# Read this before you save your next password. (Authentication)

###### tags: `learning` `tutorials`

Covered here:

- slow hashing
- hashing
- hashing + salting
- encryption
- plain text

## Tier F: plaintext

Storing passwords like normal data, in a normal column. This is called storing passwords in plaintext.

## Hashing

Do not store the actual password; store the hashed password. When we query for login we compare the hash, not the password.

Two problems with plain hashing:

- Users who have the same password get the same hash.
- With enough hints a hashed password can be guessed.

Hashing protects and keeps data such as strings (passwords) or files secure. Hashing is also used in data encryption. Passwords can be stored in the form of their hashes so that even if a database is breached, plaintext passwords are not accessible. MD5, SHA-1 and SHA-2 are popular cryptographic hashes.

Hashing is the process of converting a given key into another value. A hash function is used to generate the new value according to a mathematical algorithm. The result of a hash function is known as a hash value or simply a hash.

In cryptography, a hash function is a mathematical algorithm that maps data of any size to a bit string of a fixed size. We can refer to the function input as the message or simply the input. The fixed-size output is known as the hash or the message digest.

As stated by OWASP, hash functions used in cryptography have the following key property: a good hash function uses a one-way hashing algorithm, in other words the hash cannot be converted back into the original key.

In hashing, data is converted to a message digest or hash, which is a number generated from a string of text. These digests are important because one can easily match the hash of sent and received messages to ensure that both are the same and no tampering has been done to the data.

Hashing acts as a digital signature. It was originally designed to check whether data was modified.
Checking that data was not modified:

1. Write the document text.
2. Send both the document and the hash result over the internet.
3. The receiver gets the document text, runs the received text through the same hash function and compares the hashes: hash(hello) and hash(hllo) are different.

Hashing is a one-way process.

### Hashing: birthday problem

Hashing is a technique to generate a unique fixed-length string (a hash) that depends strictly on the specific input data. Because the hash is strictly dependent on the input data, any change in the input, no matter how small or big, leads to a change in the generated hash.

5 hashing assumptions:

1. The resulting hash has a fixed length.
2. The same input always produces the same output.
3. Multiple different inputs should not produce the same output.
4. It must not be possible to obtain the input data from the output data.
5. Any change to the input data implies a different resulting hash.

Ideal hash functions have three ...

Hashing algorithms: Blowfish, MD5, SHA-1, SHA-256 etc. It is also advisable to use salts with the hash to make it more secure.

- Purpose: verification of data
- Used for: sending files, passwords, searching, encryption
- Data retrieval mechanism: cannot be reversed back to its original form
- Algorithm example: MD5 creates a 128-bit message digest from the data
- Example: hashing produces a fixed-length signature. If you hash a single word you get (say) 50 characters back; if you hash a book you also get 50 characters. Hashing is more like a signature.

The hashing process is one way: data, once hashed, cannot be retrieved. You never want to store a clear-text password in your database. To verify a hashed password we hash the user's login password and compare. Since a hash algorithm returns the same hash every time for the same word, if the hashes don't match then the password is incorrect.

Hashing is a one-way function. It is like putting a cow into a machine and getting a hamburger: you can't get your cow back.

### Salting

A salt is a unique random number added to each password before hashing.

- Using salting makes it harder to guess passwords.
- But hashes are still fast computations.
- The word "salting" comes from ancient times, when an attacker would dump a lot of salt on enemy land to make it infertile. Now we do the same thing to our passwords, making them useless to hackers and rainbow tables.
- Salting also prevents two users from having the same hash.

Hashing has several key uses in computer science. The one that perhaps receives the most attention today, in a world where cybersecurity is key, is the use of hashing in encryption. Because hashed strings and inputs are not in their original form, they can't be stolen the way they could be if they were not hashed. If a hacker reaches into a database and finds an original string like "John's wallet ID 34567," they can simply take that information and use it to their advantage; but if they instead find a hash value like "a67b2," that information is completely useless to them unless they have a key to decipher it. SHA-1, SHA-2 and MD5 are popular cryptographic hashes.

A good hash function for security purposes must be a unidirectional process that uses a one-way hashing algorithm. Otherwise, hackers could easily reverse-engineer the hash to convert it back to the original data, defeating the purpose of the encryption in the first place.

To further increase the uniqueness of the outputs, random data can be added to the input of a hash function. This technique is known as "salting" and guarantees unique output even in the case of identical inputs. For example, hackers can guess users' passwords in a database using a rainbow table or recover them using a dictionary attack. Some users may share the same password which, if guessed by the hacker, is stolen for all of them. Adding the salt prevents the hacker from accessing these non-unique passwords, as each hash value will now be unique, and stops any rainbow table attack.
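The properties listed above (fixed length, deterministic, small change flips the hash) and the salting and verification flow can be checked in a few lines. The following is an added example, not code from the original notes; it uses Python's standard `hashlib` and `hmac` modules, the sample passwords are constructed for the demonstration, and PBKDF2-HMAC-SHA256 stands in for the "slow hashing" the notes list without describing.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample passwords for the demonstration (not real credentials).
PASSWORD = "correct horse battery staple"
NEAR_MISS = "correct horse battery stapl"   # one character dropped

# PBKDF2 work factor: deliberately high so that each guess costs the attacker time.
ITERATIONS = 200_000
SALT_BYTES = 16


def fast_hash(password: str) -> str:
    """Plain, unsalted SHA-256: fixed length and deterministic, so two users with
    the same password get the same hash and precomputed (rainbow) tables apply."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Slow, salted hash with PBKDF2-HMAC-SHA256. Returns (salt, digest). The salt is
    stored next to the digest; it is not secret, it only has to be unique per user."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Re-hash the login attempt with the stored salt and compare in constant time,
    so the comparison itself leaks nothing about how many bytes matched."""
    _, digest = make_salted_hash(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)


def hash_properties() -> Dict[str, bool]:
    """Check the note's hashing assumptions against SHA-256."""
    h1 = fast_hash(PASSWORD)
    h2 = fast_hash(PASSWORD)
    h_near = fast_hash(NEAR_MISS)
    h_book = fast_hash(PASSWORD * 10_000)        # a "book"-sized input
    return {
        "fixed_length": len(h1) == len(h_book) == 64,   # 256 bits = 64 hex characters
        "deterministic": h1 == h2,
        "avalanche": h1 != h_near,                       # one dropped character, different hash
    }


def salting_properties() -> Dict[str, bool]:
    """Two users with the same password: identical unsalted hashes, distinct salted ones."""
    salt_a, digest_a = make_salted_hash(PASSWORD)
    salt_b, digest_b = make_salted_hash(PASSWORD)
    return {
        "unsalted_collide": fast_hash(PASSWORD) == fast_hash(PASSWORD),
        "salted_differ": digest_a != digest_b,
        "correct_login": verify_password(PASSWORD, salt_a, digest_a),
        "wrong_login": verify_password(NEAR_MISS, salt_a, digest_a),
    }


if __name__ == "__main__":
    print(hash_properties())
    print(salting_properties())
```

Only the salt and the digest are stored; at login the candidate password is hashed with that user's salt and compared with `hmac.compare_digest`, never by hashing a stored password.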
### Using hashing in database retrieval

If a very large number of items is hashed, it can result in a birthday problem: two different items produce the same hash result.

Encryption, unlike hashing, keeps 100% of the original text recoverable.

## Encryption

### Data encryption pros

- Separation: with encryption the data's protection is separate from the security of the device. The encryption is also secure and allows administrators to store and transmit data through unsecured means.
- No data infiltration: data encryption ensures that your data cannot be easily hacked or breached. It additionally provides protection of intellectual property and other types of data.
- Encryption is on the data: the data is encrypted directly and hence is protected regardless of how it is transmitted, although typical email can be an exception as it does not provide adequate security.
- Encryption equals confidentiality: encrypting your data ensures that the person who has the key to decode the data is the only person who can read it.

### Data encryption cons

- Encryption keys: managing them is elaborate work for IT professionals, and handling all the keys requires a lot of effort. Once the encryption key is lost, the data associated with it is also lost.
- Expense: data encryption is quite expensive because the systems that maintain it need to be constantly upgraded and must have sufficient storage capacity.
- Unrealistic requirements: organisations must understand the restraints imposed by data encryption technology, without which you could jeopardize the security the encryption provides.

Encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those who know the secret key. The result of the process is encrypted information (in cryptography, referred to as ciphertext).

Encryption is more like a safe: if you know the key and have the safe, you can get into it.

It is a technique that makes your data unreadable and hard to decode for unauthorized parties. The purpose of encryption differs from encoding: encryption aims at making data hard to decode, while encoding converts data into another format and makes it easy to decode and revert. The main goal of encryption is to promote data confidentiality. Like encoding, encryption is a reversible process, although only for authorised people holding the key. To get back to the plaintext (the reverse of encryption is decryption) an individual needs to know the key and the encryption algorithm used. Popular encryption algorithms are AES, Blowfish, RSA etc.

- Purpose: transform data in order to keep it secret from others
- Used for: maintaining data confidentiality, i.e. ensuring the data cannot be consumed by anyone other than the intended recipient(s)
- Data retrieval mechanism: the original data can be obtained if we know the key and the encryption algorithm used
- Algorithm examples: AES, Blowfish, RSA
- Example: sending someone a secret letter that only they should be able to read, or securely sending a password over the internet

## Encoding

A technique to transform data from one format to another so that it can be understood and consumed by different systems. It has to do with information representation, e.g. ASCII.

Encoding transforms data into another format using a scheme that is publicly available, so that it can easily be reversed. It does not require a key; the only thing needed to decode it is the algorithm that was used to encode it. It has no security purpose. Examples: Base64, sending files in email, URL encoding, encoding MPEG-1 to AVI, encoding WAV to MP3 etc.

Encoding:

- Purpose: transforms data so that it can be properly consumed by a different type of system
- Used for: maintaining data usability, i.e. ensuring it can be properly consumed
- Data retrieval mechanism: no key required; it can easily be reversed provided we know which algorithm was used for encoding
- Algorithms used: ASCII, Unicode, URL encoding, Base64
- Binary data ...

## Programming tip: never tell the user whether it was the username or the password they got wrong

If you tell them, all they have to do is guess the second half. Always display a generic message like "invalid username or password". This prevents attackers from enumerating valid usernames without knowing their password.

## JWT -- Uses Encoding
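The JWT heading above is a good place to see the three mechanisms from these notes side by side: a JWT's payload is only Base64url-encoded (no key, anyone can read it), its signature is a keyed hash that detects modification (the "was the data changed" use of hashing), and only encryption hides the content from whoever holds the token. The following is an added example, not code from the original notes; it uses only Python's standard library, the keys and payload are constructed for the demonstration, and the `encrypt`/`decrypt` pair is an illustrative stream cipher (HMAC-SHA256 used in counter mode as the keystream) rather than AES, which the standard library does not ship.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Dict, Optional

# Constructed demo values: not real keys, not a real token.
SIGNING_KEY = b"constructed-demo-signing-key"
ENCRYPTION_KEY = b"constructed-demo-encryption-key"
NONCE_BYTES = 12


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, the way JWTs use it. No key is involved."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Anyone can reverse the encoding; only the scheme has to be known."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def make_jwt(payload: dict, key: bytes) -> str:
    """Build header.payload.signature with HS256 (HMAC-SHA256 over the encoded parts)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(_compact_json(header)) + "." + b64url_encode(_compact_json(payload))
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def read_payload_without_key(token: str) -> dict:
    """Encoding is not encryption: the payload is readable by anyone holding the token."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, key: bytes) -> bool:
    """Keyed hash as a modification check: recompute the MAC and compare in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative keystream generator: HMAC-SHA256 of (nonce || counter), a teaching
    construction standing in for AES-CTR. Use a vetted library cipher in real systems."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(plaintext: bytes, key: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Stream-cipher encryption: XOR with the keystream; the nonce is prepended, it is not secret.
    Note this gives confidentiality only; tamper detection is the MAC's job, as in verify_jwt."""
    nonce = nonce or os.urandom(NONCE_BYTES)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Reversible only with the key (and the algorithm), unlike encoding."""
    nonce, body = ciphertext[:NONCE_BYTES], ciphertext[NONCE_BYTES:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def demo() -> Dict[str, bool]:
    payload = {"sub": "alice", "role": "user"}
    token = make_jwt(payload, SIGNING_KEY)
    # Re-encode a modified payload without the key: the encoding step is trivial to redo,
    # but the MAC no longer matches.
    parts = token.split(".")
    parts[1] = b64url_encode(_compact_json({"sub": "alice", "role": "admin"}))
    tampered = ".".join(parts)
    ciphertext = encrypt(_compact_json(payload), ENCRYPTION_KEY)
    return {
        "payload_readable_without_key": read_payload_without_key(token) == payload,
        "signature_valid": verify_jwt(token, SIGNING_KEY),
        "tamper_detected": not verify_jwt(tampered, SIGNING_KEY),
        "wrong_key_rejected": not verify_jwt(token, b"some-other-key"),
        "decrypts_with_key": decrypt(ciphertext, ENCRYPTION_KEY) == _compact_json(payload),
        "unreadable_without_key": decrypt(ciphertext, b"some-other-key") != _compact_json(payload),
    }


if __name__ == "__main__":
    print(demo())
```

The split is the point of the notes: `read_payload_without_key` needs nothing but the Base64url scheme, `verify_jwt` needs the key but can only say whether the data changed, and only `encrypt`/`decrypt` keep the content from a reader who has the token. A wrong decryption key does not raise an error here; it just produces bytes that are not the message, which is why real systems pair encryption with an integrity check.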