{"id":4387,"date":"2023-04-11T16:25:16","date_gmt":"2023-04-11T13:25:16","guid":{"rendered":"https:\/\/easycourses.pro\/?p=4387"},"modified":"2025-08-08T08:54:48","modified_gmt":"2025-08-08T05:54:48","slug":"password-hashing-how-to-keep-your-database-secure","status":"publish","type":"post","link":"https:\/\/learnway.shop\/en\/password-hashing-how-to-keep-your-database-secure\/","title":{"rendered":"Password hashing: How to keep your database secure."},"content":{"rendered":"\n

Hash algorithms are one-way functions. They take any string and turn it into a fixed-length fingerprint that cannot be reversed. This means that if your data in your database is compromised, a hacker will not be able to obtain user passwords if they have been well hashed. <\/p>\n\n\n\n

Websites using hashing typically have a workflow like this:<\/p>\n\n\n\n

    \n
  1. The user creates an account.<\/li>\n\n\n\n
  2. Their password is hashed and stored in a database.<\/li>\n\n\n\n
  3. When a user attempts to log in, the hash of their entered password is compared with the hash stored in the database.<\/li>\n\n\n\n
  4. If the hashes match, the user can gain access to the account.<\/li>\n\n\n\n
  5. If not, a generic error message such as “Invalid credentials entered” is sent, so hackers can’t trace the error back to the username or password.<\/li>\n<\/ol>\n\n\n\n
    hash(\"hello\") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  hash(\"hellu\") = 3937f988aeb57b6fd75b9c71bf17b9658ec97823ba b613df438389b0c896b724  hash(\"danny\") = 668e2b73ac556a2f051304702da290160b29bad3392ddcc72074fefbee80c55a<\/code><\/code><\/pre>\n\n\n\n
    NOTE<\/em><\/strong>. Only secure or cryptographic hash functions (SHA256, SHA512, RipeMD, WHIRLPOOL, etc.) can be used to hash the password.<\/p>\n\n\n\n
    Unfortunately, simply cryptographic hashing of passwords does not provide security.<\/p>\n\n\n\n
    Hack hash<\/h4>\n\n\n\n
    The easiest way to decrypt a hash is to just guess the password, hash the guess, and compare it to the hash of the actual password you’re trying to guess. <\/p>\n\n\n\n
    The selection <\/strong>goes through all possible combinations of characters. While it is possible to eventually 100% crack any given password, this method is difficult to use due to its high computational cost. Some passwords, even those that are quite short in length, can take (literally) thousands of years to crack using brute force.<\/p>\n\n\n\n
    Trying aaa: failed\nTrying aab : failed\nTrying aac: failed\n...\nTrying acb: failed\nTrying acc: success!<\/code><\/pre>\n\n\n\n
    Dictionary attacks<\/strong> use a file containing commonly used words, phrases, or passwords that are likely to be the password in use. There are even databases with 100,000 (or something close) of the most commonly used passwords. The attack hashes these passwords and compares the hash with the crack password. This method is certainly faster than using a brute force attack.<\/p>\n\n\n\n
    Lookup tables<\/strong> can improve cracking performance by pre-calculating hashes so that when it comes time to guess a password, the program doesn’t have to spend time calculating by actually hashing the guesses.<\/p>\n\n\n\n
    In the next section, we’ll look at the “salting” that makes it impossible to 100% use these hacking methods.<\/p>\n\n\n\n
    Salting<\/h4>\n\n\n\n
    The reason lookup tables, dictionary attacks, and brute force attacks can work is because passwords are hashed the same way every time. We can randomize the hash by adding a random string, called a salt, to the passwords BEFORE hashing.<\/p>\n\n\n\n
    hash(\"hello\") = 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\nhash(\"hello\" + \"jHjdbJShdiodb\") = 6f7f167a978166ee23b32c9531ce5dc23ae8fc26e412045858d938d11470831f<\/code><\/pre>\n\n\n\n
    If the user’s password is qwerty<\/strong>, we will get the following hash: d8578edf8458ce06fbc5bb76a58c5ca4<\/strong>. If an attacker gains access to our database, to guess passwords, he can use ready-made services that already have values that give this hash, or he can guess them himself.<\/p>\n\n\n\n
    To protect against already prepared hash tables with values, you can use a static salt:<\/p>\n\n\n\n
           $password = md5($password . \"MyUniqueSault\");<\/code><\/pre>\n\n\n\n
    Now, with the same password qwerty<\/strong> , we will get a completely different hash bdadb0330124cda0e8499c9cd118f7bd<\/strong>. Ready-made tables will no longer help the attacker; he will have to use brute force. This is where the disadvantage of static salt lies: an attacker will be able to generate his own hash table with a static salt and obtain the values of most passwords from the database. To eliminate this disadvantage, a unique salt is used for each hash:<\/p>\n\n\n\n
     $sault = GenerateRandomString();      <\/code> $password = md5($password . $sault);\n<\/code><\/code><\/pre>\n\n\n\n
    Those. Now, in addition to the login\/password hash, the database will need to store the value of the generated salt for each user. Let’s look at an example: we have two users: user1 and user2. Both use the password qwerty<\/strong>. But the first one generated salt zxcv<\/strong> and the second one asdf<\/strong>. As a result, users with the same password will have different hashes: 1d8f3272b013387bbebcbedb4758586d<\/strong> and a192862aa3bf46dffb57b12bdcc4c199<\/strong>. What this gives: now it will not be possible to generate one hash table to find the value of hex the dynamic salt will have to be generated again.<\/p>\n\n\n\n
    What you should and shouldn’t salt<\/h4>\n\n\n\n
    Not recommended:<\/strong><\/p>\n\n\n\n
      \n
    • Reuse the same salt for each password hash<\/li>\n\n\n\n
    • Use short salts<\/li>\n\n\n\n
    • Use weird double hashes (eg: hash(hash(hash(‘mypass’)))) in salt<\/li>\n<\/ul>\n\n\n\n
      Recommended:<\/strong><\/p>\n\n\n\n
        \n
      • Generating random salts using a cryptographically secure pseudo-random number generator (CSPRNG)<\/li>\n\n\n\n
      • Generate a new random unique salt for EACH password hash<\/li>\n\n\n\n
      • Generate LONG salts<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
        Hash algorithms are one-way functions. They take any string and turn it into a fixed-length fingerprint that cannot be reversed. This means that if your data in your database is compromised, a hacker will not be able to obtain user passwords if they have been well hashed.  Websites using hashing typically have a workflow like <\/p>\n","protected":false},"author":527,"featured_media":4388,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[146,150,109,142,32],"tags":[],"acf":[],"_links":{"self":[{"href":"https:\/\/learnway.shop\/en\/wp-json\/wp\/v2\/posts\/4387"}],"collection":[{"href":"https:\/\/learnway.shop\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/learnway.shop\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/learnway.shop\/en\/wp-json\/wp\/v2\/users\/527"}],"replies":[{"embeddable":true,"href":"https:\/\/learnway.shop\/en\/wp-json\/wp\/v2\/comments?post=4387"}],"version-history":[{"count":3,"href":"https:\/\/learnway.shop\/en\/wp-json\/wp\/v2\/posts\/4387\/revisions"}],"predecessor-version":[{"id":39043,"href":"https:\/\/learnway.shop\/en\/wp-json\/wp\/v2\/posts\/4387\/revisions\/39043"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/learnway.shop\/en\/wp-json\/wp\/v2\/media\/4388"}],"wp:attachment":[{"href":"https:\/\/learnway.shop\/en\/wp-json\/wp\/v2\/media?parent=4387"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/learnway.shop\/en\/wp-json\/wp\/v2\/categories?post=4387"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/learnway.shop\/en\/wp-json\/wp\/v2\/tags?post=4387"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}