Password Storage: Background

Step 0:

• Discussion:
  • We would like to investigate how passwords are stored.
  • Your password, just by its self is in plain text or clear text
    • Why would it be bad to have this stored on a system?
    • Even in a file locked down to root?
  • An encrypted message is a message that has been run through an algorithm to hide it, but should be reversible.
    • For example Caesar's Cipher
      • To encrypt, shift all letters by three (a->d, b->e,... w->z, x->a, y->b z->c)
      • To decode, shift all letters by -3
      • Encrypt "Hello World"
      • Decode "Dwwdfn dw Gdzq!"
      • If you want, cryptii's ceasar-cipherpage.
    • I maintain that in this case, plain text and an encrypted password as equivalent.
      • The decryption algorithm must be well known and publicly usable.
    • And another problem, they are subject to brute force attack.
  • A cryptographic hash function is a one-way function that maps plain text to a fixed size string of bytes.
    • Hash functions can not be reversed
    • We check for validity against a stored hash by
      • Encrypt the supplied password
      • See if it matches the stored hash
• Hash functions can be extended by adding a salt.
  • This permutes the hash table to make brute force attacks more difficult.