Secure Credential Management
Securely storing credentials
Passwords are the most popular method for implementing an authentication system despite their security issues. As a result, a cat-and-mouse game between hackers and defenders has forced several evolutions in how passwords are stored.
Learn Applied Cryptography
Hash functions prevent password theft
The simplest method for implementing a password-based authentication system is to store a list of username/password pairs. When a user attempts to log in, a simple string comparison can determine whether or not the provided password is correct.
The problem with this approach is that, eventually, this file will be stolen or misused. Anyone with access to the password file has complete control over every user account on the system.
For this reason, computers store password hashes rather than the passwords themselves. Since hash functions are deterministic and collision-resistant, comparing a stored password hash and the hash of a provided password is almost as good as comparing the passwords themselves. Additionally, since hash functions are a one-way function, a leak of password hashes does not allow an attacker to reverse-engineer them to learn the original passwords.
Salting protects against rainbow tables
The determinism of hash functions — while essential for their use in password-based authentication systems — also creates issues. Two identical passwords hashed using the same algorithm will produce the same hash output.
This is problematic for a few different reasons. The first is that commonly-used passwords are easily identifiable. Simply looking for the most common hash output in the list and comparing it to the top ten list of common passwords is likely to find a match. Then, all accounts with that password are easily identified and accessible to the attacker.
The second is that hash function determinism makes rainbow tables possible. A rainbow table is a precomputed lookup table of hash outputs and the corresponding input. With a rainbow table for a particular hash algorithm, an attacker can easily identify the passwords associated with various stored hash values.
The practice of salting passwords is designed to deter the use of rainbow tables. A salt is just a publicly-known, unique and random value appended to the password before hashing. Unless an attacker has a rainbow table for that particular salt, then the only way to guess the password is through a brute-force search. Also, since each user on a system should have a unique salt, cracking the password of one user does not break multiple accounts’ security since the attacker can’t simply identify all of the accounts that have the same password hash value.
Key derivation functions deter brute-force attacks
A strong hash function and a unique salt makes it necessary for an attacker to crack passwords via a password guessing attack. Ideally, this should be computationally infeasible since everyone uses unique, long and random passwords.
In practice, a dictionary attack or a brute-force attack on short passwords is likely to have a high probability of success. Modern computers have evolved to the point where they can test a massive number of potential passwords per second.
Key Derivation Functions (KDFs) are designed to make this type of attack less effective by slowing it down. Instead of performing a single hash calculation to transform a password to the value stored by a computer, the hash function is applied repeatedly for a set number of times. For a legitimate user, this has a minimal performance impact, but increasing the time required to test a particular password by a factor of ten has a significant impact on the speed at which a brute-force password guessing attack can be performed.
Only MFA stops weak/reused passwords
For the 65% of people that reuse the same password over multiple or all of their online accounts, no secure credential management strategy is going to solve the problem. If the attacker only has to guess one or two passwords before they find the right one, a KDF will have minimal impact.
This is why multi-factor authentication is essential for any password-based authentication system. If the password provides minimal security for a significant percentage of the population (since 10% of people use one of the 25 most common passwords), a second factor is necessary to protect account security.
Proper credential management
When implementing an authentication system based on passwords, it is important to ensure that credentials are stored securely. In 2019, 1,473 data breaches were reported, and a number of these included hashes of stored passwords. The use of broken hash algorithms or improper use of salting could enable these passwords to be easily cracked by cybercriminals.
Learn Applied Cryptography
Sources
Learn applied cryptography and cryptanalysis
What you'll learn:
- Cryptography fundamentals
- Public key infrastructure
- Blockchain technology
- SSL and TLS
- And more
In this Series
- Secure Credential Management
- How does hashing work: Examples and video walkthrough
- How does encryption work? Examples and video walkthrough
- Planning for post-quantum cryptography: Impact, challenges and next steps
- Beginner’s guide to the basics of data encryption
- Structures of cryptography
- Role of digital signatures in asymmetric cryptography
- What is homomorphic encryption?
- Encryption and etcd: The key to securing Kubernetes
- Quantum cyberattacks: Preparing your organization for the unknown
- An Introduction to asymmetric vs symmetric cryptography
- Breaking misused stream ciphers
- Entropy calculations
- Blockchain and asymmetric cryptography
- Security of the PKI ecosystem
- Elliptic curve cryptography
- Methods for attacking full disk encryption
- Introduction to Public Key Infrastructure (PKI)
- Introduction to the TLS/SSL cryptography protocol
- Introduction to Diffie-Hellman Key Exchange
- Introduction to the Rivest-Shamir-Adleman (RSA) encryption algorithm
- Introduction to full disk encryption
- 8 reasons you may not want to use VPNs
- Rivest Cipher 4 (RC4)
- Understanding stream ciphers in cryptography
- Cryptography Errors
- Understanding block ciphers in cryptography
- How to mitigate Credential Management Vulnerabilities
- How To Exploit Credential Management Vulnerabilities
- Poor Credential Management
- How Is Cryptography Used In Applications?
- Decrypting Downloaded Files
- Introduction to hash functions
- Introduction to Asymmetric Cryptography
- The Advanced Encryption Standard (AES)
- Fundamentals of symmetric and asymmetric cryptography
- Case Studies in Poor Password Management
- The ultimate guide to encryption key management
- Principles of cryptography
- Encryption vs Encoding
- Introduction to Cryptanalysis
- Introduction to Blockchain
- Blockchain Technology
- Virtual Private Networks (VPNs)
- Public Key Infrastructure: Architecture & Security
- Hash Functions
- Asymmetric Cryptography
- Fundamentals of Cryptography
- Symmetric Cryptography
- Introduction to cryptography
- Best tools to perform steganography [updated 2020]
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
