
Password Security Best Practices

Jun 16, 2025

Overview

This lecture covers best practices for password storage and verification, explains hashing and its importance, and describes brute-force and dictionary password attacks.

Password Storage Practices

  • Passwords should never be stored in plaintext (human-readable) format.
  • Storing passwords in plaintext risks exposing all user credentials if the file is accessed.
  • Always store passwords securely using techniques that prevent easy password discovery.

Hashing and Its Benefits

  • Hashing transforms data, like passwords, into a fixed-length string called a message digest or fingerprint.
  • Hashes are one-way: you cannot reverse a hash to get the original password.
  • Different passwords, even if only slightly changed, result in very different hashes.
  • Hashes conceal the password's length and complexity: every hash produced by a given algorithm has the same length (e.g., 256 bits for SHA-256).
  • Hashing is not encryption; it cannot be undone to recover the original data.

Password Hash Storage Example

  • Operating systems like Linux store hashed passwords in protected files (e.g., the shadow file).
  • Only authorized (privileged) users can read these files, which protects the stored credentials from other users on the system.

Brute Force Attacks

  • Brute force attacks try every possible password combination until a match is found.
  • The longer and more complex the password, the longer brute force attacks take.
  • Online brute force attacks are slow and often result in account lockouts after several failed attempts.
  • Offline brute force attacks, using stolen hash files, are much faster and do not require interacting with the login system.

Dictionary Attacks

  • Dictionary attacks use common words and phrases instead of random combinations to speed up password discovery.
  • Custom or specialized word lists can be used for different organizations or industries.
  • Modifications like changing letters to symbols are also tried in advanced dictionary attacks.
  • Dictionary attacks are less effective against complex, non-word passwords.

Key Terms & Definitions

  • Plaintext password — a password stored in human-readable form without protection.
  • Hashing — transforming data into a fixed-length digest using a one-way algorithm.
  • Message digest — the output of a hash function; another term for a hash.
  • Brute force attack — systematically trying all possible password combinations to find a match.
  • Dictionary attack — attempting likely passwords using a predefined list of common words.

Action Items / Next Steps

  • Avoid using applications that store passwords in plaintext.
  • Prefer applications that securely hash and store passwords.
  • Consider using multi-factor authentication for better security.