Hashing Algorithms for storing Passwords

Almost every week, an ever-growing list of data breaches occur around the world. In a lot of cases, attackers ultimately gain access to sensitive information such as a hashed password database. This type of information can be useful for the bad guys when targeting specific organisations and/or people.

With the unfortunate trend of password-reuse, if an attacker can obtain credentials from a third-party website that includes company-registered email addresses, it’s likely these credentials will provide an easy foothold into the targeted organisation. When valid credentials are used, this can aid attackers in hiding in plain sight and slipping through existing security controls which makes it difficult to detect and respond.

In addition, selling of such information on the dark web can provide substantial monetary value to the bad guys. An alarming observation of recent attacks is how credentials are stored. Many of the recent breaches (small and large) are using old, outdated and insecure methods for today’s standards such as MD5, unsalted SHA variations and even plain-text passwords. These methods can be trivial for an attacker to retrieve the plain-text passwords through brute-force password cracking.

hashing algorithms for storing passwords

The ISM and NIST provide guidance and recommendations for storing passwords. As a summary:

ISM: As per control 1252, agencies must store credentials in a hashed format using a strong hashing algorithm that is uniquely salted. For example, a hashing algorithm from at least the SHA2 family.
NIST: Passwords must be hashed (SHA1-3) and salted with at least 32-bits of data.

It’s recommended to ensure best-practices and hardening guides are followed to protect such sensitive information. In addition, layering security controls such as implementing MFA provides an extra level of protection. The goal here is to ensure that if a breach occurs, brute-force type attacks would prove impractical.

Author: David Roccasalva.

Call T(AU): 1800 996 001, T(NZ): +64 9 222 4725, T(SG): +65 6631 8375, T(MY): +603 2788 3709 to book with Privasec Red Consultant, David Roccasalva.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Hashing Algorithms for storing Passwords

Our Services

.

Quick Links

Get In Touch

Find Us

Our Services

.

Quick Links

Get In Touch

Find Us

This Website Uses Cookies