
BlowFish, the Only Way to Secure Your Passwords

By Thomas Hansen · Feb. 11, 2020 · Security Zone · Tutorial

I work in ForEx, one of the largest markets in the world, averaging 5.1 trillion dollars worth of trades on a daily basis. My employer also happens to be one of the largest brokers in the world, and I am a technical project lead for one of their main applications. In other words, the software my team and I work on is responsible for moving billions of dollars on a daily basis.

Being a paranoid schizophrenic is arguably a prerequisite for my job; if I fail at securing data, civilization as we know it might cease to exist. Hence, I'll try to teach you in this article how you can secure your passwords with a guarantee against brute force. I present to you a fishing trip, fishing for BlowFish.

[Image: a blowfish in the ocean. Cute little fellow, isn't he?]

Hashing Your Passwords

Storing your passwords in plain text is pure madness. If you currently do this, please unplug all of your servers and voluntarily commit yourself to unemployment or, alternatively, flipping burgers at McDonald's or something. Hashing your passwords protects your users, because human beings are simple creatures: they will often use the same password at Facebook as they use for their internet banking.

Therefore, if a black hat hacker gets hold of your database, he or she can probably also break into your users' bank accounts. So regardless of how "innocent" your app is, the way you store your passwords can have repercussions far beyond "your app".

OK, so we've gotten this far without a nervous breakdown, and you're already hashing your passwords. Let me teach you a new concept: precomputed tables, better known as rainbow tables, and their cousin the dictionary attack.

A precomputed table attack means hashing every candidate password in advance (every string up to some length, or, far more effectively, every password from the big public leaks), storing each hash next to its password, and then simply looking up the hashes stolen from your database. A rainbow table is a memory-thrifty variant of the same idea; the point is that the hashing is paid for once and reused against every unsalted database the attacker ever gets hold of. Even without precomputation, a fast general-purpose hash such as MD5, SHA-1 or SHA-256 runs at billions to tens of billions of guesses per second on a single commodity GPU, so every password in your database that is short, common, or present in a leak is recovered within minutes. (Exhausting every printable-ASCII string up to 8 characters is about 6.7 × 10^15 guesses, days rather than minutes at that rate, but the attacker does not need to, because real passwords are nowhere near uniformly random.) So for any realistic password, your hashed passwords are ipso facto plain text to a seasoned attacker.


Salting to the Rescue, or ...?

Salting means prepending a random value, the salt, to each user's password before hashing, and storing the hash of salt + password in the database. A single site-wide salt is better than nothing, but it is only a real obstacle if it is kept out of the database (that variant is usually called a pepper); once an attacker has your database he or she very likely has that value too, and can rebuild the table with it. Hence, individual salts on a per-record basis are a must. The salt itself need not be secret; it is normally stored in the clear right next to the hash. Its job is uniqueness, not secrecy.

A unique salt per record makes every precomputed table worthless, because the table would have had to be built for that exact salt. It also stops one hashing run from testing a guess against every user at once: whatever it costs to attack one record, attacking all of them costs "n" times that, where "n" is the number of records you physically store. With 2 million registered users, a job that was one run of the wordlist just became 2 million runs. Note what it does not do: a single, targeted user is exactly as cheap to attack as before.
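The two sections above, the precomputed-table attack and what a per-record salt does to it, as an added example (not code from the article; the author's own code is the C# further down). SHA-256 plays the fast hash, the wordlist and the stored passwords are constructed for the demo, and every function name here is this example's own.

```python
"""Lookup tables versus per-record salts, with a fast hash.  Added example,
not code from the article.  SHA-256 stands in for any fast general-purpose
hash; the wordlist and the stored passwords are constructed for the demo."""
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Constructed, deliberately tiny "leaked wordlist".  A real attacker carries
# hundreds of millions of entries; the logic below is identical.
WORDLIST: List[str] = [
    "123456", "password", "qwerty", "letmein", "dragon",
    "football", "iloveyou", "admin", "welcome", "monkey",
]


def fast_hash(data: bytes) -> str:
    """One SHA-256 call: the 'normal' fast hash the article warns about."""
    return hashlib.sha256(data).hexdigest()


# ---- Attacker: precompute once, reuse against every unsalted database ----

def build_lookup_table(words: List[str]) -> Dict[str, str]:
    """hash -> password.  A rainbow table is the memory-thrifty version of
    this; either way the hashing cost is paid once, ahead of time."""
    return {fast_hash(w.encode()): w for w in words}


def crack_unsalted(stored_hashes: List[str], table: Dict[str, str]) -> Tuple[List[Optional[str]], int]:
    """Returns (recovered password or None per record, hashes computed now).
    With the table in hand the attack is pure lookups: zero hashing."""
    return [table.get(h) for h in stored_hashes], 0


# ---- Defender: a unique random salt per record, stored in the clear ----

def store_salted(password: str) -> Tuple[bytes, str]:
    """What the database keeps: (salt, hash(salt + password))."""
    salt = os.urandom(16)
    return salt, fast_hash(salt + password.encode())


def crack_salted(records: List[Tuple[bytes, str]], words: List[str]) -> Tuple[List[Optional[str]], int]:
    """No table helps: each record's salt forces a fresh run of the wordlist.
    Total work grows by n (records), but one targeted record still costs
    exactly one wordlist run, because the salt is right there in the dump."""
    recovered: List[Optional[str]] = []
    hashes_computed = 0
    for salt, digest in records:
        hit: Optional[str] = None
        for w in words:
            hashes_computed += 1
            if fast_hash(salt + w.encode()) == digest:
                hit = w
                break
        recovered.append(hit)
    return recovered, hashes_computed


if __name__ == "__main__":
    users = ["qwerty", "dragon", "monkey", "Tr0ub4dor&3"]   # constructed
    table = build_lookup_table(WORDLIST)
    print("unsalted:", crack_unsalted([fast_hash(p.encode()) for p in users], table))
    print("salted  :", crack_salted([store_salted(p) for p in users], WORDLIST))
```

Run it and compare the second element of each result: the unsalted attack performs no hashing at all, while the salted one re-runs the wordlist per record and still recovers every password that is in the list. The only thing the salt bought is that the work is no longer shared between records.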

Speed

Speed is king, right? When it comes to hashing passwords, this couldn't be further from the truth. Hashing a short password with a general-purpose algorithm such as SHA-256 takes well under a microsecond on an ordinary CPU, and cracking rigs run it on GPUs at billions of guesses per second. The salt does nothing against this; it only prevents precomputation. Anyone who holds your database, salts included, can throw an entire leaked-password wordlist of a few hundred million entries at one user's hash in seconds, using nothing more exotic than an off-the-shelf cracking tool.

So a hacker who is targeting a single individual, and doesn't care about the other users, does not need 2 million runs; one run of the wordlist per victim is enough. A handful of accounts cost a handful of minutes of GPU time. Doesn't sound very secure, right...?
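An added example (not from the article) that puts numbers on the speed argument on your own machine: measure seconds per guess for a fast hash and for a tunable slow one, project that onto a keyspace, and calibrate the cost the way you would tune a password hash's work factor. Python's standard library has no bcrypt, so PBKDF2-HMAC-SHA256 (tunable by an iteration count) stands in for it; the candidate password, the salt and the function names are this example's assumptions.

```python
"""Why hash speed decides everything.  Added example, not code from the
article.  Python's standard library has no bcrypt, so PBKDF2-HMAC-SHA256
(tunable by an iteration count) stands in for the slow, tunable password
hash; bcrypt's cost parameter plays the same role, doubling the work per +1."""
import hashlib
import os
import time
from typing import Callable

# Constructed salt, shared by both functions so that only the algorithm differs.
SALT = os.urandom(16)


def fast_hash(password: bytes) -> bytes:
    """The 'normal' fast hash: one SHA-256 over salt + password."""
    return hashlib.sha256(SALT + password).digest()


def slow_hash(password: bytes, iterations: int = 100_000) -> bytes:
    """Deliberately slow, tunable hash (PBKDF2 as a stand-in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password, SALT, iterations)


def seconds_per_guess(hash_fn: Callable[[bytes], bytes], calls: int, repeats: int = 3) -> float:
    """Wall-clock cost of one guess on this machine: run `calls` hashes per
    sample and keep the fastest of `repeats` samples to shave off noise."""
    guess = b"correct horse battery staple"      # constructed candidate
    best = float("inf")
    for _ in range(repeats):
        t0 = time.perf_counter()
        for _ in range(calls):
            hash_fn(guess)
        best = min(best, (time.perf_counter() - t0) / calls)
    return best


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of candidate strings of length 1..max_len over the alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(candidates: int, per_guess: float, parallelism: int = 1) -> float:
    """Time to try every candidate, given the per-guess cost and how many
    hashes the attacker runs in parallel (GPU lanes, machines, ...)."""
    return candidates * per_guess / parallelism


def calibrate_iterations(target_seconds: float, floor: int = 1_000) -> int:
    """What you actually do in production: raise the cost until one hash
    takes about `target_seconds` on your own hardware.  Doubling mirrors
    bcrypt, where cost+1 doubles the work."""
    iterations = floor
    while seconds_per_guess(lambda p: slow_hash(p, iterations), calls=1, repeats=1) < target_seconds:
        iterations *= 2
    return iterations


if __name__ == "__main__":
    fast = seconds_per_guess(fast_hash, calls=2_000)
    slow = seconds_per_guess(slow_hash, calls=1)
    space = keyspace(95, 8)                          # printable ASCII, up to 8 chars
    print(f"fast hash: {fast * 1e6:8.2f} us/guess -> "
          f"{seconds_to_exhaust(space, fast) / 86400 / 365:,.0f} CPU-years for {space:,} candidates")
    print(f"slow hash: {slow * 1e3:8.2f} ms/guess -> "
          f"{seconds_to_exhaust(space, slow) / 86400 / 365:,.0f} CPU-years, {slow / fast:,.0f}x slower")
    print(f"iterations for ~50 ms per hash on this box: {calibrate_iterations(0.05):,}")
```

The fast-hash figure you measure here is a single Python-driven CPU core; divide it by a few thousand for what a GPU rig achieves, and remember that the ratio between the two lines, not the absolute number, is what the work factor buys you, because it applies equally to the attacker's hardware.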

BlowFish: the King of Passwords!

First, a word on names. What the code below uses is bcrypt, a password-hashing function built on the expensive key schedule of the Blowfish block cipher; Blowfish itself is a cipher, not a password hash, and encrypting passwords with it would be the wrong tool. The whole idea of bcrypt is that it is sloooooooooooooow, on purpose and tunably so: its cost (work factor) parameter is the base-2 logarithm of the number of key-setup rounds, so each +1 doubles the time for you and for the attacker alike. At a typical cost of 10 to 12, one hash takes on the order of tens to hundreds of milliseconds on a server core, and a GPU that manages tens of billions of SHA-256 guesses per second is throttled to thousands of bcrypt guesses per second. That turns the seconds per user from the previous section into days, and the job of running the wordlist against all 2 million records into thousands of years; with per-record salts baked into every bcrypt hash, the table-building shortcut is gone as well. OK, now we're talking! Welcome to the club of the paranoid, mate! Welcome to "the force"!

Two caveats a practitioner should know before celebrating. First, slowness multiplies the cost of each guess; it does not rescue a password that falls on the first few guesses. "password123" is cracked in milliseconds under bcrypt too, so enforce a minimum length and reject passwords that appear in known breach lists. Second, bcrypt uses only the first 72 bytes of the password, and most implementations silently ignore the rest, so either cap the length you accept or pre-hash long inputs consistently.

So, how many years would it require to learn all of this? That's the good part: two simple method calls in C#, and brute force against your stored hashes becomes an exercise in patience for anyone, three-letter agencies included. Voilà, I give to you, the magic of bcrypt!

```csharp
/*
 * This is C# code (the BCrypt.Net-Next NuGet package, class BCrypt.Net.BCrypt),
 * but you can find similar one-liners in every major programming language.
 * The class is written out in full because "BCrypt" is also a namespace.
 */

// Hash with an explicit work factor (cost). 12 is a sensible choice today;
// each +1 doubles the time per hash for you and for the attacker.
var passwordHash = BCrypt.Net.BCrypt.HashPassword("my password", 12);

/*
 * Now you can store the "passwordHash" variable in your database.
 * A random 128-bit salt is generated for you and embedded in the string
 * together with the version and the cost, so there is nothing else to keep.
 */

/*
 * Checking for a match somewhere else in your code ...
 */
bool matches = BCrypt.Net.BCrypt.Verify("my password", passwordHash);   // true

/*
 * Seriously, THAT'S IT!!
 * Everything you need to know to make any cracking rig, super computer
 * or not, grind through your stored hashes at a crawl.
 */
```



There is absolutely no reason whatsoever not to use it. Use bcrypt, please. I might want to register at your web site one of these days. And even though I don't use the same password "everywhere", my grandma might still do so... and I kind of care about my grandma's bank account.
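Two operational checks around the calls above, as an added example in Python rather than the article's C# (not code from the article or from BCrypt.Net): parsing the stored hash string so a minimum cost can be enforced and raised over time, and rejecting input longer than the 72 bytes bcrypt actually uses. The sample hash strings are constructed for their format only, and all function names are this example's own.

```python
"""Operational checks around stored bcrypt hashes: cost policy and the
72-byte input limit.  Added example, not code from the article; it only
handles the hash string format, so no bcrypt library is needed to run it."""
import re
from typing import List, NamedTuple, Tuple

# Modular crypt format produced by bcrypt libraries:
#   $2<v>$<cost>$<22-char salt><31-char digest>   (bcrypt's base64 alphabet ./A-Za-z0-9)
_BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
MIN_COST, MAX_COST = 4, 31          # cost range accepted by bcrypt implementations
BCRYPT_MAX_BYTES = 72               # bcrypt keys from at most 72 bytes of input

# Constructed samples: format-valid bcrypt strings used only to exercise the
# parser.  Do not assume they are the hash of any particular password.
SAMPLE_HASH = "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"
SAMPLE_HASH_COST12 = "$2b$12$" + SAMPLE_HASH[7:]


class BcryptFields(NamedTuple):
    version: str
    cost: int
    salt: str
    digest: str


def parse_bcrypt(hash_str: str) -> BcryptFields:
    """Split a stored hash into its fields; raises ValueError on anything
    that is not bcrypt (e.g. a legacy MD5 hex string left in the column)."""
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt hash string")
    version, cost, salt, digest = m.groups()
    if not MIN_COST <= int(cost) <= MAX_COST:
        raise ValueError(f"bcrypt cost {cost} out of range")
    return BcryptFields(version, int(cost), salt, digest)


def is_bcrypt_hash(hash_str: str) -> bool:
    try:
        parse_bcrypt(hash_str)
        return True
    except ValueError:
        return False


def needs_rehash(hash_str: str, policy_cost: int) -> bool:
    """True when the stored hash is weaker than today's policy.  Call this
    right after a successful Verify, while you still hold the plaintext,
    and store a fresh hash at policy_cost; hardware gets faster every year."""
    return parse_bcrypt(hash_str).cost < policy_cost


def audit_hashes(rows: List[Tuple[str, str]], policy_cost: int) -> Tuple[List[str], List[str]]:
    """Audit (user_id, stored_hash) rows: ids below the cost policy (upgraded
    at next login) and ids whose column does not hold a bcrypt hash at all."""
    below_policy: List[str] = []
    not_bcrypt: List[str] = []
    for user_id, stored in rows:
        if not is_bcrypt_hash(stored):
            not_bcrypt.append(user_id)
        elif needs_rehash(stored, policy_cost):
            below_policy.append(user_id)
    return below_policy, not_bcrypt


def fits_bcrypt(password: str) -> bool:
    """Length is measured in UTF-8 bytes, not characters."""
    return len(password.encode("utf-8")) <= BCRYPT_MAX_BYTES


def password_bytes_for_bcrypt(password: str) -> bytes:
    """Encode for hashing and refuse input that bcrypt would silently truncate,
    so two different long passwords can never verify as equal."""
    raw = password.encode("utf-8")
    if len(raw) > BCRYPT_MAX_BYTES:
        raise ValueError(f"password exceeds {BCRYPT_MAX_BYTES} bytes; bcrypt would ignore the rest")
    return raw


if __name__ == "__main__":
    rows = [("alice", SAMPLE_HASH), ("bob", SAMPLE_HASH_COST12),
            ("carol", "5f4dcc3b5aa765d61d8327deb882cf99")]      # constructed rows
    print(parse_bcrypt(SAMPLE_HASH))
    print("upgrade at login / not bcrypt:", audit_hashes(rows, policy_cost=12))
    print("72-byte check:", fits_bcrypt("x" * 72), fits_bcrypt("x" * 73), fits_bcrypt("é" * 37))
```

The rehash check is the piece most teams forget: a work factor chosen in 2020 is cheaper to attack every year, and because bcrypt embeds the cost in the hash string you can raise the policy and let accounts migrate transparently on their next successful login.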

