2.4 Password Security − Authentification usings Passwords

This video belongs to the openHPI course Digital Identities. Do you want to see more?

2.4 Password Security − Authentification usings Passwords

Time effort: approx. 20 minutes

An error occurred while loading the video player, or it takes a long time to initialize. You can try clearing your browser cache. Please try again later and contact the helpdesk if the problem persists.

Scroll to current position

00:00Now we want to have a closer look to password security
00:03and authentication by means of passwords in our openHPI course about digital identities.
00:12We already discussed this. This is a very popular method
00:16to bind a digital identity to a user by means of a password authentication.
00:25And the idea is simple. The user proves that the
00:31digital identity belongs to him
00:34by means of inputting, entering the correct password.
00:39This is an authentication by knowledge. The password needs to hold a secret
00:44and in this way the service provider trusts that it is a real user
00:50that belongs to that digital identity because he knows the correct password.
00:56So the online service interface of authentication checks the correctness
01:01of the password by comparing it with the information
01:05that was collected during the registration
01:08when the digital identity of the user was established and
01:13the service can check this simply by checking
01:18his data, user database and comparing the password which was typed in
01:25with the password that was stored.
01:27And if those match then the user is given access to the service,
01:32the user can use the resources of the service
01:35and all the authentication relates to the digital identity which
01:42is secured by that password.
01:45Passwords are stored in user databases, should never be stored in plaintext.
01:52We already discussed this, they should be stored in a distinguished form
01:58so that neither the employees of the service nor other
02:03persons that get access to the customer database can understand the password.
02:08So a cryptographic hash function
02:12that is applied to the password and the hash value of this password that is what
02:18typically is stored in the database of the service. So if we
02:23look on this authentication process which is based on passwords,
02:28here we have our customer who wants to use the service and
02:36enters the password. Then the password is sent in plaintext to
02:42the server, to the service provider.
02:45The website sends the password together with the user name
02:49to the online service
02:53or the identity provider of the online service and then the service compares
03:00the data with what is stored in his database.
03:04In his database typically it is stored, password is stored in a hashed form.
03:10So here the input password also is hashed and then the two hash values
03:17are compared.
03:19What is here vulnerability?
03:24Vulnerability, of course is
03:27to give in the password which is available in plaintext.
03:33When the provider would store a password
03:36in plaintext, not in a hashed form as it
03:42should be done in the user database,
03:46then the people that have access to the database
03:53illegally as attackers or legally as a service provider, can see
03:59the password and in that way it's easy to use the digital identity.
04:06So if cybercriminals succeed in accessing the IT system of
04:11the online service via the internet, if they succeed in being able to download
04:17the user database with all the passwords and if the passwords are
04:23stored in plaintext then the attacker has access to all the passwords
04:30in plaintext.
04:32Even if the attacker only gets this database with the hashed passwords,
04:39then it is very dangerous for the users of the services.
04:44Because the attacker
04:46can, we will discuss this later, they can access
04:50via the passwords to the online service
04:54via the stolen passwords to the online service and can misuse the digital identities.
05:00So the attacker can try to use the same or slightly modified
05:05user name password combinations also with other services. With other service
05:10the database was not stolen and why it's successful? Yeah,
05:15because many people use different services
05:19with the same password or only with a slightly modified password.
05:25So user usually know nothing
05:29about the theft of the identity data So they trust that all works fine,
05:35but in reality if an attacker succeed in stealing the password
05:41database, the customer database from one service,
05:45it is highly probable that the attacker is also able
05:49to get access via this digital identity to other services.
05:55So here are the question how
06:01passwords can be stored in a secure way.
06:04I already started to discuss about hash value. So the
06:10professional way to store a password outside of the service provider
06:16is to store it in a cryptographic encrypted form.
06:21And what is the cryptographic methods that are needed, that are applied
06:27to encrypt passwords are hash methods.
06:32So the hashing that's a kind of concealment.
06:36And as a hash function, the hash method transforms the password
06:42in a string that looks very curious and gives no possibility to
06:49get information about the password and this hash value typically
06:54is a string of a fixed length.
06:58But our experience with the HPI Identity Leak Checker, I already
07:03introduced this where we help people to find out whether their digital identities
07:09are published, are stolen and openly published in the internet,
07:16we find that one third of the twelve billion identity data sets
07:23we have collected, one third of them, about four billion,
07:28password is in plaintext.
07:31It's not in the hash value, it's in plaintext.
07:35The two third hash methods are applied which are
07:39outdated and only one third of the passwords are stored
07:45are hashed in a correct way and stored in a correct way.
07:49So this is really a disaster and
07:55for that reason, it's so important that you check from time to time
08:00whether your identity is stolen and published
08:06because sometimes the password is, in this
08:11digital identity, the password is accessible in plaintext.
08:19To speak about the hashing,
08:22let's have a closer look at how it works.
08:26So the idea is to hide the mean of a password.
08:32So to only make it a string of
08:36symbols which looks random. And this is what the cryptographic
08:41hash functions are doing. A hash function transforms
08:46a password into a ciphertext
08:51into a hash value of a fixed length. So for example here
08:55the password u/3a and so on
08:59is hashed by the hash function with the name MD5, it's
09:04a special hash function, in that form in that string and you see
09:10from that string you cannot get any information about the password itself.
09:18The hash functions are designed, the cryptographic hash function are designed
09:23exactly for that purpose. They are designed in such a way that it's practically
09:30impossible, it is possible but it needs centuries
09:35to compute it, so that it's practically impossible to recover the original password
09:42out from the hash value.
09:45Mathematically we speak about one-way functions. The one way
09:48it's easy from the plaintext to the hash functions the computation is easy,
09:53but from the hash function it's not possible to
09:57conclude on the password.
10:01The commonly used hash functions for password hash
10:04are MD5 and SHA1, but both are meanwhile considered unsecure
10:11because they are reversible with the computational power of the reason computers.
10:17So what years ago needed centuries, nowadays with the modern computer
10:22can be done in minutes.
10:26The hashing methods which are
10:29more secure and should be applied is SHA2, SHA3 and bcrypt.
10:39Let's look how the validation process works with such a hashed
10:45password. So, user wants to use a service and enters his or her
10:53password. Then the password is received from the database, here
10:59is a user and the database. So the user gets access to this hash value
11:06of the password. So what now is done on the side of
11:11the service that the received clear text password
11:16is hashed, in this case, is short hashed with the MD5 hash
11:21function into that string
11:24and then the service provider can check whether John123 really
11:32is the right username for the password and now here
11:39the service has a hash value and compares the hash value with
11:43the hash value that was stored
11:46of the password and if they are equal then
11:51login is successful otherwise login failed.
11:56This is the procedure. The password is sent in clear text and on the service side, it is
12:02computed, the hash value of the password is computed and
12:05then in the user database it is checked whether the combination username and
12:12hash value of the password
12:14belong to each other and if yes then login the binding
12:22of the digital identity to the user is finished, positively
12:26finished otherwise it's confused.
12:30There is one remark and one problem we want to
12:35show how service providers deal with that
12:39password that it's hiding by hashing has some weak
12:46spots. For example we have two users
12:49and in large services that is very likely we have two users
12:56which have the same password.
12:59And when they use the same passwords then of course the hash value
13:03of the same password
13:06is the same. So we have two different users with
13:10the same password in the same password hash.
13:14So the computation of the hash value will not help to distinguish
13:19between these two users. So for example this can happen
13:23for users with the same passwords or when they have the same name or others
13:30that they have the same hash value stored in the database.
13:36So when an attacker knows from one user's password
13:41then he knows also the password of all users
13:47which are using the same password which have the same hash value.
13:53So if an attacker
13:56succeeds in stealing user database
14:03and he finds out many users with the same hash value
14:08and he gets knowledge from one of the user's plaintext password,
14:15then the attacker can immediately
14:19misuse all the other digital identities that are using the same password.
14:27So the hash for example can be guessed
14:32by hashing our words in a dictionary, so, because many users use
14:38simple words and when the attacker computes a hash value, he can
14:43detect agreement between the computation results and
14:49what is stored in the database and then he knows the password.
14:58So to make this, to prevent such a situation,
15:04there is the idea to use hash functions and to compute hash functions
15:10by means of Salt, by means of additional information.
15:14So the same password is disguised differently every time
15:22is disguised every time
15:26by the following idea. Before the hash value of the password is calculated,
15:31the password is extended by a random string.
15:35The random string is called Salt.
15:38So the hash function, in our example the MD5 hash function,
15:42is not only applied to the password itself, but it's applied to the password
15:49that is extended by the Salt.
15:51And the Salt is a random string. So if another user with the same password comes
15:57then by the selection, by the random selection of the string,
16:02the password is in another way extended and has another hash value
16:08than the password for the first user.
16:12So then of course the
16:15service provider in its database has to remember the Salt.
16:21So we have our user A and B which are using the same passwor. This is possible
16:26in plaintext and then here in case of user A, the password is
16:35prolonged by these three
16:41characters and for the other one it's extended by this three
16:46password and in the result these two
16:49hash values differ.
16:52And it's no more easy for the attacker
16:58from knowing one password to being able to misuse all the digital
17:03identities that belong to users which use the same password.
17:09Let's summarize what we have discussed.
17:12The password authentication is
17:15an authentication through knowledge. Password is a secret and the user
17:21knows a secret and in this way the service provider trusts
17:25that this is the right person and
17:28which belongs to that digital identity.
17:32So when the correct password is entered the user proves
17:36that a digital identity belongs to him. So online service
17:40does not store the password
17:44in a right, in the plaintext but it stores it in a hashed value.
17:51And the online service uses the password, the password that it is first time
17:57stored when the user register with the service
18:02and when the user later want to use the service, the online service checks
18:07whether the user knows the password and for that reason the
18:12service has to store the password on his side.
18:17But the user service is
18:20advised not to store the password in plaintext.
18:23The service is advised to do this in a
18:27disguised form as a password hash,
18:31how we discussed it. And to increase the security,
18:36that only secure hash methods
18:41should be applied on one side and second the password should be
18:46extended by Salt, so that the
18:50password concealment also works for the same password.
18:57So in this way, authentication using passwords is very important
19:02and to understand this and in later
19:07videos we will see how users try to attack such password based
19:15digital identities.