. This is not nearly enough. Even using only lowercase letters, an 8-character password could take around a day or two to crack. With all of the above combinations of characters, you can increase that time to over one year.
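As an added example (not code from the original page), here are the three rules above as a PHP 7.4+ check that also reports the search space a brute-force attack would face. The word list, the 33-symbol count and the one-billion-guesses-per-second rate are assumptions; a real deployment would load a full dictionary file.

```php
<?php
// Added example, not from the wiki page. WORDLIST and the guess rate are
// constructed assumptions used only for this demonstration.

const WORDLIST = ['password', 'secret', 'letmein', 'dragon', 'monkey'];
const ASSUMED_GUESSES_PER_SECOND = 1e9; // assumed cracking speed, for the estimate only

// Rule 1: a dictionary word, or one with leetspeak or trailing digits/symbols, is no good.
function isDictionaryBased(string $password, array $wordlist): bool
{
    $lower  = strtolower($password);
    $core   = preg_replace('/[^a-z]+$/', '', $lower);          // drop "123!" style suffixes
    $deleet = fn(string $s): string =>                           // undo common substitutions
        strtr($s, ['@' => 'a', '0' => 'o', '1' => 'i', '3' => 'e', '$' => 's', '5' => 's']);
    return in_array($deleet($lower), $wordlist, true) || in_array($deleet($core), $wordlist, true);
}

// Rule 2: which of the four character classes the password uses and how many symbols
// each adds to the alphabet (33 printable ASCII symbols is an assumption; the page
// counts only the five common ones).
function alphabetUsed(string $password): array
{
    $classes = ['lower' => '/[a-z]/', 'upper' => '/[A-Z]/', 'digit' => '/[0-9]/', 'symbol' => '/[^a-zA-Z0-9]/'];
    $sizes   = ['lower' => 26, 'upper' => 26, 'digit' => 10, 'symbol' => 33];
    $used    = array_filter($classes, fn(string $re): bool => (bool) preg_match($re, $password));
    return array_intersect_key($sizes, $used);
}

// Rules 1-3 together, with the brute-force search space and the days needed to
// exhaust it at the assumed guess rate.
function evaluatePassword(string $password): array
{
    $alphabet = alphabetUsed($password);
    $space    = pow(array_sum($alphabet), strlen($password));
    $problems = [];
    if (isDictionaryBased($password, WORDLIST)) $problems[] = 'dictionary word or a simple variant of one';
    if (count($alphabet) < 2)                   $problems[] = 'uses only one character class';
    if (strlen($password) < 8)                  $problems[] = 'shorter than 8 characters';
    return [
        'ok'              => empty($problems),
        'problems'        => $problems,
        'search_space'    => $space,
        'days_to_exhaust' => $space / ASSUMED_GUESSES_PER_SECOND / 86400,
    ];
}

foreach (['dr@gon1', 'xkqwpzmt', 'T7#kLp9!q2'] as $candidate) {   // constructed candidates
    $r = evaluatePassword($candidate);
    printf("%-12s %-3s space=%.2e days=%.3g %s\n", $candidate, $r['ok'] ? 'OK' : 'BAD',
        $r['search_space'], $r['days_to_exhaust'], implode('; ', $r['problems']));
}
```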

Protecting Your Passwords

Needless to say, passwords should always be encrypted. The most common encryption is MD5, because of its impossibility to decrypt. There are two common techniques for protecting this hash further than simply hashing the password.

  1. Double-Encrypting - Encrypting the password twice, with either a second algorithm, or the same one, can drastically improve your security. Attempting to crack an MD5 hash twice is extremely hard.
  2. Salting - Salting is defined as adding extra characters to the beginning or end of a password before hashing it to decrease the chance of the password being crackable. By adding extra characters, the password can get to a point where it is nearly impossible to crack.

You can obviously combine these two techniques. If you're extremely anal about security, you can salt the password, hash it in MD5, then salt the hash and MD5 it again. This has the potential to be uncrackable.

Limitations of MD5

Because an MD5 hash is always the same number of characters, MD5 has its limitations. MD5 is a 32-character hexadecimal hash. At first glance this may seem like pretty secure encryption, but let’s look further. Because of the limit of 32 hexadecimal characters, there are only 16^32 = 3.40282367 × 10^38 possible hashes. A massive number. But let’s take all 20-character strings. Not so big a number. You have 26 uppercase letters, 26 lowercase letters, 10 digits, space, period, hyphen, underscore and comma: 67 characters total. And this isn’t even all the characters in use, only the common ones. Therefore: 67^20 = 3.32273766 × 10^36 combinations. Look at how close these two numbers are, and we’re only considering 20-character strings, nothing longer. Looking at it this way, if you add a large salt to the string you encrypt, there’s a good possibility that its hash is the same as that of a substantially smaller string, say 5 or 6 characters. Therefore, cracking this encryption would take a lot less time.

An ideal way of encrypting your password to prevent collisions is to MD5 a salted password, then append it to another hash, such as a SHA1. Adding a salt to this would be the icing on the cake, making your passwords much more secure. The odds of a collision happening in two different encryptions are so close to zero that they can safely be ignored.
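As an added example (not code from the original page), the storage and login side of the scheme described in the last two sections: salt, MD5, salt the hash and MD5 again, with a salted SHA1 appended. The per-user random salt, the "salt:hash" record layout and the demonstration password are assumptions of this example; it needs PHP 7+ for random_bytes().

```php
<?php
// Added example, not from the wiki page. Record layout and per-user random salt
// are assumptions of this demonstration.

// A fresh random salt per user, so two users with the same password get different hashes.
function makeSalt(): string
{
    return bin2hex(random_bytes(8));   // 16 hex characters
}

// Salt, MD5, salt the hash, MD5 again; then append a salted SHA-1 (32 + 40 hex chars).
function hashPassword(string $password, string $salt): string
{
    $salted = $salt . $password;
    $md5    = md5($salt . md5($salted));
    $sha1   = sha1($salted);
    return $md5 . $sha1;
}

// What goes into the database: the salt must be stored alongside the hash,
// otherwise the password can never be verified again.
function makeRecord(string $password): string
{
    $salt = makeSalt();
    return $salt . ':' . hashPassword($password, $salt);
}

// Login check. hash_equals() compares in constant time, so the comparison itself
// does not leak how many leading characters of the hash matched.
function verifyPassword(string $password, string $record): bool
{
    $parts = explode(':', $record, 2);
    if (count($parts) !== 2 || strlen($parts[1]) !== 72) {
        return false;                          // malformed record, never a match
    }
    return hash_equals($parts[1], hashPassword($password, $parts[0]));
}

// Constructed demonstration values: correct password, a near miss, and a second
// record for the same password (which differs because the salt is fresh).
$record = makeRecord('correct horse');
var_dump(verifyPassword('correct horse', $record));
var_dump(verifyPassword('correct horse ', $record));
var_dump(makeRecord('correct horse') === $record);
```

PHP 5.5 and later also provide password_hash() and password_verify(), which generate the salt and apply a deliberately slow hash for you; for new code they are the drop-in replacement for the hand-rolled construction above.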