BlowFish, the Only Way to Secure Your Passwords

By Thomas Hansen · Feb. 11, 20 · Tutorial

I work in ForEx, one of the largest markets in the world, averaging 5.1 trillion dollars worth of trades on a daily basis. My employer also happens to be one of the largest brokers in the world, and I am a technical project lead for one of their main applications. In other words, the software my team and I work on is responsible for moving billions of dollars on a daily basis.

Being a paranoid schizophrenic is arguably a prerequisite for my job; if I fail at securing data, civilization as we know it might cease to exist. Hence, I'll try to teach you in this article how you can secure your passwords — with brute force guarantee. I present to you, a fishing trip, fishing for BlowFish.

[Image: Blowfish in ocean]

Cute little fellow, isn't he?

Hashing Your Passwords

Storing your passwords in plain text is pure madness. If you currently do this, please unplug all of your servers and voluntarily commit yourself to unemployment or, alternatively, flipping burgers at McDonald's or something. Hashing your passwords gives a guarantee for your clients, simply because human beings are simple, and they'll often use the same password at Facebook as they use for their internet banking.

Therefore, if a black hat hacker can get to your database, he/she can probably also break into all of your clients' bank accounts. So, regardless of how "innocent" your app is, the way you store your passwords might have repercussions for far larger things than "your app..."

OK, so we've gotten this far without having a nervous breakdown, and you're already hashing your passwords. Let me teach you a new concept: Rainbow Dictionary Attacks!

A Rainbow Dictionary Attack implies taking all possible combinations of letters, numbers, and special characters, hashing them into a database, and then using them to "diff" this database against another database. Using a simple brute force, an average laptop can compute every single combination of characters up to 8-10 letters in roughly 15 minutes. So, reverse engineering every single hashed password in your database would require 15 minutes for a skilled hacker, with nothing but a fairly new laptop at his/her disposal. So, your hashed passwords are ipso facto plain text for a seasoned hacker.


Salting to the Rescue, or ...?

Salting implies appending a salt to your users' passwords before hashing them, and storing the hashed result of each user's password combined with your salt in the database. Better, but if a malicious hacker has gained access to your database, he/she probably also has access to your salt. Hence, individual salts on a per-record basis are a must!

This increases the workload required to create a Rainbow Dictionary by "n", where "n" equals the number of passwords you're physically storing. Hence, that 15 minute job just turned into 15 minutes multiplied by 2 million (registered users) in your database.

Speed

Speed is king, right? When it comes to hashing passwords, this couldn't be further from the truth. Hashing a password using a normal hashing algorithm requires less than 200 CPU cycles. This means that your grandma's laptop can create a Rainbow Dictionary if it knows the salt, with every single possible combination less than 10 characters long in less than 20 minutes, using nothing but a VB script if it wants to.

This allows a hacker to brute force guess your passwords of individual records in less than 15 minutes. Maybe the hacker is targeting a single individual and doesn't care about more than a handful of users? Well, 1 hour of CPU time, burning a simple VB script at maximum speed, and he/she has the passwords of 5 users. Doesn't sound very secure, right...?

BlowFish: the King of Passwords!

However, the whole idea of BlowFish is that it is sloooooooooooooooooooow. So slow, that even NSA's supercomputers, with millions of CPUs, requiring half of Nevada's real estate, and the entire Colorado river simply to cool down, would still spend a trillion years creating a Rainbow Dictionary of all possible permutations less than 10 characters long, on a workload of 20 records. OK, now we're talking! Welcome to the club of the Paranoid Schizophrenic, mate! Welcome to "the force"!

So, how many years would it require to learn all of this? That's the good part: two simple methods in C#, and you are beyond what the CIA, NSA, and FSB could hack, using supercomputers! Voila, I give to you, the Magic of BlowFish!

C#

```csharp
// Assumes the BCrypt.Net library (using BCrypt.Net;) is referenced.
/*
 * This is C# code, but you can probably find similar one-liners
 * in every single major programming language.
 */
var passwordHash = BCrypt.HashPassword("my password");

/*
 * Now you can store the "passwordHash" variable in your database ...
 */

/*
 * Checking for a match somewhere else in your code ...
 * Verify re-hashes the supplied password with the salt and cost
 * embedded in passwordHash and returns true on a match.
 */
bool matches = BCrypt.Verify("my password", passwordHash);

/*
 * Seriously, THAT'S IT!!
 * Everything you need to know, to make NSA's super computers
 * start crying, and have a nervous breakdown, incapable of
 * violating your software systems!
 */
```
There's absolutely no reason whatsoever for you to not use it. Use BlowFish, please. I might want to register at your Web site one of these days. And even though I don't use the same passwords "everywhere", my grandma might still do...and I kind of care about my Grandma's bank account.
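The same two-step idea (hash on registration, verify on login) as an added example in Python that is not the article's code. BCrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it here; it keeps the two properties the article relies on, a random salt per record and a tunable cost, and the `pbkdf2_sha256$rounds$salt$digest` record format is my own, modelled on the way bcrypt embeds cost and salt in its output.

```python
import base64
import hashlib
import hmac
import secrets

# Cost factor (assumed value for this example): raise it as hardware gets
# faster so that each guess stays deliberately expensive for an attacker.
DEFAULT_ROUNDS = 200_000


def hash_password(password: str, rounds: int = DEFAULT_ROUNDS) -> str:
    """Return a self-describing record: pbkdf2_sha256$rounds$salt$digest."""
    salt = secrets.token_bytes(16)  # fresh random salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return "pbkdf2_sha256${}${}${}".format(
        rounds,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the salt and rounds embedded in the record."""
    try:
        algo, rounds_str, salt_b64, digest_b64 = stored.split("$")
        rounds = int(rounds_str)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except (ValueError, TypeError):
        return False  # a malformed record never verifies
    if algo != "pbkdf2_sha256" or rounds < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # Constant-time comparison: the reply must not leak how many bytes matched.
    return hmac.compare_digest(actual, expected)


def same_password_different_records(password: str, rounds: int = 1_000) -> bool:
    """Two users with the same password get different records thanks to the
    per-record salt, so one precomputed table cannot cover both of them."""
    return hash_password(password, rounds) != hash_password(password, rounds)
```
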

