

How are passwords stored in databases?

 March 10, 2021, 08:25 PM

 6 min read

security
password
hashing
encryption
databases
hackers

In the contemporary world, electronic systems connected to the internet make up a major portion of our everyday lives. In the wake of the COVID-19 pandemic, this could not be more accurate. Because of the very nature of the internet, such systems are exposed to the public, and potentially to users with malicious intent. How do we protect ourselves? With passwords, of course! But how exactly are passwords stored?

Well, there are many ways passwords can be stored. In the earlier days, passwords were simply stored in plain text in a database. Obviously, this is the worst possible way to store a password: once the database is hacked, or there is a leak, every user is immediately compromised. So some layers of security are needed.


Layers of security

  • Encryption
    Running the plain text through a reversible encryption function and storing the result is one way of securing a password. However, if an attacker can use the system and register an account with a password of their choosing, then after breaking into the database they will hold their own password(s) in both plain text and encrypted form. The attacker can create multiple accounts and collect multiple plaintext/ciphertext pairs. They can then use the data they collected to work out the key for the encryption function, or even how the encryption works, either by brute forcing the key or by running intricate algorithms, such as those of Machine Learning, on the data set they obtained. Even though this sounds like a lot of work, with today's computers it can be done in mere minutes.

  • Simple hashing
    A very easy way of reasonably securing passwords for a mid-term project is to use hash functions. I have actually created my own hash function in python which you can view here. In essence, a hash function is a mathematical algorithm that maps data of an arbitrary size to a bit array of a fixed size. It is a one-way function, that is, a function for which it is practically infeasible to invert or reverse the computation. The only way to "reverse" a hash is to use brute force. However, there is a caveat with using just a hash function (like MD5, SHA1, SHA128, etc.). The majority of users will use simple passwords like 123456, apple, password, etc. So attackers have already built dictionaries of commonly used passwords together with their hashes under the common hash functions. One more thing to consider is that most users will have their birth date and/or age in their passwords, so attackers can combine personal information with the commonly used passwords to build a list of candidate passwords and brute force them. In 2012, there was a breach of LinkedIn's databases and the hashes were leaked. It took 3 days for the attackers to "reverse" almost 90% of the users' hashes.


Enhancing hash functions

  • Pepper/Secret salt hashes
    In order to tackle the issue of commonly used passwords, a pepper (also called a secret salt) can be used. Basically, a secret sequence of bytes is added to every password in the database before it is hashed. So even if users have weak passwords, the pepper appended to the password strengthens them. The randomly generated pepper is not stored with the password but is kept on a separate medium, such as a Hardware Security Module.

  • Salt hashes
    A randomly generated value, like 9^5gx9]Jan6]n4Q$Eo4k}Rp:BDy9nCc&, which is called a salt, is added to the password before hashing. For every user this salt is unique, and it is usually stored alongside the hash. So even if some users choose common passwords, or even identical passwords, their hashes in the database will be unique. This is an industry standard and a requirement for achieving even a basic level of security.

  • Hash iterations
    Increasing the number of times a password is hashed is also a standard method of securing passwords. Even if you raise the number of iterations to about 100000, a legitimate login only takes a few milliseconds longer. But for an attacker who is using brute force, these milliseconds add up to years or even millennia.


Combining all the methods

With all these methods in place, a very complex and secure password storage scheme can be developed by using all 5 of them together.

  • Layer 1: Encrypt the password.

  • Layer 2: Add the pepper from the secret, separate module.

  • Layer 3: Add a randomly generated salt.

  • Layer 4: Run it through a complex hash function like SHA512.

  • Layer 5: Keep running the output through the hash function for a set number of times.

And voila, breakfast is served.
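The following is an added example, not code from the original post, showing Layers 2 to 5 of the recipe above (pepper, per-user salt, SHA-512, iterations) in Python's standard library, and also illustrating the salt section's point that identical passwords yield identical plain hashes but distinct salted ones. The iteration layer uses PBKDF2-HMAC-SHA512, the standardised form of "hash the output again and again"; the pepper value and record format are constructed assumptions, and Layer 1 (encryption) is left out because the standard library ships no cipher.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed placeholder. In a real deployment the pepper lives in an
# HSM or secrets store, never in the same database as the hashes.
PEPPER = b"example-pepper-replace-me"
ITERATIONS = 100_000  # raise over time as hardware gets faster


def unsalted_hash(password: str) -> str:
    """Plain SHA-512 (the 'simple hashing' layer): same input, same output."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def hash_password(password: str, pepper: bytes = PEPPER,
                  salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record 'pbkdf2-sha512$iterations$salt$hash'."""
    if salt is None:
        salt = os.urandom(16)                      # Layer 3: unique per user
    peppered = pepper + password.encode("utf-8")   # Layer 2: secret pepper
    # Layers 4 and 5: SHA-512, iterated `iterations` times over salt+input.
    digest = hashlib.pbkdf2_hmac("sha512", peppered, salt, iterations)
    return f"pbkdf2-sha512${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    """Recompute the hash from the stored salt/iterations and compare."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2-sha512":
        return False
    salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    digest = hashlib.pbkdf2_hmac("sha512", pepper + password.encode("utf-8"),
                                 salt, int(iters))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Two users picking the same weak password ("123456"): plain hashes
    # collide, salted records do not.
    print(unsalted_hash("123456") == unsalted_hash("123456"))   # True
    alice, bob = hash_password("123456"), hash_password("123456")
    print(alice == bob)                                          # False
    print(verify_password("123456", alice), verify_password("wrong", alice))
```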


To conclude, the currently most popular and secure way of storing passwords by industry standards is to use a combination of encryption, hashing, salts, a pepper, and iterations. However, with the rise of quantum computers on the horizon, there might be a need to re-invent the wheel in the distant future.



Mohammad Arafat Zaman

"Technophile"


Mohammad Arafat Zaman © 2024


All rights reserved