Cryptography: A Quantitative Analysis of the Effectiveness of Various Password Storage Techniques

Authors

  • Rohan Patra, Dougherty Valley High School
  • Sandip Patra, Mentor

DOI:

https://doi.org/10.47611/jsrhs.v10i3.1764

Keywords:

password, hashing, data, security, authentication, sha-256, bcrypt, md5, salting, performance, hash decryption, cryptography, computer science, cybersecurity, data breaches, data breach

Abstract

Recently there has been a rise in impactful data breaches that have released billions of people's online account and financial data into the public domain. The result is an increased importance of effective cybersecurity measures, especially regarding the storage of user passwords. Strong password storage means that an attacker who obtains breached data still cannot recover the passwords and reuse them in attacks such as credential stuffing; it also limits user exposure to threats such as unauthorized account charges or account takeover. This research evaluates the effectiveness of different password storage techniques: bcrypt hashing, SHA-256 hashing, SHA-256 with a salt, and SHA-256 chained with MD5. Following the National Institute of Standards and Technology (NIST) guidelines on password strength, both a weak and a strong password are passed through each technique, and reversal of each result is attempted using rainbow tables and dictionary attacks. The results show that pairing a strong password that has not been exposed in a data breach with the bcrypt hashing algorithm gives the most robust password security. SHA-256 hashing with a salt gives a very similar level of security against the attacks tested while maintaining better performance: the salt defeats precomputed tables, although it does not add bcrypt's per-guess cost against a dictionary attack aimed at a single record. While plain SHA-256 hashing and chaining multiple hash algorithms together are just as hard to invert in principle, in practice they are easily susceptible to simple precomputation attacks and should not be used in a production environment. Requiring strong passwords that have not been exposed in previous data breaches was also found to greatly increase security.
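The comparison the abstract describes, reduced to a runnable example. This code is added here and is not the paper's own test harness: the four storage schemes are implemented with the Python standard library, so PBKDF2-HMAC-SHA256 (hashlib.pbkdf2_hmac) stands in for bcrypt as the salted, tunable-cost hash, the WORDLIST is a constructed six-entry stand-in for the leaked-password dictionary, and the precomputed digest-to-plaintext map plays the role of a rainbow table (a rainbow table is a space-compressed form of that map). The weak and strong passwords are assumed values; the strong one is simply absent from the wordlist, which is what "not exposed in a data breach" means to the attacker.

```python
import hashlib
import hmac
import os
import time

# Constructed stand-in for the leaked-password wordlist the study uses as its
# dictionary; a real run would load a file such as weakpass_2a.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "Summer2021!"]


def sha256_plain(password: str) -> str:
    """Unsalted SHA-256: fast and deterministic, so one table cracks every record."""
    return hashlib.sha256(password.encode()).hexdigest()


def sha256_md5_chain(password: str) -> str:
    """SHA-256 over the hex MD5 digest. Two hashes, still unsalted and deterministic."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.sha256(inner.encode()).hexdigest()


def sha256_salted(password: str, salt: bytes) -> str:
    """SHA-256 over salt || password; the salt is stored next to the digest."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_salted(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Stand-in for bcrypt (assumption: PBKDF2-HMAC-SHA256 from the standard library).
    Like bcrypt it is salted and has a tunable work factor, so every guess is slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def precompute(hash_fn, words):
    """Attacker precomputation: digest -> plaintext for every dictionary word.
    A rainbow table is a space-compressed form of exactly this map."""
    return {hash_fn(w): w for w in words}


def crack_with_table(table, digest):
    """Offline lookup: one dictionary read per record, no hashing at attack time."""
    return table.get(digest)


def crack_online(hash_fn, digest, words):
    """Per-record dictionary attack: every candidate is rehashed for this record."""
    for w in words:
        if hmac.compare_digest(hash_fn(w), digest):
            return w
    return None


def guesses_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Rough attacker throughput for one scheme on this machine."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(WORDLIST[n % len(WORDLIST)])
        n += 1
    return n / seconds


def run_comparison(weak: str = "password", strong: str = "T9#vq!Lm2xRz8pW") -> dict:
    """Per scheme, what the attacker recovers for the weak and the strong password."""
    salt = os.urandom(16)
    results = {}

    # Unsalted schemes: a single table built once is reused against every record;
    # chaining MD5 into SHA-256 merely changes which table the attacker builds.
    for name, fn in (("sha256", sha256_plain), ("sha256_md5_chain", sha256_md5_chain)):
        table = precompute(fn, WORDLIST)
        results[name] = (crack_with_table(table, fn(weak)),
                         crack_with_table(table, fn(strong)))

    # Salted SHA-256: the precomputed (unsalted) table misses, because the salt
    # changes the digest ...
    unsalted_table = precompute(sha256_plain, WORDLIST)
    results["sha256_salted_table"] = crack_with_table(unsalted_table, sha256_salted(weak, salt))

    # ... but with the stored salt the attacker can still run the dictionary
    # against this one record, so a weak password falls; only the strong,
    # never-breached password survives.
    def salted(w):
        return sha256_salted(w, salt)

    results["sha256_salted_online"] = (crack_online(salted, salted(weak), WORDLIST),
                                       crack_online(salted, salted(strong), WORDLIST))

    # Slow salted hash: the same online attack gives the same answers, but each
    # guess now costs the work factor, which is what bcrypt buys over salted SHA-256.
    def slow(w):
        return slow_salted(w, salt)

    results["slow_salted_online"] = (crack_online(slow, slow(weak), WORDLIST),
                                     crack_online(slow, slow(strong), WORDLIST))
    results["cost_ratio"] = guesses_per_second(sha256_plain) / guesses_per_second(slow)
    return results


if __name__ == "__main__":
    for scheme, outcome in run_comparison().items():
        print(f"{scheme:24s} {outcome}")
```

The "cost_ratio" entry is the number of plain SHA-256 guesses an attacker gets for each slow-hash guess on the same machine; it is the performance difference the abstract refers to, seen from the attacker's side. A real bcrypt deployment replaces slow_salted with the bcrypt library and stores its self-describing hash string, but the attack picture is the same: the salt removes precomputation, the work factor makes each remaining guess expensive, and neither helps a password that is already in the attacker's dictionary.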

References or Bibliography

Arias, D. & Auth0. (2019, September 30). Hashing Passwords: One-Way Road to Security. Auth0 - Blog. https://auth0.com/blog/hashing-passwords-one-way-road-to-security/

BlueCode Hash Finder (9.3). (2020). [Computer software]. BlueCode Team. https://bluecode.info/

Bonneau, J., Herley, C., Oorschot, P. C. V., & Stajano, F. (2012). The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. 2012 IEEE Symposium on Security and Privacy. https://doi.org/10.1109/sp.2012.44

Cloudflare, Inc. (n.d.). What is encryption? Cloudflare. Retrieved May 15, 2021, from https://www.cloudflare.com/learning/ssl/what-is-encryption/

CrackStation. (2019, June 5). Secure Salted Password Hashing - How to do it Properly. https://crackstation.net/hashing-security.htm

Grassi, P. A., Fenton, J. L., Newton, E. M., Perlner, R. A., Regenscheid, A. R., Burr, W. E., Richer, J. P., Lefkovitz, N. B., Danker, J. M., Choong, Y. Y., Greene, K. K., & Theofanos, M. F. (2017). Digital identity guidelines: authentication and lifecycle management (NIST Special Publication 800-63B). https://doi.org/10.6028/nist.sp.800-63b

Guide to Cryptography - OWASP. (2018, June 13). In Open Web Application Security Project. https://wiki.owasp.org/index.php/Guide_to_Cryptography

N-able. (2021, April 1). SHA-256 Algorithm Overview. https://www.n-able.com/blog/sha-256-encryption

Patra, R. (n.d.). BreachDirectory - Check If Your Email or Username was Compromised. BreachDirectory - PASSCHECK. Retrieved May 29, 2021, from https://breachdirectory.tk/passwords

Python Software Foundation. (2021, May 24). Welcome to Python.org. Python.Org. https://www.python.org/

Selinger, P. (2006, February). MD5 Collision Demo. Dalhousie University. https://www.mscs.dal.ca/~selinger/md5collision/

weakpass_2a. (2017). Weakpass. https://weakpass.com/wordlist/1919

Wiedenbeck, S., Waters, J., Birget, J. C., Brodskiy, A., & Memon, N. (2005). Authentication using graphical passwords. Proceedings of the 2005 Symposium on Usable Privacy and Security (SOUPS '05). https://doi.org/10.1145/1073001.1073002

Published

10-10-2021

How to Cite

Patra, R., & Patra, S. (2021). Cryptography: A Quantitative Analysis of the Effectiveness of Various Password Storage Techniques. Journal of Student Research, 10(3). https://doi.org/10.47611/jsrhs.v10i3.1764

Section

HS Research Projects