The Dangers of Weak Hashes


A 2013 SANS whitepaper titled “The Dangers of Weak Hashes” by author Kelly Brown, explains how simple hashing doesn’t provide sufficient security and explores the best practices when it comes to hashing.

What is hashing?

A has is a one-way encryption algorithm that can be expressed as-

HashValue = HashFunction(data)

This is no mathematical way or function to retrieve “data” from the “HashValue”.

Problems with Hashing-

1. Collisions – it is possible to find two or more values that compute to the same hash-value. Weaker hashing algorithms have more collisions.

2. Rainbow tables – Rainbow tables mapping values <-> hash-values are publicly available. So if you know the hash-value is “34fkjdfh23h3123” and you know that it maps to “openmyaccount” for a given hashing algorithm, you, in essence, know the password, whenever you see “34fkjdfh23h3123”.

Best Practises for Hashing-

1. Use strong hashing algorithms – SHA2 and above (MD5 and SHA1 should NOT be used)

2. Salt the hashes – use large, random values and mix it up with the password, and then hash it. It is impossible to find a rainbow attack for this hash unless they the hacker knows your longrandom salt value AND your salting algorithm.

3. Encrypt the hash – another level of security can be added by performing a symmetric encryption (using AES) on the hash value.

Reference-

Brown, K. (2013). The Dangers of Weak Hashes. Retrieved from https://www.sans.org/reading-room/whitepapers/authentication/dangers-weak-hashes-34412