BlowFish, the Only Way to Secure Your Passwords

I work in ForEx, one of the largest markets in the world, averaging 5.1 trillion dollars worth of trades on a daily basis. My employer also happens to be one of the largest brokers in the world, and I am a technical project lead for one of their main applications. In other words, the software my team and I work on is responsible for moving billions of dollars on a daily basis.

Being a paranoid schizophrenic is arguably a prerequisite for my job; if I fail at securing data, civilization as we know it might cease to exist. Hence, I'll try to teach you in this article how you can secure your passwords — with brute force guarantee. I present to you, a fishing trip, fishing for BlowFish.

Hashing Your Passwords

Storing your passwords in plain text is pure madness. If you currently do this, please unplug all of your servers and voluntarily commit yourself to unemployment or, alternatively, flipping burgers at McDonald's or something. Hashing your passwords gives a guarantee for your clients, simply because human beings are simple, and they'll often use the same password at Facebook as they use for their internet banking.

Therefore, if a black hat hacker can get to your database, he/she can also probably break into all of your clients' bank accounts. So, regardless of how "innocent" your app is, the way you store your passwords might have repercussions to far larger things than "your app..."

OK, so we've gotten this far without having a nervous breakdown, and you're already hashing your passwords. Let me teach you a new concept: Rainbow Dictionary Attacks!

A Rainbow Dictionary Attack implies taking all possible combinations of letters, numbers, and special characters, hashing them into a database, and then using them to "diff" this database towards another database. Using a simple brute force, an average laptop can compute every single combinations of characters up to 8-10 letters in roughly 15 minutes. So, reverse engineering every single hashed password in your database would require 15 minutes for a skilled hacker, with nothing but a fairly new laptop at his/her disposal. So, your hashed passwords, are ipso facto plain text for a seasoned hacker.

You may also like: The CIA Triad and SSH Brute-Forcing.

Salting to the Rescue, or ...?

Salting implies appending a salt to your users passwords, before hashing them, and storing the hashed results of your users' password combined with your salt into the database. Better still, but if a malicious hacker has gained access to your database, he/she probably also has access to your salt. Hence, individual salts on a per-record basis are a must!

This increases the workload required to create a Rainbow Dictionary by "n", where "n" equals the numbers of passwords you're physically storing. Hence, that 15 minute job, just turned into 15 minutes multiplied by 2 million (registered users) in your database.

Speed

Speed is king, right? When it comes to hashing passwords, this couldn't be further from the truth. Hashing a password using a normal hashing algorithm requires less than 200 CPU cycles. This means that your grandma's laptop can create a Rainbow Dictionary if it knows the salt, with every single possible combination less than 10 characters long in less than 20 minutes, using nothing but a VB script if it wants to.

This allows a hacker to brute force guess your passwords of individual records in less than 15 minutes. Maybe the hacker is targeting a single individual and doesn't care about more than a handful of users? Well, 1 hour of CPU time, burning a simple VB script at maximum speed, and he/she has the passwords of 5 users. Doesn't sound very secure, right...?

BlowFish: the King of Passwords!

However, the whole idea of BlowFish is that it is sloooooooooooooooooooow. So slow, that even NSA's supercomputers, with millions of CPUs, requiring half of Nevada's real estate, and the entire Colorado river to simply cool down, would still spend a trillion years creating a Rainbow Dictionary of all possible permutations less than 10 characters long, on a workload of 20records. OK, now we're talking! Welcome to the club of the Paranoid Schizophrenic mate! Welcome to "the force"!

So, how many years would it require to learn all of this? That's the good parts; Two simple methods in C#, and you are beyond what the CIA, NSA, and FSB could hack, using supercomputers! Voila, I give to you, the Magic of BlowFish!

xxxxxxxxxx

/*

 * This is C# code, but you can probably find similar one-liners

 * in every single major programming language.

 */

var passwordHash = BCrypt.HashPassword("my password");

/*

 * Now you can store the "passwordHash" variable in your database ...

 */

/*

 * Checking for a match somewhere else in yur code ...

 */

BCrypt.Verify("my password", passwordHash);

/*

 * Seriously, THAT'S IT!!

 * Everything you need to know, to make NSA's super computers

 * start crying, and have a nervous breakdown, incapable of

 * violating your software systems!

 */

There's absolutely no reason whatsoever for you to not use it. Use BlowFish, please. I might want to register at your Web site one of these days. And even though I don't use the same passwords "everywhere", my grandma might still do...and I kind of care about my Grandma's bank account.

Further Reading

• Hashing in Java vs. C++.
• Java Hashing: From Overriding HashCode to Mutable Objects.
• Cryptographic Hash Function Menagerie.