Secure Credential Management
Securely storing credentials
Passwords are the most popular method for implementing an authentication system despite their security issues. As a result, a cat-and-mouse game between hackers and defenders has forced several evolutions in how passwords are stored.
Hash functions prevent password theft
The simplest method for implementing a password-based authentication system is to store a list of username/password pairs. When a user attempts to log in, a simple string comparison can determine whether or not the provided password is correct.
The problem with this approach is that, eventually, this file will be stolen or misused. Anyone with access to the password file has complete control over every user account on the system.
For this reason, computers store password hashes rather than the passwords themselves. Since hash functions are deterministic and collision-resistant, comparing a stored password hash and the hash of a provided password is almost as good as comparing the passwords themselves. Additionally, since hash functions are a one-way function, a leak of password hashes does not allow an attacker to reverse-engineer them to learn the original passwords.
Salting protects against rainbow tables
The determinism of hash functions — while essential for their use in password-based authentication systems — also creates issues. Two identical passwords hashed using the same algorithm will produce the same hash output.
This is problematic for a few different reasons. The first is that commonly-used passwords are easily identifiable. Simply looking for the most common hash output in the list and comparing it to the top ten list of common passwords is likely to find a match. Then, all accounts with that password are easily identified and accessible to the attacker.
The second is that hash function determinism makes rainbow tables possible. A rainbow table is a precomputed lookup table of hash outputs and the corresponding input. With a rainbow table for a particular hash algorithm, an attacker can easily identify the passwords associated with various stored hash values.
The practice of salting passwords is designed to deter the use of rainbow tables. A salt is just a publicly-known, unique and random value appended to the password before hashing. Unless an attacker has a rainbow table for that particular salt, then the only way to guess the password is through a brute-force search. Also, since each user on a system should have a unique salt, cracking the password of one user does not break multiple accounts’ security since the attacker can’t simply identify all of the accounts that have the same password hash value.
Key derivation functions deter brute-force attacks
A strong hash function and a unique salt makes it necessary for an attacker to crack passwords via a password guessing attack. Ideally, this should be computationally infeasible since everyone uses unique, long and random passwords.
In practice, a dictionary attack or a brute-force attack on short passwords is likely to have a high probability of success. Modern computers have evolved to the point where they can test a massive number of potential passwords per second.
Key Derivation Functions (KDFs) are designed to make this type of attack less effective by slowing it down. Instead of performing a single hash calculation to transform a password to the value stored by a computer, the hash function is applied repeatedly for a set number of times. For a legitimate user, this has a minimal performance impact, but increasing the time required to test a particular password by a factor of ten has a significant impact on the speed at which a brute-force password guessing attack can be performed.
Only MFA stops weak/reused passwords
For the 65% of people that reuse the same password over multiple or all of their online accounts, no secure credential management strategy is going to solve the problem. If the attacker only has to guess one or two passwords before they find the right one, a KDF will have minimal impact.
This is why multi-factor authentication is essential for any password-based authentication system. If the password provides minimal security for a significant percentage of the population (since 10% of people use one of the 25 most common passwords), a second factor is necessary to protect account security.
Proper credential management
When implementing an authentication system based on passwords, it is important to ensure that credentials are stored securely. In 2019, 1,473 data breaches were reported, and a number of these included hashes of stored passwords. The use of broken hash algorithms or improper use of salting could enable these passwords to be easily cracked by cybercriminals.