Sometimes it is not enough to be a systems administrator, because customers always want even more service. Hence you need programming skills combined with an interest in IT security, otherwise your software will blow up the customer's entire systems. And this will be way too expensive for you as a freelancer or whatever you are at that moment.
Passwords are an essential part of nearly every system used by humans. Just take a simple login where you have a webpage including an HTML form with some Java or PHP in the background. Your page is dynamic, so your content will also be stored in a database. How can you guarantee that you and your systems administrator will never ever know your password?
Hash them before you put them into the database. But how and why? First, I give you the answer to the second question. A hash is nothing more than a string of a fixed size. You hand over a password in the form of a string to a specific algorithm and it outputs a fixed-size string which is totally different from the input and is nearly unique.
Just have a look at this. It tells you a little bit about the complexity of SHA-2 in general and not only the 256-bit variant. I will not dive deep into hashing and what all the symbols mean. Have a look for some articles about SHA-2:
Input String: passw0rd!
Output String: 7dc93b7ac3f6b6accfefbeb2228c219d06f798d1703ee659ed21d750214854cb
Now let me change the input string a tiny bit:
Input String: password!
Output String: 711edc1104070bf2c779da13340601e59f139fd3588fddc3f6f4f8aa7db8c503
It is totally different, and this is how it has to be. No one will be able to find a way back from the string to your password in an easy way. Yes, there are rainbow tables. They save the attacker time because he doesn’t have to create hashes himself but only has to compare the hash against the existing ones, and this is how he finds the corresponding string. You see that there is no way around a secure password, because hashing alone does not give you any protection.
I am sorry for lying, but there is a way to make it better. I have to make a reference here to a very good book called “Practical Cryptography” by Bruce Schneier. Please give it a try if you are very interested in topics like hashing or cryptography. Bruce Schneier says that it is much safer to hash one string multiple times.
What does this mean? Take a string, hash it, save the result, hash it, save the result, hash it, and so on. The more often you do it, the more often an attacker has to do it, and he will have to do these steps for billions of strings because he doesn’t know which one is correct. Still not safe enough? Not even for those with passwords like “loliloveyousomuchatari”, where there is simply no number, symbol or capital letter. It is long but it is not random; it is simply a sentence, and I am sure that it is in some rainbow tables out there.
A Much Better Solution
Salt! No, I do not mean HCl. I mean an extra string for your password, kept hidden and constant. Let me explain it:
Output String: 5db03e1c7a970b218fb744d5d62abf0299f37f014c590234e28ad784785bc29f
Now you concatenate the salt with the password. This creates a weird long string, but it counts as a user's password which has been strengthened by you as the developer. Just make sure no one can hack into your system and steal this salt. I am sure you will find a clever way to hide it. If not, just wait for more postings from me.
If you now save the hash of this weird string, even hashed multiple times, like 10 times, it gets pretty hard to crack. A database leak, which happens quite often on the web, could expose all hashes, but if your hashes are created from very random salts together with multiple rounds of hashing, the attacker will need a lot of time to find the password. He doesn’t even know that you hashed multiple times, nor does he know the salt. It is still not enough to make your passwords really safe, though. What happens when two users are using the same password?
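The scheme described above (constant hidden salt, concatenation, repeated SHA-256) and the closing question about two users with the same password, as an added Python example that is not code from the original post. The salt value, the user names and all function names are constructed for illustration, and the random per-user salt in `new_record` is an assumption that goes beyond what the post describes.

```python
import hashlib
import hmac
import os

# Constructed sample value; the post keeps one hidden, constant salt for all users.
SITE_SALT = b"constructed-site-salt"
ROUNDS = 10  # the post's "like 10 times"


def page_scheme(password: str, salt: bytes = SITE_SALT, rounds: int = ROUNDS) -> str:
    """Concatenate salt and password, then hash the result `rounds` times."""
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()


def new_record(password: str) -> dict:
    """Assumption beyond the post: add a random per-user salt, stored beside the hash."""
    user_salt = os.urandom(16)
    return {"salt": user_salt.hex(),
            "hash": page_scheme(password, SITE_SALT + user_salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored per-user salt and compare in constant time."""
    candidate = page_scheme(password, SITE_SALT + bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, record["hash"])


def shared_password_groups(table: dict) -> list:
    """Group users whose stored hashes are equal; equal hashes mean equal passwords."""
    by_hash = {}
    for user, stored in table.items():
        by_hash.setdefault(stored, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed users; alice and bob deliberately share a password.
    users = {"alice": "passw0rd!", "bob": "passw0rd!", "carol": "password!"}
    constant = {u: page_scheme(p) for u, p in users.items()}
    per_user = {u: new_record(p) for u, p in users.items()}
    print("constant salt:", shared_password_groups(constant))
    print("per-user salt:",
          shared_password_groups({u: r["hash"] for u, r in per_user.items()}))
    print("verify alice:", verify("passw0rd!", per_user["alice"]))
```

Ten rounds is the post's figure; Python's `hashlib.pbkdf2_hmac` and `hashlib.scrypt` apply the same repeat-the-work idea with far higher cost settings.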