Evolution and State of the Art in Password Storage

Year 2023, Volume: 4 Issue: 3, 37 - 44, 27.12.2023

Tuğberk Kocatekin

https://doi.org/10.53608/estudambilisim.1318760

Abstract

Passwords have historically been pivotal for access control and authentication, yet their security remains a recurring concern in today’s digital world. As evidenced by high-profile data breaches, secure password storage has always been paramount, but often not achieved. While users grapple with the creation of strong, memorable passwords, the burden also falls on service providers to store these passwords securely. Even though alternative authentication mechanisms have emerged, password-based authentication remains pervasive. Surprisingly, studies highlight that developers frequently exhibit misconceptions or negligence towards password storage security. This paper traces the progression of password storage methods by explaining four password hashing methods. By informing of four modern password storage systems, this work seeks to bridge the knowledge gap, advocating for better practices and illuminating the significance of prioritizing security alongside functionality.

Keywords

hashing, salting, passwords, key derivation functions

Parola Saklama Tekniklerinin Evrimi ve Güncel En İyi Uygulamaları

Abstract

Parolalar tarihsel olarak erişim kontrolü ve kimlik doğrulama için kilit bir öneme sahip olmuşlarsa da, güvenlikleri bugünün dijital dünyasında tekrar eden bir endişe olarak kalmaktadır. Yüksek profilli veri ihlalleri ve güvenlik açıklarıyla kanıtlandığı gibi, güvenli parola saklama her zaman en üst düzeyde önemli olmasına rağmen, genellikle başarılı olunamamıştır. Kullanıcılar güçlü ve akılda kalıcı parolalar oluşturma konusunda uğraşırken, parolaların güvenli bir şekilde saklama sorumluluğu da hizmet sağlayıcılara düşmektedir. Alternatif kimlik doğrulama mekanizmaları ortaya çıkmış olmasına rağmen, parola tabanlı kimlik doğrulama yaygın olarak kullanılmaya devam etmektedir. Araştırmalar, yazılım geliştiricilerin parola saklama güvenliği konusunda yanılgılara ya da ihmalkarlığa düştüğünü göstermektedir. Bu makale, Crypt ile başlayıp Parola Özetleme Yarışması’nın kazananı Argon2d’de son bulan parola saklama yöntemlerinin ilerleyişini izlemektedir. Dört adet modern parola saklama sistemleri hakkında bilgi vererek bu bilgi boşluğunu kapatmayı, daha iyi uygulamalar için savunma yapmayı ve güvenliği işlevsellikle birlikte önceliklendirme önemini aydınlatmaya çalışmaktadır.

Keywords

özetleme, tuzlama, anahtar türetme fonksiyonları, şifreler

References

• Morris, R., Thompson, K. 1979. Password Security: A Case History, Communications of the ACM, 22( 11), 594-597.
• Goode, S., Hoehle, H., Venkatesh, V., Brown, SA. 2017. User Compensation as a Data Breach Recovery Action, MIS Quarterly, 41, 703–A16.
• Gibson, B., Townes, S., Lewis, D., Bhunia, S. 2021. Vulnerability in Massive Api Scraping: 2021 linkedin data breach, 2021 International Conference on Computational Science and Computational Intelligence (CSCI).
• webteknohaber. 2021. Yemeksepeti Hacklendi: Kullanıcıların Hesap Bilgileri Ele Geçirildi, 27 Mart 2021. Available: https://www.webtekno.com/yemeksepeti-kullanici-veri-tabani-siber-saldiri-h108027.html.
• Hachman, M. 2011. PlayStation Hack to Cost Sony $171M; Quake Costs Far Higher, 23 May 2011. [Çevrimiçi]. Available: https://news.yahoo.com/playstation-hack-cost-sony-171m-quake-costs-far-163824525.html?guccounter=1.
• Sherr, I., Wingfield, N. 2011. Play by Play: Sony's Struggles on Breach, 7 May 2011. [Çevrimiçi]. Available: https://www.wsj.com/articles/SB10001424052748704810504576307322759299038.
• Hatzivasilis, G. 2020. Password Management: How Secure Is Your Login Process?, International Workshop on Model-Driven Simulation and Training Environments for Cybersecurity.
• Yang, X.-L., Lo, D., Xia, X., Wan, Z.-Y., Sun, J.-L. 2016. What Security Questions Do Developers Ask? A Large-Scale Study of Stack Overflow Posts, Journal of Computer Science and Technology, 31, 910–924.
• Hallett, J. , Patnaik, N., Shreeve, B., Rashid, A. 2021. “Do this! Do that!, And Nothing Will Happen” Do Specifications Lead to Securely Stored Passwords?, 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE).
• Van Der Linden, D., Anthonysamy, P., Nuseibeh, B., Tun, T. T., Petre, M., Levine, M., Towse, J., Rashid, A. 2020. Schrödinger's Security: Opening the Box on App Developers' Security Rationale, Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering, 2020.
• Naiakshina, A., Danilova, A., Tiefenau, C. , Herzog, M., Dechand, M., Smith, M. 2017. Why do Developers Get Password Storage Wrong? A Qualitative Usability Study, Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, 2017.
• Naiakshina, A., Danilova, A., Gerlitz, E., Von Zezschwitz, E., Smith, M. 2019. If You Want, I Can Store The Encrypted Password a Password-Storage Field Study with Freelance Developers, Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, 2019.
• Christoforos Ntantogian, S. M. C. X. 2019. Evaluation of Password Hashing Schemes in Open Source Web Platforms, Computers & Security, 206-24.
• Raza, M., Iqbal, M., Sharif, M., Haider, W. 2012. A survey Of Password Attacks and Comparative Analysis on Methods for Secure Authentication, World Applied Sciences Journal ,19(4), 439-444.
• Kyaw, A. K., Sioquim, F., Joseph, J. 2015. Dictionary attack on Wordpress: Security and Forensic Analysis, 2015 Second International Conference on Information Security and Cyber Forensics (InfoSec), Cape Town, 2015.
• Bošnjak, L., Sreš, J., Brumen, B. 2018. Brute-force and Dictionary Attack On Hashed Real-World Passwords, 2018 41st İnternational Convention on Information and Communication Technology, Electronics And Microelectronics (Mipro), Opatija, 2018.
• Zviran, M., Haga, W. J. 1999. Password Security: an Empirical Study, Journal of Management Information Systems, 15(4), 161-185.
• Matt Weir, S. A. B. d. M. B. G. 2009. Password Cracking Using Probabilistic Context-Free Grammars, 30th IEEE Symposium on Security and Privacy, 2009.
• Arvin Narayanan, V. S. 2005. Fast Dictionary Attacks on Passwords Using TimeSpace Tradeoff, Proceedings of the 12th ACM Conference on Computer and Communications Security, Virginia, 2005.
• Marechal, S. 2012. Automatic Mangling Rules Generation, December 2012. [Çevrimiçi]. Available: https://www.openwall.com/presentations/Passwords12-Mangling-Rules-Generation/Passwords12-Mangling-Rules-Generation.pdf. [Erişildi: 25 09 2023].
• Briland, H., Paolo, G., Giuseppe, A., Fernando, P.-C.2017. PassGAN: A Deep Learning Approach for Password Guessing, CoRR, 2017.
• Josef Horálek, F. H. O. H. L. P. V. S. 2017. Analysis of the Use of Rainbow Tables to Break Hash, Journal of Intelligent & Fuzzy Systems, 1523-1534.
• Katz, J., Lindell, Y. 2020. Introduction to Modern Cryptography, CRC press, 2020.
• Merkle, R. C. 1987. A Digital Signature Based on a Conventional Encryption Function, Conference on the theory and application of cryptographic techniques.
• Krawczyk, H., Bellare, M., Canetti, R. 1997. HMAC: Keyed-hashing for Message Authentication.
• Oostveen, J., Kalker, T., Haitsma, J. 2002. Feature Extraction and A Database Strategy for Video Fingerprinting, Recent Advances in Visual Information Systems: 5th International Conference, VISUAL 2002 Hsin Chu, Taiwan, March 11–13, 2002 Proceedings 5, 2002.
• Hatzivasilis, G., Papaefstathiou, I., Manifavas, C. 2015. Password Hashing Competition-Survey and Benchmark, Cryptology ePrint Archive.
• Forler, C., Lucks, S., Wenzel, J. 2013. Catena: A Memory-Consuming Password-Scrambling Framework, Cryptology ePrint Archive.
• Kelsey, J., Schneier, B., Hall, C., Wagner, D. 1997. Secure Applications of Low-Entropy Keys, International Workshop on Information Security.
• Abadi, M., Lomas, T. M., Needham, R. 1997. Strengthening passwords, Digital Equipment Corporation Systems Research Center [SRC].
• Ertaul, L., Kaur, M., Gudise, V. A. K. R. 2016. Implementation and Performance Analysis of Pbkdf2, Bcrypt, Scrypt Algorithms, Proceedings of the international conference on wireless networks (ICWN).
• Percival, C., Josefsson, S. 2016. The Scrypt Password-Based Key Derivation Function.
• Biryukov, A., Dinu, D., Khovratovich, D. 2015. Argon 2 : The Memory-Hard Function For Password Hashing and Other Applications.
• Percival, C. 2009. Stronger Key Derivation Via Sequential Memory-Hard Functions, BSDCan.
• Wilkes, M.V. 1968. Time-Sharing Computer Systems. MacDonald Computer Monographs, American Elsevier Publishing Company.
• Alwen, J., Chen, B., Pietrzak, K., Reyzin, L., Tessaro, S. 2017. Scrypt is Maximally Memory-Hard, Annual International Conference on the Theory and Applications of Cryptographic Techniques.
• Mishra, J. K., Janarthanan, M. 2022. GPU-based Security Of Password Hashing İn Cloud Computing, Materials Today: Proceedings, 60, 939–944.
• Orman, H. 2013. Twelve Random Characters: Passwords İn The Era Of Massive Parallelism, IEEE Internet Computing, 17, 91–94.
• Kaliski, B. 2000. PKCS# 5: Password-based cryptography Specification version 2.0. Provos, N., Mazieres, D. 1999. A future-Adaptable Password Scheme., USENIX Annual Technical Conference, FREENIX Track.
• Grassi, P., Garcia, M., Fenton, J. 2020. Digital İdentity Guidelines.
• Boneh, D., Corrigan-Gibbs, H., Schechter, S. 2016. Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks, Advances in Cryptology–ASIACRYPT 2016: 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4-8, 2016, Proceedings, Part I 22.
• Kelsey, J., Chang, S.-j., Perlner, R. 2016. SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash, NIST special publication, 800, 185.
• Schneier, B. 1993. Description of a New Variable-Length Key, 64-Bit Block Cipher (Blowfish), International Workshop on Fast Software Encryption.
• Turan, M. S., Barker, E., Burr, W., Chen, L. 2010. Recommendation for Password-Based Key Derivation, NIST special publication, 800, 132.
• Smartphone forensics: cracking blackberry.
• Chen, J., Zhou, J., Pan, K., Lin, S., Zhao, C., Li, X. 2013. The Security of Key Derivation Functions in WINRAR., J. Comput., 8, 2262–2268.
• Visconti, A., Mosnáček, O., Brož, M., Matyáš, V. 2019. Examining PBKDF2 security margin—Case study of LUKS, Journal of Information Security and Applications, 46, 296–306.
• Blocki, J., Harsha, B., Zhou, S. 2018. On the economics Of Offline Password Cracking, 2018 IEEE Symposium on Security and Privacy (SP).
• Forler, C., Lucks, S., Wenzel, J. 2014. Memory-Demanding Password Scrambling, Advances in Cryptology – ASIACRYPT 2014, Berlin.
• Forler, C., List, E., Lucks, S., Wenzel, J. 2015. Overview of the Candidates for the Password Hashing Competition, Technology and Practice of Passwords, Cham.
• Polasek, V. 2019. Argon2 Security Margin for Disk Encryption Passwords.
• Biryukov, A., Dinu, D., Khovratovich, D. 2016. Argon2: New Generation Of Memory-Hard Functions For Password Hashing and Other Applications, 2016 IEEE European Symposium on Security and Privacy (EuroS&P).
• Duka, M. 2020. Elliptic-curve Cryptography (ECC) And Argon2 Algorıthm in Php Using Openssl and Sodium Libraries, Informatyka, Automatyka, Pomiary w Gospodarce i Ochronie Środowiska, 10, 91-94.
• Wetzels, J. 2016. Open Sesame: The Password Hashing Competition And Argon2.