Solved

Password Hashing vs Encryption for long term viability

Posted on 2016-08-03
Last Modified: 2016-08-06
Hi there,
I currently store all of our users' passwords in our database using AES encryption with unique salt per user combined with a site specific encryption key.

I'm looking at increasing our security by implementing password hashing so that the users' passwords are not stored in our database in a way that they can be retrieved if the database becomes compromised.

The issue that I am slowly realising is that once I implement password hashing I will most likely be unable to change algorithms in the future.

For example:
Originally people were told to use MD5 hashing on their passwords.

That became compromised/easily cracked so they started using SHA hashing.

That again changed and people were told to use the more secure SHA128, SHA256, SHA512 algorithms, etc.

If my users' passwords were originally stored as an MD5 hash, am I stuck using that forever? Without access to the original password I'm unable to change to a newer hashing algorithm.

Before I hash my passwords and delete my encrypted passwords I would like to know how people handle the task of upgrading hashing algorithms?

Or should I stick to using encryption?
Question by:SoLost
3 Comments
 
LVL 61

Expert Comment

by:btan
ID: 41741823
It should be straightforward as long as you keep to security practices that
1) no passwords are stored in plain
2) no weak hash is used
3) strong passphrase is enforced
4) second factor authentication is used
5) password recovery and revocation are verified regularly
6) policies to govern the account and access rights are checked and reviewed regularly
7) audit trail for account changes, esp. for privileged users like admin, is verified and available to alert on anomalous activities

Use of salt is good for HMAC hashed passwords, like the use of PKCS#5.

Use of the SHA2 family is the secure hash (there is already SHA3), as others have surfaced as being very susceptible to brute-force schemes.

You should stick with keeping a strong passphrase and the SHA2 family, and ultimately second factor authentication will give you high assurance and deterrence against adversaries.

You can check an EE article on strong passphrases
https://www.experts-exchange.com/articles/18309/Choosing-an-easy-to-remember-strong-password.html
 
LVL 29

Accepted Solution

by:
Olaf Doschke earned 500 total points
ID: 41741877
A change of hashing means you have a grace period of allowing old and new hash checks. Since you have the password at the time of login, you can hash it with a stronger hash algorithm and then mark that user's record as using the new hash.

Here's how that's ideally implemented in a situation with compromised user data: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet#Design_password_storage_assuming_eventual_compromise

One part of it says you better only allow the old hash login with a 2nd factor or secret question answer, as in a password recovery process. You don't need that in case you're not recovering from a hack of the data, but it's a good idea to start implementing such mechanisms for future cases. You can make the transition quite secretly, but if you wish to accelerate the transition you may mail users to log in to make that transition; you obviously can't make it without their login, as you don't store the password.

With users logging in rarely, you might suspend their account and force them to go through password recovery. That could be done perhaps one week/month after the new hash is rolled out and the users still haven't logged in again.

Bye, Olaf.
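The grace-period upgrade described in the accepted answer, as an added example that is not part of the original thread: each record carries a scheme tag, a successful login against the old hash re-hashes the password with the new scheme, and legacy records left over after the grace period are sent to password recovery. The record layout, the 30-day window, the function names and the choice of PBKDF2-HMAC-SHA256 as the new scheme are assumptions; salted MD5 as the legacy scheme follows the question's example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

NEW_SCHEME = "pbkdf2_sha256"     # assumption: the scheme being rolled out
PBKDF2_ITERATIONS = 600_000      # assumption: tune to your own hardware
GRACE = timedelta(days=30)       # assumption: length of the grace period

def digest(scheme, password, salt, iterations):
    if scheme == "md5":          # legacy scheme, only verified during the grace period
        return hashlib.md5(salt + password.encode()).digest()
    if scheme == NEW_SCHEME:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    raise ValueError(f"unknown scheme {scheme!r}")

def make_record(password, scheme=NEW_SCHEME, iterations=PBKDF2_ITERATIONS):
    """Build the per-user row: scheme tag, fresh random salt, parameters, hash."""
    salt = os.urandom(16)
    return {"scheme": scheme, "salt": salt, "iterations": iterations,
            "hash": digest(scheme, password, salt, iterations)}

def login(record, password, rollout, now):
    """Return 'ok', 'bad_password' or 'recovery_required'.

    A correct login against a legacy record upgrades the record in place,
    because this is the only moment the server holds the plaintext password.
    """
    legacy = record["scheme"] != NEW_SCHEME
    if legacy and now > rollout + GRACE:
        return "recovery_required"       # grace period over: old hash no longer accepted
    expected = digest(record["scheme"], password, record["salt"], record["iterations"])
    if not hmac.compare_digest(expected, record["hash"]):
        return "bad_password"
    if legacy:
        record.update(make_record(password))   # new salt, new scheme, old hash discarded
    return "ok"

if __name__ == "__main__":
    rollout = datetime(2016, 8, 3)                   # constructed sample data
    user = make_record("correct horse", scheme="md5")
    print(login(user, "correct horse", rollout, rollout + timedelta(days=2)), user["scheme"])
    stale = make_record("hunter2", scheme="md5")
    print(login(stale, "hunter2", rollout, rollout + timedelta(days=45)), stale["scheme"])
```
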
 
LVL 5

Author Closing Comment

by:SoLost
ID: 41745934
Thank you, exactly what I was looking for.