We all have numerous number of accounts and have respective passwords. These accounts may be social, financial, confidential or anything. Are these passwords really providing enough security to your data? Are these passwords really unbreakable? Let's have a look at different methods of storing a password into database.
Methods of storing passwords:
There are three methods of storing a password into database, that can be verified when a user logs in into the account - Plain text passwords, encrypted passwords and hashed passwords.
1. Plain text passwords:
This is the primitive method of saving a password. In this method, a password is saved in the server as a plain text password. If your password is 'password123', then the same 'password123' is saved into the server. When the user requests, this is fetched and compared for authentication. This method of storing passwords is of no use in the present days.
2. Encrypted passwords:
Encryption means hiding the data that can be accessed by authorised parties only. These authorised parties can access the data with the help of 'key'. In the other way, the encrypted data can be accessed by someone who has the 'key'.
Certain websites encrypt and store them into the server. The key for every password is stored into the server along with the password. Unless the website "announces" the key of your password, the password to your account is unbreakable. However, there is a limitation to this method. As the password and the key are saved in the same server, it becomes easy for a hacker to crack a server and retrieve both the key and the password.
In this method, the security of the account depends upon the depth of encryption and the algorithm used for encryption. When compared to plain text passwords, encrypted password are safer. There are different encryption algorithms available - Blowfish algorithm, AES algorithm, ARIA algorithm, RC2, RC4, RC5, RC6 algorithms and so on. Different algorithms produce different keys and different levels of password complexity.
3. Hashed passwords:
Hash codes are created by hashing functions. In hashing there are two types of data - data of arbitrary size and data of fixed size. The hash functions map the arbitrary size data to the fixed size data. This mapping is done by the hashing algorithms.
Passwords are arbitrary in lengths. Hence, these arbitrary passwords are mapped to fixed size data base on particular hashing algorithm. Once data is hashed, it is highly impossible ot reverse-hash and obtain the password. However, the original data and the hashed data seem completely unrelated. Because the hashing algorithms are very complex. For example, the string "Hello world!" comes with a hash of 86fb269d190d2c85f6e0468ceca42a20. Trivial hashing, perfect hashing, md5 hashing, minimal perfect hashing, rolling hashing and universal hashing are some of the commonly used hashing functions.
Wait! Is your data secured after such a complex algorithm? It's obviously a big NO! Because these these passwords can be cracked from random character combinations. The md5 algorithm uses a 32 character combination string for a given password. In order to break the password, one must try (2 power 32) in a permutation of 26 ways, which is highly impossible. There are advanced algorithms that use 64 character combination, which is still more complex to break.
Ideal data security is impossible. In the modern days, data security is provided only by making it far away from being breached.
But how are the complex passwords like r~t3hi@ are providing security?
These passwords are not providing ultimate security. But, they do not allow the hacker to crack them easily!
Methods of storing passwords:
There are three methods of storing a password into database, that can be verified when a user logs in into the account - Plain text passwords, encrypted passwords and hashed passwords.
1. Plain text passwords:
This is the primitive method of saving a password. In this method, a password is saved in the server as a plain text password. If your password is 'password123', then the same 'password123' is saved into the server. When the user requests, this is fetched and compared for authentication. This method of storing passwords is of no use in the present days.
2. Encrypted passwords:
Encryption means hiding the data that can be accessed by authorised parties only. These authorised parties can access the data with the help of 'key'. In the other way, the encrypted data can be accessed by someone who has the 'key'.
Certain websites encrypt and store them into the server. The key for every password is stored into the server along with the password. Unless the website "announces" the key of your password, the password to your account is unbreakable. However, there is a limitation to this method. As the password and the key are saved in the same server, it becomes easy for a hacker to crack a server and retrieve both the key and the password.
Encryption mechanism |
3. Hashed passwords:
Hash codes are created by hashing functions. In hashing there are two types of data - data of arbitrary size and data of fixed size. The hash functions map the arbitrary size data to the fixed size data. This mapping is done by the hashing algorithms.
Hash function |
Wait! Is your data secured after such a complex algorithm? It's obviously a big NO! Because these these passwords can be cracked from random character combinations. The md5 algorithm uses a 32 character combination string for a given password. In order to break the password, one must try (2 power 32) in a permutation of 26 ways, which is highly impossible. There are advanced algorithms that use 64 character combination, which is still more complex to break.
Ideal data security is impossible. In the modern days, data security is provided only by making it far away from being breached.
But how are the complex passwords like r~t3hi@ are providing security?
These passwords are not providing ultimate security. But, they do not allow the hacker to crack them easily!
0 comments:
Post a Comment