The Math of Password Hashing Algorithms and Entropy
10 months ago
- #hashing-algorithms
- #password-security
- #cybersecurity
- Billions of credentials have been leaked or stolen, often including plain text or hashed passwords.
- One-way hashing algorithms like SHA2 convert passwords into fixed-size hashes, making it infeasible to recover the original password from the hash alone.
- Attackers use lookup tables (rainbow tables) to map hashes back to plain text passwords, making salts essential for security.
- Salts are random characters added to passwords before hashing, making precomputed lookup tables ineffective.
- Brute force attacks hash every candidate password until one matches the stored hash, and the computational time grows with the size of the password space being searched.
- Password entropy (complexity and length) significantly impacts the time required for brute force attacks.
- Advanced hashing algorithms like BCrypt, SCrypt, and PBKDF2 deliberately slow down hash computation, which raises the cost of every brute force guess and so increases security.
- The security debate centers on whether to enforce long passwords or rely on slow hashing algorithms to protect short passwords.
- FusionAuth uses PBKDF2 with 24,000 iterations as its default hashing scheme, balancing security and performance.
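The pieces summarized above (salted, iterated hashing and the entropy-driven brute-force cost) worked through in code. This is an added illustration, not code from the original post or from FusionAuth; it assumes PBKDF2-HMAC-SHA256 with a 16-byte random salt, and the 24,000-iteration count is the default quoted above.

```python
import hashlib
import math
import os
import secrets
from typing import Optional, Tuple

SALT_BYTES = 16          # assumed salt length for this example
ITERATIONS = 24_000      # PBKDF2 iteration count quoted on the page


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key) using PBKDF2-HMAC-SHA256.

    A fresh random salt is drawn when none is supplied, so the same password
    hashed twice yields two different stored values, which is what defeats
    precomputed rainbow tables.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, key


def verify_password(password: str, salt: bytes, expected: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt, iterations)
    return secrets.compare_digest(key, expected)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the keyspace is searched."""
    return (2 ** entropy_bits / 2) / guesses_per_second


if __name__ == "__main__":
    salt, key = hash_password("correct horse battery staple")   # constructed sample
    print("salt:", salt.hex(), "hash:", key.hex())
    print("verify:", verify_password("correct horse battery staple", salt, key))
    # Compare an 8-char lowercase password with a 16-char full-ASCII one at an
    # assumed rate of 1e9 guesses/s (no stretching) and 1e9/ITERATIONS (PBKDF2).
    for length, alphabet in ((8, 26), (16, 95)):
        bits = password_entropy_bits(length, alphabet)
        print(f"{length} chars / {alphabet} symbols: {bits:.1f} bits,",
              f"{expected_crack_seconds(bits, 1e9):.3g} s plain,",
              f"{expected_crack_seconds(bits, 1e9 / ITERATIONS):.3g} s with PBKDF2")
```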