PDC@UNL
Parallel Computing - Code Demonstration
In this activity, you will use parallel computing to speed up computations which would otherwise take a significant amount of time using traditional methods.
Passwords & Hashing
Secure systems typically require users to authenticate their identities using a password before granting access. However, it is best practice to not save the actual passwords within the system because that could allow some users to see everyone else's passwords. To avoid this problem, hashes of passwords are stored instead.
A hash is a mapping from the set of all possible passwords to fixed-length values, which are represented as hexadecimal (base 16) strings. There are many different cryptographic hash functions used for this purpose. For example, SHA-256 maps the password "password1234" to the following hexadecimal string value:
"0xb9c950640e1b3740e98acb93e669c65766f6670dd1609ba91ff41052ba48c6f3"
This hash value is stored instead of the actual password. When users attempt to log in with their passwords, the system rehashes those inputs to generate a hexadecimal string, which is then compared to the stored hash. If the rehashed value from the user matches the stored value, access is granted.
This process is more complicated in practice, but we will use this basic understanding to show how you could break password hashing schemes.
Breaking Passwords
Hackers often break into systems by stealing lists of hashed passwords and then attempting to "break" them by determining which passwords map to those hash values. Mathematically, these types of hashing schemes make it impossible for you to "work backwards."
Given the hash value:
"0xb9a172c2c7028ca0d299cb77ac5e727cf0c28bcf0ab42bb93f45b73c22a06d9a"
you would never be able to find the correct password which maps to this hash because there could be multiple passwords which map to it! However, you can make guesses until you find one that matches.
For example, users tend to use passwords which are common words or sequences of characters like "secret" or "qwerty". These types of passwords are bad choices because they are vulnerable to dictionary attacks. A dictionary attack involves using a common English dictionary or a list of known popular passwords as your starting guesses. You then hash every entry in your dictionary and check whether it matches the given hash. If you find a match, then you know the original password!
One approach for defeating this "easy" attack is to require users to create passwords which contain at least one of each of the following: an uppercase letter, a lowercase letter, a number, and a special symbol. This doesn't prevent anyone from trying to "brute force" every possibility, but it makes it more difficult than if you only had to guess common words.
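The dictionary check described above can be run by a system's own administrators to find accounts with weak passwords. The following is an added example, not code from this activity's C or Java demonstrations; the function names, the wordlist and the stored-hash table are constructed for illustration.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor

def sha256_hex(password):
    """SHA-256 of a password, written as the page writes it: "0x" + hex digits."""
    return "0x" + hashlib.sha256(password.encode("utf-8")).hexdigest()

def search_chunk(chunk, targets):
    """Hash every guess in one chunk; return {hash: guess} for guesses that match."""
    hits = {}
    for guess in chunk:
        digest = sha256_hex(guess)
        if digest in targets:
            hits[digest] = guess
    return hits

def audit(stored, wordlist, workers=4):
    """Return {user: guessed password} for accounts whose hash is in the wordlist."""
    targets = set(stored.values())
    # Each guess is independent, so the list splits cleanly into one chunk per worker.
    chunks = [wordlist[i::workers] for i in range(workers)]
    found = {}
    # The thread pool only illustrates the split: CPython threads do not speed up
    # hashing of short strings.
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for hits in pool.map(lambda c: search_chunk(c, targets), chunks):
            found.update(hits)
    return {user: found[h] for user, h in stored.items() if h in found}

# Constructed sample data: a small wordlist and a stored-hash table.
WORDLIST = ["123456", "secret", "letmein", "qwerty", "password1234", "dragon"]
STORED = {
    "alice": sha256_hex("qwerty"),
    "bob": sha256_hex("T7#vq!Zr0pLx"),   # not in the wordlist
    "carol": sha256_hex("password1234"),
    "dave": sha256_hex("qwerty"),        # same weak password as alice
}

if __name__ == "__main__":
    for user, guess in sorted(audit(STORED, WORDLIST).items()):
        print(f"{user}: weak password found in wordlist ({guess!r})")
```

Because identical passwords produce identical hashes here, one pass over the wordlist flags every account that shares a weak password.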
Demonstration & Exercises
We have provided two demonstrations with the same exercises but using two different languages. Choose either C or Java or do both!
C Version Java Version