Introduction
The rapid growth of the Internet, its availability, and the enormous opportunities it provides to the user have led to the emergence of entire industries in business, science, and education. However, at the same time, this development of capabilities and services brings several new challenges, the most serious of which is the confidentiality of information. Recently, various illegal actions that violate the safety of users, trade secrets, personal data on the network. For example, leaks from LinkedIn, Sony, and many others, have been keeping pace with the development of technology (Significant Cyber Incidents, n.d.). Often, the problem is indicated by the imperfection of the security system; in other cases, the hacking of the NSA or GCHQ encryption is highlighted (Herrera & Ali, 2018). Regardless of the reason, this issue requires detailed consideration and solution.
Password Hash Files
Information leaks are the illegal transfer of confidential information (materials necessary for various companies or the state, citizens’ data), intentional or accidental. Having access to logins and passwords and bank cards and accounts, attackers steal money from citizens, trade secrets, and corporate secrets (Wongwiwatchai, Pongkham & Sripanidkulchai, 2020). They are classified according to data leakage channels, and over the last time, more than 70% have fallen on the network (Brogada, Sison & Medina, 2019). Authentication and identification systems, cryptographic protection systems for disk data, information transmitted over networks, software solutions for managing encryption keys are used to protect the confidentiality.
Authentication and identification tools allow restricting access to network resources. The users are asked for some information known only to them, after which access is opened. The following actions are used to implement this opportunity: biometrics – physiological characteristics of people (fingerprints, an image of the eye’s iris); confidential information – passwords, keys, and many more (Iskhakov et al., 2017). As a result of encryption, each character of the protected information is converted. The essence of encryption is reduced to permutation of characters, substitution, analytical transformations, or gamming.
Cryptographic hash functions, as the most modern form of this technology, are an indispensable and ubiquitous tool used to perform various tasks, including authentication, data integrity checking, file protection, and even malware detection. Many hashing algorithms differ in cryptographic strength, complexity, bit depth, and other properties (Ntantogian, Malliaros & Xenakis, 2019). The most common function of a hash is to store and encrypt passwords on various sites, which has partly proven a relatively reliable and secure mechanism (Filippova, 2021). However, now more and more cases of sufficiently massive personal data leaks have begun to occur, which, from a legal point of view, violates the rights of users of specific resources (Sollars, 2019). Test attacks by NSA on user data provoke the work of security services, which constantly improve systems, adapting them all to new and new attacks. Ultimately, the question only arises about using and disposing of the relevant personal data that fell into the hands of those who encroached on security systems.
Practical Actions
There have been comparatively many important and significant information leaks and privacy frauds lately. However, several relatively simple tools do not exclude constant attentiveness and control over the actions of users on the Internet. First of all, this is a careful check of the privacy settings on each resource visited by the user. The more time a user spends on a given resource or site, the better it is worth studying the privacy policy, which may allow the transmission of their data with the users’ consent.
Web surveillance is one of the top privacy concerns for users. For example, users entering a site using a browser transmits much information about themselves to the site owner. As a result, contextual advertising is then formed, and marketing specialists can make a profile of each specific user (Zadereyko et al., 2021). It is necessary to deal with this problem with the help of a supporter of programs that protect the user’s visit to Internet resources from data collection. The issue is so severe that ITI has long advocated reform of surveillance legislation that will help restore public confidence and strengthen our ability to defend ourselves against economically harmful policies worldwide (ITIC – Surveillance Reform, n.d.). Nevertheless, a large share of the responsibility always lies with the user, who needs to follow specific rules so that he does not have to resort to the help of third-party programs.
Firstly, it is needed to carefully approach the issue of communicating phone numbers, email addresses, and other personal data. In total, this information can provide fraudsters with access to many resources, including financial ones, which can lead to irreparable losses. Secondly, users should use end-to-end encryption of personal information programs and use hash technology to store passwords (Bai et al., 2020). Finally, users should use rather complex passwords for authentication and registration on resources since simple passwords, or instead of their hash representation, have long been studied by fraudsters (Kamal, 2019). In the second part of this work, the algorithms for hashing passwords will be considered in more detail and the questions of why more complex passwords are more reliable.
Security by Hashing
A cryptographic hash function is a particular operation that converts an arbitrary array of data into a fixed-length string of letters and numbers, and this length will remain unchanged, regardless of input data. A hash function can be cryptographically vital only if the main requirements are met. They include resistance to the recovery of hashed data and resistance to collisions, that is, the formation of two identical hash values ​​from two different data arrays. Interestingly, none of the existing algorithms formally falls under these requirements since finding the value inverse to the hash is only a matter of computing power. This type of password storage is more secure since both the resource itself and crackers cannot see the password in its pure form to repeat the user authentication effortlessly; as a result, the security increases.
Hash functions have some properties that directly and indirectly determine their level of security and reliability. The first property is determinism, which means that no matter how many times a particular input is parsed through a hash function, the result will always be the same. Determinism is essential for hashes and one bit that changes in the input to create an entirely different hash. The problem with hashing algorithms is the inevitability of collisions (Hatzivasilis, 2017). That is, the fact that hashes are a fixed-length string means that other possible inputs will result in the same hash for every possible input.
The second property is fast computation, so the hash function must be able to return a hash input quickly. If the process is not fast enough, the system will not be effective. Finally, another property stands out: the complexity of the reverse computation. The complexity of the reverse calculation means that given H (A), it is impossible to determine A, where A is the input data, and H (A) is the hash (Hatzivasilis, 2017). Although it is possible to determine the original data from the hash, the complexity of the reverse calculation should be maximized.
Attacks
Cyber ​​attacks can affect the information space of a computer, which contains information, stores materials of a physical or virtual device. The attack usually affects a storage medium specially designed to store, process, and transmit the user’s personal information (Carter & Johnson, 2020). Users with simple and short passwords are the main targets of brute-force attackers, or in other words, brute-force attacks. This rather simple hacking method often brings results and theoretically allows you to get a password for an account on any service or portal if it is not sufficiently secure (Llewellyn-Jones & Rymer, 2017). The simpler the password, the faster the attack will reach its target. To brute-force passwords, special software is used, which is either created by the cybercriminals themselves, or borrowed by them from their colleagues. Previously compromised computers and servers are often used as capacities.
A client-side attack is based on interaction with a network user or computer that the attackers want to hack. Hackers try to force the user to enter their details on a fake or phishing site. All available methods are used: malicious links, documents, applications, and much more. Even an experienced user cannot always distinguish a phishing site from the original – the copies are pretty believable, and given the rhythm of life, it is tough to notice a minor typo in the site address (Bošnjak, Sreš & Brumen, 2018). Dictionary attacks are carried out on the assumption that most passwords consist of whole words, dates, and numbers taken from a dictionary. Dictionary attack tools require an input vocabulary list. Knowing the password hashing algorithm, it is possible to “guess the password” based on the data from the dictionaries (Hitaj et al., 2019). Other types of hacker attacks on passwords are more indirect.
Another group includes DoS attacks that disable various systems; social engineering, when fraudsters achieve the result using psychological methods, not technological ones; finally, “man in the middle” or complete control of communication in confidential correspondence (Haber, 2020). It is also possible to access the password using these attacks, but there are no direct attacks on the hash.
Salt
The prevalence of simple passwords poses a threat to overall security, since once a hacked hashing algorithm for such a password opens access to all users using it. A hash without salt is very easy to write to a rainbow table. Rainbow tables are a trade-off technique between lookup time and memory usage. They are similar to lookup tables, except they sacrifice the speed of breaking hash codes to make lookup tables smaller. Crackers store many short passwords, along with their hash equivalents, in special forms of information. There are so-called rainbow tables that store these values.
Therefore, salt in this context means an extra string of characters added to or otherwise modifies the hash: for each site, the salt is unique (Jeong, Woo & Cha, 2019). Salt is a tool for protecting and verifying the correctness of each password, therefore, it is usually stored along with the hash. Quite simple algorithms using a random variable to edit the initial hash can protect users and the server from guessing the password through rainbow tables. As a result, the hacker cannot do anything due to the complicated algorithm. Moreover, it is recommended to use a different salt for each password, which almost completely reduces the possibility of such an attack (Farshim & Tessaro, 2021). However, there are times when salt cannot help.
For example, the security is not increased if the server or the site misuses the salt. Short salt and its reuse, coupled with the combination of functions of encryption methods, do not lead to the desired results and only slightly slow down the activities of fraudsters (Khowfa & Silasai, 2019). In this regard, the salt must be used uniquely for a different resource and each password, user. To generate the salt, a cryptographically secure pseudo-random number and symbol generator should be used. One of the main challenges for the future development of hashing is to find a balance between slow performance to protect against attacks and performance for user comfort.
Conclusion
In comparison with simple ones, more complex passwords have a hash, as a rule, not entered in rainbow tables. As a consequence, the presence of such passwords excludes the possibility of a particular group of attacks. The use of salt leaves almost no chance of breaking such a password at all. As a result, the joint efforts of the user and the developer on the resource side can provide a sufficiently high level of security and privacy on the network.
Reference List
Bai, W., et al. (2020) “Improving non-experts’ understanding of end-to-end encryption: an exploratory study” in 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (pp. 210-219). IEEE.
Bošnjak, L., Sreš, J., & Brumen, B. (2018) “Brute-force and dictionary attack on hashed real-world passwords”, in 2018 41st international convention on information and communication technology, electronics and microelectronics (mipro) (pp. 1161-1166). IEEE.
Brogada, M. A. D., Sison, A. M., & Medina, R. P. (2019) “Cryptanalysis on the Head and Tail Technique for Hashing Passwords” in 2019 IEEE 7th Conference on Systems, Process and Control (ICSPC) (pp. 137-142). IEEE.
Carter, A. D., & Johnson, R. A. (2020) “Slow Hashing Speed as a Protection for Weak Passwords”, International Journal of Advanced Engineering and Science, 9(1), pp. 1-8.
Farshim, P., & Tessaro, S. (2021) “Password Hashing and Preprocessing”, in Annual International Conference on the Theory and Applications of Cryptographic Techniques (pp. 64-91). Springer, Cham.
Filippova, A. (2021) “Current security issues in the information society” in SHS Web of Conferences (Vol. 109, p. 01014). EDP Sciences.
Haber, M. J. (2020) “Attack Vectors” in Privileged Attack Vectors (pp. 65-85). Apress, Berkeley, CA.
Hatzivasilis, G. (2017) “Password-hashing status”, Cryptography, 1(2), pp. 1-10.
Herrera, J., & Ali, M. L. (2018) “Concerns and Security for Hashing Passwords” in 2018 9th IEEE Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON) (pp. 861-865). IEEE.
Hitaj, B., et al. (2019) “Passgan: A deep learning approach for password guessing” in International Conference on Applied Cryptography and Network Security (pp. 217-237). Springer, Cham.
Iskhakov, A., et al. (2017) “Increase in security of authentication services through additional identification using optimal feature space” in Proceedings of the IV International research conference “Information technologies in Science, Management, Social sphere and Medicine”(ITSMSSM) (pp. 443-446).
ITIC – Surveillance Reform(n.d.)
Jeong, J., Woo, D., & Cha, Y. (2019) “Enhancement of website password security by using access log-based salt”, in 2019 International Conference on Systems of Collaboration Big Data, Internet of Things & Security (SysCoBIoTS) (pp. 1-3). IEEE.
Kamal, P. (2019) “Security of Password Hashing in Cloud”, Journal of Information Security, 10(02), pp. 44-45.
Khowfa, W., & Silasai, O. (2019) “The Efficiency of using Salt Against Password Attacking”, Journal of Southern Technology, 12(1), pp. 217-227.
Llewellyn-Jones, D., & Rymer, G. (2017) “Cracking pwdhash: A bruteforce attack on client-side password hashing” in Proceedings of the 11th International Conference on Passwords (Passwords). Springer-Verlag, Cham, Switzerland.
Ntantogian, C., Malliaros, S., & Xenakis, C. (2019) “Evaluation of password hashing schemes in open source web platforms”, Computers & Security, 84, pp. 206-224.
Significant Cyber Incidents(n.d.)
Sollars, M. (2019) “IoT security: could careless talk cost livelihoods?”, Computer Fraud & Security, 2019(5), pp. 12-15.
Wongwiwatchai, N., Pongkham, P., & Sripanidkulchai, K. (2020) “Comprehensive detection of vulnerable personal information leaks in android applications” in IEEE INFOCOM 2020-IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS) (pp. 121-126). IEEE.
Zadereyko, A., et al. (2021) “Development of an Algorithm to Protect User Communication Devices Against Data Leaks”, Eastern-European Journal of Enterprise Technologies, 1(2), pp. 109-110.