Key Concepts in Secure Credential Storage

Introduction

• Security Concern: Applications storing credentials in non-encrypted form (in the clear).
• Risk: Easy access to usernames and passwords if accessed by unauthorized users.
• Recommended Action: Stop using applications that store passwords in plain text; reach out to developers for secure storage methods.

Password Storage Best Practices

• Hashing: Convert passwords to a fixed-length string (hash).
  • Message Digest/Fingerprint: Another term for hash.
  • Characteristics:
    • Different input = different output.
    • Impossible to reverse engineer hash back to original password.
• Security Advantage: Prevents attackers from accessing original passwords.

Example: Hashing with SHA-256

• SHA-256: Hashing algorithm example.
• Differences in hash outputs for similar passwords (e.g., "123456" vs. "1234567").
• Hashes stored in databases prevent retrieval of plain text passwords.

Account Lockout Measures

• Security Mechanism: Account lock-outs after multiple failed login attempts.
• Attacker Strategy: Avoid causing lockouts; instead, use common passwords to test access.
  • Common Passwords: "123456", "123456789", "qwerty", "password", "1234567".

Types of Attacks

Spraying Attack

• Definition: Attempting to access accounts using common passwords without triggering security alarms.
• Process: Try a few common passwords, then move on to other accounts to avoid detection.

Brute Force Attack

• Definition: Systematically checking all possible passwords until the correct one is found.
• Online Challenges: Account lockouts and slow progress.
• Offline Attacks:
  • Download: Obtain a file with hashed passwords.
  • No Lockouts: Unlimited attempts possible.
  • Resources: Requires time and computational power to try every possible hash.

Conclusion

• Recommendation: Use strong hashing algorithms and robust passwords to enhance security.
• Security Awareness: Understanding these concepts is crucial for protecting sensitive information.