Hey all, a bit of news before I get on with what I've learned so far. I recently looked into joining some groups in the security industry. The one that caught my eye most was the OWASP Foundation, so I looked into the Newcastle chapter (where I live, North East England), messaged the mailing list and was informed that the chapter had been inactive for over a year. So I applied for chapter leadership rights to get it up and running again, so I could help educate both myself and others about application security.
I was recently accepted and have been joined by Mike Goodwin, who has a lot more experience and a much greater network than my own. He also applied for OWASP Newcastle chapter leadership (he applied as I was accepted), so I knew he was passionate about the cause.
So if anybody in the area is interested, send me an email, and if you aren't in the area, visit here to get in touch with your local chapter leader. No chapter in your area? Start your own!
Onto the learning.
I recently visited the NEBytes Security Bytes talk, and it was a great talk by Ben Lee (@bibbleq) about various types of encryption.
I'm going to write about something I learned from Ben's talk.
When you register on a website you enter your username and your password, and the website needs to store both of these values in one way or another. It would be a bad idea if your username (let's use connor) and password (r0nn0c) were stored in the database literally as connor and r0nn0c, because if the database were ever leaked the attacker would have your credentials straight away. The way around this is to hash the password: run it through a one-way function such as SHA-1 or SHA-256 that turns it into a fixed-length string (the digest), and store that digest instead. Hashing is not encryption. There is no key and no way to run the function backwards to recover the password; when you log in, the site hashes what you typed and compares the result with the stored digest.
An example would be this image (not reproduced here), which shows how changing a single character of the input completely changes the hash. This is the avalanche property, and the image uses the SHA-1 hash function.
Hashing is not just used for passwords. A hash function accepts input of any length, from a six-character password to a multi-gigabyte file, and always produces a digest of the same fixed length.
Hashing seems like a good idea to keep your passwords safe, but password hashes are routinely recovered. The attacker does not reverse the hash; instead they guess candidate passwords, hash each one and compare the result against the leaked digests. I won't go into the methods in detail in this article, other than to say that most of them are variations on brute force: dictionary attacks, rule-based mangling of common words, and exhaustive search of short passwords, all trying a huge number of candidates per second. This is made especially easy because a fast hash like MD5 or SHA-1 can be computed on a modern GPU at hundreds of millions to billions of guesses per second, and because a table of hashes can be computed once and then looked up for every user in the leak. There are many other ways to attack hashed credentials, so don't take away from this that brute force is the only or the best way. Its limits are the password's length and randomness and the cost of the hash: against a long random password, or a deliberately slow hash, exhaustive guessing becomes impractical.
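To make the attack above concrete, here is an added example (my own code, not something from Ben's talk or from the original post). It builds a small leaked user table of unsalted SHA-1 digests, shows the single-character avalanche effect from the image, runs a dictionary attack by precomputing a lookup table once and reusing it for every user, and finally brute-forces one short password while counting the guesses. The usernames other than connor, their passwords and the word list are constructed for the example.

```python
import hashlib
import itertools
import string


def sha1_hex(data: bytes) -> str:
    """Unsalted SHA-1, the way the post describes a plain hashed password store."""
    return hashlib.sha1(data).hexdigest()


# Constructed "leaked" table: username -> unsalted SHA-1 of the password.
# alice and bob deliberately share a password: with no salt they get the same digest.
LEAKED_USERS = {
    "connor": sha1_hex(b"r0nn0c"),
    "alice": sha1_hex(b"letmein"),
    "bob": sha1_hex(b"letmein"),
}

# Constructed word list; real attacks use lists of millions of leaked passwords.
WORDLIST = ["password", "123456", "letmein", "qwerty", "r0nn0c"]


def avalanche(p1: bytes, p2: bytes) -> int:
    """Number of hex digits that differ between the two digests.

    A one-character change should flip roughly 15/16 of the 40 hex digits.
    """
    h1, h2 = sha1_hex(p1), sha1_hex(p2)
    return sum(a != b for a, b in zip(h1, h2))


def dictionary_attack(leaked: dict, wordlist) -> dict:
    """Hash every candidate once, then look each leaked digest up in that table.

    This is the key property of unsalted hashes: the hashing work is paid once
    and reused against every user in the leak (and every future leak).
    """
    table = {sha1_hex(word.encode()): word for word in wordlist}
    return {user: table[digest] for user, digest in leaked.items() if digest in table}


def brute_force(target_hex: str, alphabet: str = string.ascii_lowercase + string.digits,
                max_len: int = 4):
    """Exhaustive search over short passwords, returning (password, attempts).

    The attempt counter shows why length matters: each extra character multiplies
    the search space by the alphabet size (36 here).
    """
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(combo).encode()
            if sha1_hex(candidate) == target_hex:
                return candidate.decode(), attempts
    return None, attempts


if __name__ == "__main__":
    print("hex digits changed by one character:", avalanche(b"r0nn0c", b"r0nn0d"))
    print("dictionary attack recovered:", dictionary_attack(LEAKED_USERS, WORDLIST))
    print("brute force of 'ab1':", brute_force(sha1_hex(b"ab1")))
```

Note that alice and bob are cracked by the same table entry: without a salt, every user who chose letmein has an identical digest, so one lookup exposes all of them.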
On top of the hash function there is also the salt. A salt is a random value generated separately for each user and combined with the password (prepended, appended, or mixed in by the hashing scheme) before hashing; the salt itself is stored next to the digest, since it is not a secret. Salting does not make the hash any harder to compute, and there is still no decryption involved. What it does is remove the shortcut from the previous paragraph: a precomputed table is useless because the attacker cannot know the salt in advance, two users with the same password get different digests, and every user's hash has to be attacked individually from scratch. To also slow down each individual guess, the hash should be a deliberately slow password hashing function (bcrypt, scrypt, PBKDF2 or Argon2) rather than a fast general-purpose one like SHA-1.
That's all I'm going to write about for the day, so thanks for reading. If there's anything you'd like to add or any feedback you'd like to give, feel free to comment below and educate the masses.
As always, teach yourself something new today, then teach that to someone else!
I will make a quick edit from time to time to clarify some things I feel I wasn’t clear enough about.
As much as I have said that your password will be stored as a hash, maybe even a salted hash (one of the best-case scenarios), this is not necessarily true of every site. A quick check: if you click "forgot password" and the site sends your existing password back to you in plain text, then it cannot have been hashed. It is being stored in a recoverable form, either as plain text or reversibly encrypted with a key the site holds, and a database leak (or a compromised key) exposes it directly. A site that hashes passwords can only ever send you a reset link, never the password itself.