Hashes & Hashing

Pigoo

Enthusiast
Joined
Aug 20, 2018
Messages
240
Can someone please explain what "hashes" or "hashing" is in terms of website security/passwords? I did some quick internet searches on the topic...and couldn't get a clear answer.

Can someone(s)...give a "Hashes for Dummies" explanation?...assume I know nothing (which wouldn't be far from the truth)!;)

And can someone comment on the website "hashes.org" please. It wasn't really clear to me what the main purpose of this website was (good, evil, or otherwise). If "hashes or hashing" is a bad thing...this site's forum section seems to contain a bunch of discussions on how to do it.:(

Thank you.:)
 

pierce

Habitué
Joined
Apr 10, 2016
Messages
1,165
Hashing is the term for the security output of an encrypted piece of text that is not decryptable.

For example, an md5 hash would look like:

md5(mypassword) = 34819D7BEEABB9260A5C854BC85B3E44

https://passwordsgenerator.net/md5-hash-generator/

You don't use md5 because it's now insecure; things have moved onwards and upwards, since SHA is the next evolution.

sha512(mypassword) = A336F671080FBF4F2A230F313560DDF0D0C12DFCF1741E49E8722A234673037DC493CAA8D291D8025F71089D63CEA809CC8AE53E5B17054806837DBE4099C4CA

You can see the size of the hash has increased even though the text size (mypassword) has not. Now, the output length of the hash does not change. Even if you enter a book of text it will be the same length.

The hash size is important because it means that collisions are less likely (a method in which somebody enters large volumes of random text to generate the same hash), which would allow them to log in despite not having your password.

Also, the same goes for the rainbow table method to decrypt. The longer the hash, the more space/storage/memory/processing power etc. you need.

a = hash1
b = hash2
c = hash3

etc., basically creating an index of hashes so if they have the hash they can reverse the password. This can be obfuscated by introducing what is known as a "SALT". For example, you might elect to have website-common-security-key as your "SALT", which means it would look like this:

md5(mypassword+website-common-security-key) = E16275B3EEAAB99E35A3A1650CF9C4C8

Obviously it would be better to use a very long hash that's very random, like this: https://passwordsgenerator.net/

==========

Having said all of that, if you're using a programming language you should check what the best method of doing passwords is. For example, you should use PHP's password_hash (http://php.net/manual/en/function.password-hash.php), but consult the language that is being used.

You will see, even in the PHP documentation, that in PHP 7 it is preferred that you do not specify a SALT; this is because the wrong salt could actually make it easier to brute force a password, but without going into full-blown math and cryptography I cannot fully explain why that is or even start to understand it.

=========

Hashes are also used to verify files. You will find in Linux that sha512sum and md5sum can be used. This is useful to prevent man-in-the-middle attacks or to ensure that the file has not become corrupt during transport.

=========

I hope that helps explain what a HASH is.
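An added example (my own, not code from pierce's post or from any project named in this thread) that makes the properties described above concrete using only Python's standard library: the digest length is fixed per algorithm whatever the input size, two users who chose the same password get the same unsalted hash, a per-user salt breaks that, and the same digest function checks a downloaded file the way sha512sum does. The accounts, salts and the "book" string are constructed for the demonstration; "mypassword" is the post's own value. Salting a fast hash such as SHA-512 is still not enough on its own for password storage, which is why the post points at purpose-built functions like PHP's password_hash, which add a deliberate work factor.

```python
import hashlib
import hmac

# Constructed inputs for the demonstration: "mypassword" is the post's own example,
# the long string stands in for the "book of text".
SHORT_INPUT = b"mypassword"
LONG_INPUT = b"All work and no play makes Jack a dull boy. " * 2000


def digest_hex(algorithm: str, data: bytes) -> str:
    """Hex digest of `data` under any algorithm hashlib knows (md5, sha512, ...)."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_lengths(algorithm: str, inputs: list) -> set:
    """Distinct digest lengths over all inputs. A single value shows that the output
    length is fixed by the algorithm, not by the size of the input."""
    return {len(digest_hex(algorithm, x)) for x in inputs}


def unsalted_store(passwords: dict, algorithm: str = "sha512") -> dict:
    """user -> hash with no salt: two users who chose the same password end up with
    the same stored hash, so one precomputed table answers for both of them."""
    return {user: digest_hex(algorithm, pw.encode("utf-8"))
            for user, pw in passwords.items()}


def salted_store(passwords: dict, salts: dict, algorithm: str = "sha512") -> dict:
    """user -> hash of password+salt, the shape the post sketches
    (md5(mypassword+website-common-security-key)), but with a different random salt
    per user so that identical passwords no longer produce identical hashes."""
    return {user: digest_hex(algorithm, (pw + salts[user]).encode("utf-8"))
            for user, pw in passwords.items()}


def verify_checksum(data: bytes, expected_hex: str, algorithm: str = "sha512") -> bool:
    """The sha512sum-style integrity check: recompute the digest of the received bytes
    and compare it with the published value (constant-time, case-insensitive)."""
    return hmac.compare_digest(digest_hex(algorithm, data), expected_hex.lower())


if __name__ == "__main__":
    print("md5(mypassword)    =", digest_hex("md5", SHORT_INPUT))
    print("sha512(mypassword) =", digest_hex("sha512", SHORT_INPUT))
    print("md5 digest lengths   :", digest_lengths("md5", [SHORT_INPUT, LONG_INPUT]))
    print("sha512 digest lengths:", digest_lengths("sha512", [SHORT_INPUT, LONG_INPUT]))

    users = {"alice": "bunny1", "bob": "bunny1"}              # constructed accounts
    salts = {"alice": "Qx7vL2pR9sKd", "bob": "m4TzW8nYb1Hc"}  # constructed per-user salts
    plain = unsalted_store(users)
    salted = salted_store(users, salts)
    print("same hash without salt:", plain["alice"] == plain["bob"])
    print("same hash with salt   :", salted["alice"] == salted["bob"])

    download = b"constructed file contents"                    # stands in for a downloaded file
    published = digest_hex("sha512", download)                 # what the vendor would publish
    print("intact file verifies  :", verify_checksum(download, published))
    print("corrupt file verifies :", verify_checksum(download + b"!", published))
```

Run as a script it prints the md5 and sha512 of "mypassword" (matching the values quoted in the post), the single digest length each algorithm produces for both the short and the long input, and the two salt comparisons.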
 

Pigoo

Enthusiast
Joined
Aug 20, 2018
Messages
240
First...thanks so much for taking the time to post such a detailed post!:)

I'm gonna guess you may have "dumbed" things down a bit...but even with some "dumbing down"...it was still a little over my head.;)

Hashing is the term for the security output of an encrypted piece of text that is not decryptable.

For example, an md5 hash would look like:

md5(mypassword) = 34819D7BEEABB9260A5C854BC85B3E44

You don't use md5 because it's now insecure; things have moved onwards and upwards, since SHA is the next evolution.

sha512(mypassword) = A336F671080FBF4F2A230F313560DDF0D0C12DFCF1741E49E8722A234673037DC493CAA8D291D8025F71089D63CEA809CC8AE53E5B17054806837DBE4099C4CA

You can see the size of the hash has increased even though the text size (mypassword) has not. Now, the output length of the hash does not change. Even if you enter a book of text it will be the same length.

Let me see if I understand what was written. The "hash" is a string of numbers & letters that acts like a hurdle to someone trying to hack a website and steal password information.

- The older "md5" standard looks like it has 32 digits to it.
- The newer "sha512" standard looks like it has 128 digits to it.

Does each password on a website have a unique "md5" or "sha512" hash associated with it?...and is a hash always the same (forever & ever)...or does the hash change each time a member logs in?

And I'm guessing that if a hacker is trying to steal passwords...they need to be using a hacking algorithm that gets the hash 100% correct before the password is stolen (is this correct)?

Thanks again.:)
 

pierce

Habitué
Joined
Apr 10, 2016
Messages
1,165
If your password is bunny1 and mine is bunny1 then the hash will be the same unless it's salted.

Using md5 or sha type encryption, the hash will always be the same as long as the password is not updated. The example of PHP's password function is different every time. I'm not intimate with how that works exactly.

An attacker needs to guess the exact password to log in. Or they need a vulnerability. For example, if you can extract a login session from unencrypted data. Or if you reuse the password everywhere. There's a lot of creative ways. I once saw someone upload PHP code that effectively gave them root shell access, in which case they just downloaded the database.

So the process of using a hash is:

Store the user's password as a hash only.

When the user logs in, hash the password and compare it to the value stored in the database. If it matches, move forward; if not, enter the password again.

Hope that helps.
 

Pigoo

Enthusiast
Joined
Aug 20, 2018
Messages
240
If your password is bunny1 and mine is bunny1 then the hash will be the same unless it's salted.

Well...I do like salt on my bunny!;)

Using md5 or sha type encryption, the hash will always be the same as long as the password is not updated. The example of PHP's password function is different every time. I'm not intimate with how that works exactly.

An attacker needs to guess the exact password to log in. Or they need a vulnerability. For example, if you can extract a login session from unencrypted data. Or if you reuse the password everywhere. There's a lot of creative ways. I once saw someone upload PHP code that effectively gave them root shell access, in which case they just downloaded the database.

So the process of using a hash is:

Store the user's password as a hash only.

When the user logs in, hash the password and compare it to the value stored in the database. If it matches, move forward; if not, enter the password again.

Hope that helps.

I think it helps some.:)

Here's what all this boils down to. My site runs on vBulletin 4.2.5. What can I do to make sure that I'm doing all I can to prevent any sort of password or account security breaches?

Thanks
 

pierce

Habitué
Joined
Apr 10, 2016
Messages
1,165
My vb3 site was breached based on the arcade addon.

They managed to download the entire user database. An action that swiftly killed the growth of the site.

Keep vb4 up to date (OK, I know some of you just can't stop laughing right about now).

Then secure the site by having it proxied through a web application firewall (WAF); Sucuri, Cloudflare and multiple other companies offer this service.

Then block everything on the server except mail ports and HTTP/HTTPS to the WAF firewall.

That doesn't mean there isn't a security vulnerability somewhere in a WAF firewall; it's just another hurdle and will take care of the obvious stuff like SQL injection or people trying to post really random text that might be code.
 

Pigoo

Enthusiast
Joined
Aug 20, 2018
Messages
240
My vb3 site was breached based on the arcade addon.

They managed to download the entire user database. An action that swiftly killed the growth of the site.

Holy crap...that's absolutely awful. That sounds like pretty much the worst thing that could happen.

Keep vb4 up to date (OK, I know some of you just can't stop laughing right about now).

Then secure the site by having it proxied through a web application firewall (WAF); Sucuri, Cloudflare and multiple other companies offer this service.

Then block everything on the server except mail ports and HTTP/HTTPS to the WAF firewall.

That doesn't mean there isn't a security vulnerability somewhere in a WAF firewall; it's just another hurdle and will take care of the obvious stuff like SQL injection or people trying to post really random text that might be code.

I'm going to look into this...hopefully it's affordable.

Thanks very much for all the info!:)
 

Pigoo

Enthusiast
Joined
Aug 20, 2018
Messages
240
Kinda waking up this thread a bit. I've been looking into running my website through one of the services mentioned above (Sucuri & Cloudflare) to protect the site better from hacking. Anyone else have any company recommendations before I make a choice?

Thanks
 

Pigoo

Enthusiast
Joined
Aug 20, 2018
Messages
240
So far from what I'm seeing (between Sucuri & Cloudflare)...Sucuri's website seems much more straightforward & Sucuri has live chat for questions. The Cloudflare site seems overly complicated & has no live chat as far as I can tell.
 

MagicalAzareal

Magical Developer
Joined
Apr 25, 2019
Messages
758
Hashing is essentially mathematics that transforms a piece of text into something that is completely different from the input and has certain mathematical properties which make it extremely computationally intensive to go back the other way.

One thing it is used for is storing passwords: to check one, you simply need to transform it to the hashed form, compare it with the stored hash and let the user in. You don't have to store the password itself, which means that if the site is compromised, the intruder won't know what the user's password is.

Something to keep in mind is that users will often reuse the same password on a lot of different sites, so if they're compromised on one, then they may be in for a very rough time on others, which may even include bank accounts or social media accounts.
 