Solved

Is 'hashed password salting' applicable to Android, C#, .Net & Java coding?

Posted on 2016-08-14
2
55 Views
Last Modified: 2016-08-14
"Hashed password should be salted to prevent rainbow table attack. The salt value should be unique and have reasonable length for each user" :
I saw the above secure coding standard being proposed by our apps development vendor.
I've always thought salting is for database-stored items/passwords, so is the above standard applicable to apps coding?
0
Question by:sunhux
2 Comments
 
LVL 30

Assisted Solution

by:Alexandre Simões
Alexandre Simões earned 80 total points
ID: 41755371
Encryption strategies have nothing to do with the platform or logical area in which they are used.
All efforts to prevent something that is encrypted from being decrypted by an unauthorized party should be welcome.

For me, the question is always related to the confidentiality of what is being encrypted versus the encryption method complexity.
The platform should be pretty much transparent.

In your case, you're speaking about passwords anyway. Isn't this related to the storage of the passwords?

Cheers,
Alex
0
 
LVL 61

Accepted Solution

by:btan
btan earned 420 total points
ID: 41755378
Salting on top of hashing is to add deterrence from hash cracking. Any application that requires use of a password should ensure a strong password hash is created prior to storing it, e.g. in the DB or another form of directory store. It is not only pertaining to the DB, though that is the common main store of user account details for applications. Some even use the salt (as in the PBKDF2(PRF, Password, Salt, c, dkLen) scheme) to derive a key for user-specific encryption or for the account use case concerned. In the latter case, salts are closely related to the concept of a nonce.

A system storing simple non-salted password hashes will not slow down the attacker; hashes are commonly cracked by Dictionary Attacks, Brute Force Attacks, Lookup (pre-computed), Reverse Lookup (without pre-computation) or Rainbow (time-memory trade-off) Tables.

Specifically, lookup tables and rainbow tables only work because each password is hashed the same way. So users with the same password will have the same hashes - easily discovered and revealed. Therefore, randomising each hash even with the same password has introduced a random string, called a salt (as you may know already). Of course, this does not fully deter; an important part is to also adopt slow hash functions:
To make these attacks less effective, we can use a technique known as key stretching.

The idea is to make the hash function very slow, so that even with a fast GPU or custom hardware, dictionary and brute-force attacks are too slow to be worthwhile.
Key stretching is implemented using a special type of CPU-intensive hash function. Don't try to invent your own: simply iteratively hashing the hash of the password isn't enough, as it can be parallelized in hardware and executed as fast as a normal hash.
These algorithms take a security factor or iteration count as an argument. This value determines how slow the hash function will be.
and choosing a "random" unique salt e.g.
Salt should be generated using a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG). CSPRNGs are very different than ordinary pseudo-random number generators, like the "C" language's rand() function.
The salt needs to be unique per-user per-password. Every time a user creates an account or changes their password, the password should be hashed using a new random salt. Never reuse a salt. The salt also needs to be long, so that there are many possible salts. As a rule of thumb, make your salt at least as long as the hash function's output. The salt should be stored in the user account table alongside the hash.
http://www.codeproject.com/Articles/704865/Salted-Password-Hashing-Doing-it-Right

Do see the OWASP password strategy
Use a cryptographically strong credential-specific salt

A salt is a fixed-length, cryptographically-strong random value. Append credential data to the salt and use this as input to a protective function. Store the protected form appended to the salt as follows:

[protected form] = [salt] + protect([protection func], [salt] + [credential]);
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

and also see the EE article on choosing a strong passphrase, specifically regarding 2FA:
6. Many online accounts offer something called two-factor authentication, also known as two-step verification or 2FA. This is where you need more than just your passphrase to log in, such as a passcode sent to your smartphone. This option is much more secure than just a passphrase by itself. Whenever possible, always use these stronger methods of authentication.
https://www.experts-exchange.com/articles/18309/Choosing-an-easy-to-remember-strong-password.html
1
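The accepted answer's recipe (fresh CSPRNG salt per password, salt at least as long as the hash output, an iteration count as the work factor, salt stored alongside the hash) in runnable, platform-neutral form. This is an added example, not code from the question, either answer, or the linked articles; the constants, the `algorithm$iterations$salt$hash` storage format and the sample passwords are this example's own choices. It uses PBKDF2-HMAC-SHA256 from the Python standard library, which has direct equivalents in Java (`PBKDF2WithHmacSHA256` via `SecretKeyFactory`) and .NET (`Rfc2898DeriveBytes`), so the same structure carries over to the platforms named in the question.

```python
"""Salted, key-stretched password storage with PBKDF2-HMAC-SHA256.

Added example (not the page's own code). Constants and record format are
this example's assumptions, chosen to follow the answer's guidance.
"""
import base64
import hashlib
import hmac
import secrets

HASH_NAME = "sha256"
SALT_BYTES = 32               # SHA-256 output is 32 bytes; salt >= hash length
DEFAULT_ITERATIONS = 600_000  # work factor; tune so one hash costs ~100 ms on your hardware
DK_LEN = 32                   # derived-key length in bytes


def unsalted_hash(password: str) -> str:
    """What the answer warns against: identical passwords give identical hashes,
    so one precomputed lookup/rainbow table cracks every user sharing a password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (base64 fields).

    Storing the iteration count with the hash lets old records be verified and
    later upgraded when the work factor is raised.
    """
    salt = secrets.token_bytes(SALT_BYTES)  # CSPRNG, fresh for every hash; never rand()-style
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, iterations, DK_LEN)
    return "$".join([
        "pbkdf2-" + HASH_NAME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2-" + HASH_NAME:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, int(iters), len(expected))
    return hmac.compare_digest(actual, expected)  # avoids timing leaks on mismatch


def needs_rehash(record: str, target_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the record was made with a weaker work factor than currently required;
    the caller can re-hash with the plaintext at the user's next successful login."""
    return int(record.split("$")[1]) < target_iterations


def demo() -> dict:
    """Two users with the same (constructed) password: unsalted hashes collide,
    salted records differ, and each still verifies only its own password."""
    pw = "correct horse battery staple"  # constructed sample password
    rec_alice = hash_password(pw, iterations=10_000)  # low count to keep the demo quick
    rec_bob = hash_password(pw, iterations=10_000)
    return {
        "unsalted_identical": unsalted_hash(pw) == unsalted_hash(pw),
        "salted_distinct": rec_alice != rec_bob,
        "alice_ok": verify_password(pw, rec_alice),
        "bob_ok": verify_password(pw, rec_bob),
        "wrong_rejected": not verify_password("Tr0ub4dor&3", rec_alice),
        "upgrade_due": needs_rehash(rec_alice),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two design points worth noting: the record carries its own iteration count, so raising `DEFAULT_ITERATIONS` later does not invalidate existing accounts (they verify as before and `needs_rehash` flags them for upgrade), and verification uses `hmac.compare_digest` rather than `==` so a mismatch takes the same time regardless of where the bytes differ.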
