
Question about Encrypting passwords

PedroBarbosa

Hey.

I am creating my own system of encrypting passwords in C#, but the thing is I don't know how those actually work.

Example:

Login: LTT

Password: LTT

Is the password encrypted, and then it checks whether the saved encrypted password is the same?

Or does it decrypt the saved password and then check whether they match?

Or is it my pick?


It's not safe to store passwords even encrypted; this is why databases store passwords as hashes. Then, if someone is trying to log in, the application hashes the provided password and compares it with the hash in the database.

You can also salt the password, and thinking about your own way of salting it makes it more difficult to brute-force the hashed password in case of a leak of the database.


Hash tables :) 


It's not safe to store passwords even encrypted; this is why databases store passwords as hashes. Then, if someone is trying to log in, the application hashes the provided password and compares it with the hash in the database.

You can also salt the password, and thinking about your own way of salting it makes it more difficult to brute-force the hashed password in case of a leak of the database.

What's the difference between hash and encrypted?


What's the difference between hash and encrypted?

When you hash something you use an algorithm to place it somewhere in a table. So the password is stored as a hash value, which isn't directly related to the password.


And even if you have a hash, it is not easy for you to know what the password was before hashing. If you use encryption and you are the owner of the service, you can decrypt it and you will know what password someone uses to log in to your service.


When you hash something you use an algorithm to place it somewhere in a table. So the password is stored as a hash value, which isn't directly related to the password.

And why is that safer than the password?


And why is that safer than the password?

And even if you have a hash, it is not easy for you to know what the password was before hashing. If you use encryption and you are the owner of the service, you can decrypt it and you will know what password someone uses to log in to your service.


When you hash something you use an algorithm to place it somewhere in a table. So the password is stored as a hash value, which isn't directly related to the password.

Hashing is just taking some input and transforming it into some output, it doesn't have anything to do with tables.


Hashing is just taking some input and transforming it into some output, it doesn't have anything to do with tables.

Yes, but hash values are often stored in tables, and it's a much easier way to explain things.

i.e. the input is hashed and compared with a value stored in a table, or the hash value itself is stored in a table, depending on the application.


Yes, but hash values are often stored in tables, and it's a much easier way to explain things.

i.e. the input is hashed and compared with a value stored in a table, or the hash value itself is stored in a table, depending on the application.

 

Um, no.

 

A hash table (hash map) is a data structure. The hash used in a hash table and the hash used for a password are the same conceptually but VERY different in implementation.

 

And as has been said, hash maps have nothing to do with storing hashes. Database tables don't have anything to do with hash tables, either. You're confusing and mixing all sorts of unrelated terminology.


Hashing would be a good solution. Like some others have said, hashing is not a hash table. This wiki will help explain it:

 

http://en.wikipedia.org/wiki/Cryptographic_hash_function

 

However, a better and more conventional way of storing passwords is to use a nested hash function.

 

Nested hashing just refers to re-hashing multiple times to increase the time complexity of the operation and thwart brute-force attacks. Often referred to in this context as "key stretching".

 

The accepted best practice is to use a standard hashing algorithm and a salt generated with a cryptographically robust random value algorithm.


Yes, but hash values are often stored in tables, and it's a much easier way to explain things.

i.e. the input is hashed and compared with a value stored in a table, or the hash value itself is stored in a table, depending on the application.

 

Explain what exactly? And that example makes no sense at all. It doesn't even correctly describe how a hashmap or a hashtable works.

 

If you hash something, it is still the same thing, but with a different representation. That's it.


Hash the password and then encrypt the hash! Then even if the database is decrypted, all you have is a list of hashes, which are pretty useless.


Hash the password and then encrypt the hash! Then even if the database is decrypted, all you have is a list of hashes, which are pretty useless.

 

Not necessary; the hashes are useless on their own anyway and the encryption would just slow down the performance of the application. Plus, the weakest link principle applies; hashing is more secure, which is why it is used instead of encryption in the first place.


Not necessary; the hashes are useless on their own anyway and the encryption would just slow down the performance of the application. Plus, the weakest link principle applies; hashing is more secure, which is why it is used instead of encryption in the first place.

Yes, it does slow down the performance, BUT if this is only for storing, say, login information, then the extra few milliseconds required to log in securely really shouldn't make a big difference, as you should only hit the server one time.


Yes, it does slow down the performance, BUT if this is only for storing, say, login information, then the extra few milliseconds required to log in securely really shouldn't make a big difference, as you should only hit the server one time.

 

It doesn't scale with the number of users. And the larger point is that it doesn't increase security so any loss of performance is not justified.


Use md5 with some salt. (http://en.wikipedia.org/wiki/Salt_%28cryptography%29)

That is one-way encryption, which means that it can't be undone once you do it.

Salt is a good thing because the only way to break the encryption is to use "Rainbow tables" (http://en.wikipedia.org/wiki/Rainbow_table), which some hackers have on HDD (a good RT is about ~2TB); it's software with combinations of hash and password like:

If the password is "123456", let's say that the hash is "df8yfsadhujkfsah435v8y9gfvjkhgfs"; rainbow tables have both, and if they find a match with the hash in the table they will decode the password.

So when you use a salt or prefix, you add something to the password by default: the user enters the password "123456", but you have the prefix "something_", so the user's password is "something_123456" and the hash is entirely different. So rainbow tables can't find a match. Try to make something strong for the prefix.

And you don't need to use only md5; there are more one-way encryptions, such as: sha128, sha256, sha512...


 

And you don't need to use only md5; there are more one-way encryptions, such as: sha128, sha256, sha512...

md5 is broken, don't use it for passwords.


md5 is broken, don't use it for passwords.

 

Plus it's fast, which is bad news for password hashing.
