Published on
Keeping user passwords secure should be a top priority for every system administrator. Stolen login credentials are one of the easiest and most common ways for cybercriminals to gain entry to systems and wreak havoc, as recent headline-making breaches have made clear.
If your organization is still storing user passwords as plaintext files, you are exposing your data to unnecessary risk. Hashing and salting are strategies you should implement to keep your password data as secure as possible.
Not sure where to begin? We have rolled out three new sandbox-based, web application lessons that will help your organization move from password exposed to password secure.
Secure Password Storage: Lesson One
This lesson focuses on registration functionality, specifically a comparison of plaintext versus hashed user passwords. The coding exercise is framed in the context of a SQL injection attack, where the attacker gains access to plaintext passwords. Once this information is obtained, the attacker can authenticate as someone else and gain access to internal systems.
After completing this lesson, the learner should:
- Understand the fundamentals of hashing – what it is and how it works
- Identify techniques for hashing in different programming languages
- Leverage hashing to harden storage of user passwords
- Know the downsides to a hash-only approach
Learners will have the opportunity to practice patch testing for:
- 500 Error
- Normal login/registration functionality
- Test vulnerability: register new user >> look up stored password in database
Secure Password Storage: Lesson Two
This lesson dives deeper into the shortcomings of relying solely on hashing to protect passwords. It also introduces learners to the complementary technique of salting for added security.
After completing this lesson, the learner should:
- Understand the fundamentals of salts – what they are, how they are created, and the properties of secure salt generation functions
- Identify techniques for generating salts in different languages
- Learn how to incorporate salting into the hash-only authorization flow from Lesson One
- Know the basics of key derivative functions, including why they are used instead of simpler approaches
- 500 Error
- Normal login/registration functionality
- Test vulnerability: register two users with identical passwords >> ensure passwords do not match
Secure Password Storage: Lesson Three
This lesson will explore the weaknesses of using fast hashing algorithms like MD5 or SHA-256 and discuss alternative key derivative functions (KDF), including argon2. This final lesson in this series is intended to align with and supplement complementary video lessons on password hashing, including C+ Hashing Passwords and Java Hashing Passwords on the Security Journey platform.
Upon completion, learners should:
- Understand why fast hashing algorithms are insecure, even with salts
- Explain differences between hash functions and KDFs
- Know and explain key stretching
- Describe how KDFs can be tuned to meet security needs using parameters
- Incorporate argon2 into an insecure authentication scheme
Learners will have the opportunity to practice patch testing for:
- 500 Error
- Normal login/registration functionality
- Test vulnerability: check format of stored keys and verify stored keys using library-provided functions
For more information on these new lessons, reach out to your Customer Success Manager or schedule a demo to learn more.
