Password theft is among the most damaging data-security failures. Storing plaintext passwords in a SQL database violates every accepted standard of good practice. In this article, systems engineer Ravi Bahethi discusses one-way hashing algorithms that protect user passwords even when an attacker reaches the password table in a SQL database.
SQL and Vulnerabilities
Structured Query Language (SQL) is the standard language for talking to relational databases: it is used to insert and update data and to retrieve it in a structured and efficient way.
Under certain conditions, databases driven by SQL can be attacked by intruders seeking to steal or manipulate data. SQL injection is an attack technique in which untrusted input (a form field, a URL parameter) is concatenated into a SQL statement, so that the attacker's text is executed as part of the query and the database returns, alters or deletes data the application never intended to expose. Attackers often target password information, and prefer to take it without alerting the legitimate database administrators, so that the stolen credentials can be used for ongoing access.
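As an added example that is not part of the original article, here is the attack described above in Python against an in-memory SQLite table; the table, its two rows and the attacker's input are constructed for the demonstration. The vulnerable function concatenates the username into the statement, so the attacker's text becomes SQL and the whole table, plaintext passwords included, comes back; the parameterised version hands the same input to the driver as a value, never as SQL.

```python
import sqlite3

# Constructed sample data: a users table holding plaintext passwords,
# exactly the anti-pattern the article warns against.
SAMPLE_USERS = [
    ("alice", "hunter2"),
    ("bob", "correct horse battery staple"),
]

# Constructed attacker input: closes the quoted string and adds an
# always-true condition, so the WHERE clause matches every row.
ATTACK = "nobody' OR '1'='1"


def build_db():
    """Create the in-memory table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string concatenation: user input becomes SQL text."""
    sql = "SELECT username, password FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: the value is bound separately and cannot change the statement."""
    return conn.execute(
        "SELECT username, password FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    conn = build_db()
    # Vulnerable: every row, passwords included, is dumped to the caller.
    print(lookup_vulnerable(conn, ATTACK))
    # Safe: no user is literally named "nobody' OR '1'='1", so nothing comes back.
    print(lookup_safe(conn, ATTACK))
```

Run it and the first print shows both users with their passwords; the second shows an empty list. The only difference between the two functions is whether the attacker's string is part of the SQL text or a bound parameter, which is why parameterised queries are the standard fix.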
Hash Functions and Password Protection
Hash functions are algorithms that map data of arbitrary size to an output of fixed size. A cryptographic hash function has two further properties: it is collision resistant (finding two different inputs with the same output is computationally infeasible, so in practice every distinct input gets a distinct output) and it is one-way (recovering the input, such as a password, from the output is infeasible). The fixed-size property is what makes hash functions useful for indexing, as in hash tables; the one-way property is what makes them useful for storing passwords. Many cryptographic hash functions exist, including MD5, SHA-256 and HAVAL, although MD5 and HAVAL have published collision attacks and should not be used in new designs. An entire branch of mathematics is devoted to understanding and constructing such functions.
Although hash functions are a very good way to store and compare passwords for authentication, they can be defeated. Humans have great difficulty remembering long passwords, so the passwords we choose are guessable. Worse, an attacker who has stolen the hashes does not need to guess online: against a fast hash such as SHA-256, commodity hardware can test billions of candidate passwords per second, and tables of precomputed hashes for common passwords make the job faster still. Our passwords therefore need help, and that help comes in the form of "salt" and "pepper," colloquially known as "salting and peppering your hashes."
"Salt" or "salting" is the addition of a random value to the password by the program, before hashing, at the moment the password is created. The salt is stored alongside the resulting hash in the user's record, keyed to the username or ID. Every time you type your password, the program retrieves your salt from that record, combines it with the password exactly as it did at creation, runs the result through the same hash function, and compares the output with the stored hash.
The salt does not make your password harder to guess; what it does is make every user's hash different, even when two users chose the same password. An attacker can no longer hash a candidate password once and compare it against every stored value, and cannot use precomputed tables at all: each account must be attacked separately with its own salt. The salt itself need not be secret. It sits next to the hash, and an attacker who reads the table gets it; its value lies in being unique and random, not hidden. What a salt does not do is slow down an attacker who targets one specific account, which is why salting alone is not foolproof.
Because the salt and the hash sit together in the same table, a database breach hands the attacker everything needed to start guessing. "Pepper" or peppering addresses this by mixing a second value into the password before hashing, a value that the program rather than the user supplies and that is deliberately kept out of the database. This is colloquially known as "peppering your hash." There are two common forms. In one, the pepper is a single secret held in the application's configuration or a key store, so that a dump of the password table alone is useless without it. In the other, the program appends a short random value at creation and stores it nowhere; at login the program cycles through every possible value and tests each one, so a legitimate check costs a little more time while every attacker guess costs that many times more. Either way, an attacker who has only the database cannot verify guesses without the pepper, or must multiply the work of every guess by the number of possible peppers.
All of the above depends on the hash function being genuinely one-way, and a cryptographic hash function is one-way by construction: it is designed so that nothing short of trying inputs recovers the original value from the hash, and widely used algorithms such as SHA-256 have withstood years of analysis on that point. Reversing such a hash is therefore not a matter of cleverness but of brute force, and brute force runs into the same cost barrier that protects high-quality encryption, with one difference that favours hashing for passwords: there is no decryption key to steal. Because guessing is the only route, the hash used for passwords should also be deliberately slow; dedicated password-hashing functions achieve this by iterating the hash many thousands of times, which raises the cost of every guess without noticeably delaying a legitimate login.
A SQL database can therefore store only the hash of each password and never the plaintext. To validate credentials, the user enters a password, the program combines it with the stored salt (and the pepper, if one is used) and runs it through the hashing algorithm, and the result is compared with the stored hash for that user. A match authenticates the user. One-way hashing thus protects the password information even if an attacker breaches the database and steals the stored hashes: the attacker obtains values that can be tested against guesses but not turned back into passwords, and a salted, slow hash makes that testing expensive. Two details of the comparison step matter in practice: compare the hashes with a constant-time comparison so that response timing does not leak how much of the hash matched, and take the same time to reject an unknown username as a wrong password so that timing does not reveal which accounts exist.
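The whole scheme above (a per-user salt, a server-side pepper, a slow one-way hash, storage of only the hash in SQL and a constant-time comparison at login) in Python, as an added example rather than code from the article; the table, the usernames, the passwords and the pepper value are constructed for the demonstration. It uses PBKDF2 with SHA-256 from Python's standard library, which iterates the page's SHA-256 600,000 times per password (a work factor in line with current OWASP guidance) so that every guess is expensive. The pepper is applied as an HMAC key, kept outside the database, and the stored record carries the algorithm name, iteration count and salt so the parameters can be raised later without breaking existing users.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Work factor for PBKDF2-HMAC-SHA256. Tunable: raise it as hardware gets faster.
ITERATIONS = 600_000

# The pepper is a server-side secret kept OUT of the database (config file,
# environment variable or key store). Constructed value for this example only.
EXAMPLE_PEPPER = bytes.fromhex("6f1c0b3a9e4d8f72a5c1e0b9d3f4a2c7")


def build_db():
    """In-memory table that holds a hash record per user and never a plaintext password."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    conn.commit()
    return conn


def hash_password(password, pepper, salt=None):
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt for every password
    # Apply the pepper first, as an HMAC key, so it is never concatenated into user data.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, pepper, stored):
    """Recompute the hash from the stored salt and parameters and compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = bytes.fromhex(salt_hex)
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, int(iters))
    # compare_digest does not stop at the first differing byte, so timing leaks nothing.
    return hmac.compare_digest(digest.hex(), hash_hex)


def create_user(conn, username, password, pepper=EXAMPLE_PEPPER):
    """Store only the salted, peppered hash; the plaintext never touches the database."""
    conn.execute(
        "INSERT INTO users VALUES (?, ?)", (username, hash_password(password, pepper))
    )
    conn.commit()


def authenticate(conn, username, password, pepper=EXAMPLE_PEPPER):
    """Look the user up with a parameterised query and verify the supplied password."""
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Burn one hash computation anyway, so an unknown username is not
        # measurably faster to reject than a wrong password.
        hash_password(password, pepper)
        return False
    return verify_password(password, pepper, row[0])


if __name__ == "__main__":
    conn = build_db()
    create_user(conn, "alice", "hunter2")
    create_user(conn, "bob", "hunter2")  # same password, different salt
    for name, rec in conn.execute("SELECT username, password_hash FROM users"):
        print(name, rec)  # two different records for the same password
    print(authenticate(conn, "alice", "hunter2"))   # True
    print(authenticate(conn, "alice", "hunter3"))   # False
    print(authenticate(conn, "carol", "hunter2"))   # False, after the same delay
```

Running it shows that alice and bob, who chose the same password, get two completely different records, which is the salt doing its job. A copy of the table without the pepper cannot verify any guess at all, and with the pepper each guess still costs 600,000 SHA-256 iterations, which is the slow one-way hash doing its job.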
About Ravi Bahethi
Ravi Bahethi is a systems engineer and programmer with a strong interest in all things technological, working in Fortran 77, Fortran 90, C/C++ and SQL on a variety of platforms, including OpenVMS, Tru64 Unix, IRIX, Linux and Windows. He works hard to provide his clients with customizable and cost-effective solutions and protections against cyber attacks and other threats. When he is not busy managing Maryland-based Terranet Inc., Ravi enjoys taking long walks and playing tennis.