Upload File

securing login credentials - salt tutorial

12
Creating A Secure Login www.prodigyview.com

Upload: prodigyview

Post on 06-May-2015

3.033 views

Category:

Technology


4 download

Report

Tags:

DESCRIPTION

Learn how to create secure logins by properly hashing passwords and using SALT.

TRANSCRIPT

Page 1: Securing Login Credentials - SALT Tutorial

Creating A Secure Login

www.prodigyview.com

http://www.prodigyview.com/
Page 2: Securing Login Credentials - SALT Tutorial

Storing A User’s Password

Standard issue for having access to a site is a user’s password with an association to a username or email address.

BAD PRACTICE !!!!

www.prodigyview.com

http://www.prodigyview.com/
Page 3: Securing Login Credentials - SALT Tutorial

Storing Passwords in Plain Text

On the previous slide, the password was in plain text. THIS IS VERY BAD PRACTICE!

1. If the database is hacked/stolen, users account will be at risk.

2. The user’s information could be at risk from members of the internal organization

Page 4: Securing Login Credentials - SALT Tutorial

MD5 HashingOne answer to solving the problem is MD5 hashing. Before the password is actually inserted in the database, hash it with md5.

Page 5: Securing Login Credentials - SALT Tutorial

Problem with MD5 Hash

MD5 hashing is great, except for one small problem. There is a dictionary list of md5 hashes. Just Google the hashed code and see for yourself.

www.prodigyview.com

http://www.prodigyview.com/
Page 6: Securing Login Credentials - SALT Tutorial

Dictionary List and Attacks

A dictionary list is a library of hashed values and their corresponding unhashed strings.

In other words, it’s a way of decoding md5 hashed passwords.

A dictionary list can be built using other hashing algorithms such as sha1().

How do we get around this?

www.prodigyview.com

http://www.prodigyview.com/
Page 7: Securing Login Credentials - SALT Tutorial

SALT!Salt is adding a string of text as part of the encryption process. This can prevent basic dictionary list from being formed.

Page 8: Securing Login Credentials - SALT Tutorial

Google the SALTed HashA Google search for the salted hash will give these results. This is what we want.

www.prodigyview.com

http://www.prodigyview.com/
Page 9: Securing Login Credentials - SALT Tutorial

A Small Problem with SALT

We are about to make things a little more complex. SALT is great because is HARD to make a dictionary list but NOT IMPOSSIBLE.

The way around this problem to find some way making a unique SALT for each user. Our next slide is one of many ways of making a unique SALT for extra security.

www.prodigyview.com

http://www.prodigyview.com/
Page 10: Securing Login Credentials - SALT Tutorial

Use Two IDsA user login’s with their email and password. For our salt to work, lets add in a third login field. Make each user have their own unique pin number that is required to login. The pin number will be the SALT.

Page 11: Securing Login Credentials - SALT Tutorial

PHP CryptPHP has a function design for securing a user’s password. It will use standard Unix DES algorithm but can be configured to use others. The function also supports SALT.

http://php.net/manual/en/function.crypt.php

http://php.net/manual/en/function.crypt.php
http://php.net/manual/en/function.crypt.php
http://php.net/manual/en/function.crypt.php
http://php.net/manual/en/function.crypt.php
Page 12: Securing Login Credentials - SALT Tutorial

www.prodigyview.com

More Tutorials

For more tutorials, please visit:

http://www.prodigyview.com/tutorials

http://www.prodigyview.com/
http://www.prodigyview.com/tutorials
http://www.prodigyview.com/tutorials
http://www.prodigyview.com/tutorials

Ohio EPA OnBase Training · Confidential - 2013 Hyland Software, Inc. 1 Ohio EPA OnBase Training Login Credentials: Username Password

How to submit a user Request:: Login suing domain … Manual.pdfHow to submit a user Request:: Login suing domain credentials:: ... THE TATA POWER COMPANY LIMITED ... Photon Make Cost

LEADS SUITE HELP GUIDE - Amazon Web Services...Your login credentials for the Leads app are the same as your credentials for the event website & event app. {+ Scan an attendee’s

I forgot my login credentials - tvsd.us › Downloads › oneview_login_credentials.pdf · I forgot my login credentials To recover your login ID or your password simply click on

docs.citrixvirtualclassroom.comdocs.citrixvirtualclassroom.com/.../SPOnsGateway.docx · Web viewHTTP and MySQL Web Server 192.168.10.210 Required Lab Credentials Below are the login

Employer Workflow: Enhanced Job Post. Linked Employers: Enter login credentials and click Login Unlinked Employers: Click Create an Account Access School-Specific

PA WITS Login/Prevention Forms/PA WITS Ba… · credentials and a new link will be emailed to you. Account Created Email • Locate User ID Reset Credentials Email ... screens, and

Provider Refresher August 2011. Send requests for login credentials and questions to: [email protected]

Securing your credentials… - Meetupfiles.meetup.com/19939022/Securing your credentials...PowerShell SQL (ODBC) LDAP v3 Web Services ( SOAP, JAVA, REST) Connect and sync on-premises

Registration & Login Manual...Canteen Stores Department - Registration Manual 4 Login credentials will remain invalid prior to approval like shown in Fig. 8. Fig. 8 Once the registration

· Web viewEnter your email and password credentials as shown below, and then click the green “Login” button

User Documentation for ImageNow 62. This will launch the WebNow login page: Login to WebNow using your Kerberos credentials, this is the same combination used for Techworks

Legal Implications of BYOD - ISACA Denver Chapter · Personal Devices • Personal ... • Jailbroken/modded devices ... • Unlocked/login credentials

SWAMY PUBLISHERS PRIVATE LIMITED€¦ · SWAMY PUBLISHERS PRIVATE LIMITED Renew Subscription. STEP- 1 : LOGIN Click here to Login. STEP- 2 : ENTER YOUR CREDENTIALS Enter the registered

Securing Organizational Credentials - Internet2 · 2019-03-27 · Securing Organizational Credentials: New and Pervasive Cyber -Threats. PRESENTER NAME: Kim Milford. Executive Director,

BHCC Self Service · Self Service Login New Web Page . Self Service Login Use BHCC assigned Username and Password Same Credentials used to sign into BHCC Email, Network Computers,

Parent Canvas Accountsbuckalew.conroeisd.net/.../Parent-Canvas-Documentation.pdfIOS App for Canvas Enter your login credentials (Parent Access credentials): 1, Enter email 2. Enter

WorkInTexas.com State Agency Desk Aid · Step 1: Valid WorkInTexas.com Login Credentials To login to WorkInTexas.com as an employer, you must have a username and password. With the

Login using your credentials After you login, Choose New Thesis from the main menu screen

credentials.€¦ · credentials. If you have not received your credentials email, please contact . [email protected] Immediately to get your login info. Simply Voting. 3

Voice Banking browser tutorial - Emirates NBD · Voice Banking browser tutorial. 1 Login to Amazon (US) Login to with your Amazon (US) account credentials. 2 Once device setup is

Gurpartap Singh - VanOUGvanoug.org/Oracle_Enterprise_Manager_Cloud_Control_12c.pdf · -Hit Continue -> select named credentials -> hit login and select schemas.-Hit Continue and Submit

Once employee clicks on Query Management System Hyperlink on the Essjay Web Portal Main page, he/she would be prompted for the login details. )Login credentials

Warranty Dealer Entitlement Review. Login using credentials your WSA provides

ccobz.gov.inccobz.gov.in/scan/PN-esanchit.pdfAnswer: Any registered ICEGATE user can upload documents using below steps. I. Login into ICEGATE website using login credentials. II

ProModel Customized Customized... · Rotational Forces AVIATION ASSAULT BN ... Master Aviation Plan ... provides the ability to define login credentials,

How to Login to TCS IONfmuniversity.nic.in/pdf/admit-card-instructions.pdfHow to Print Admit Card for Students Login to TCS system using your login credentials as shared by FMU with

Tradus Connect User Manual. Tradus Connect Login page Login with the Credentials shared in the email from Tradus

IRBManager INSTRUCTION MANUALtemporary password. Once non-GVSU users receive their initial IRBManager credentials, they can login via the “To use your IR Manager issued login, click

Decentralized Anonymous Credentials - eprint.iacr.org · Decentralized Anonymous Credentials Christina Garman, Matthew Green, ... play a large role in securing internet infrastructure,

Login to existing AICTE Portal with the credentials ...Navigate to Academic Credentials of Coordinator/ PI/ Applicant tab for RP Scheme. 1. lick on “New” button to add Record

Set Up Federated Login for LastPass Using Okta Table of ... · 1. On the LastPass Okta Login application details page, scroll down to the “Client Credentials” section. 2. Copy

Time and Leave Reporting€¦ · Web viewTime and Leave Reporting User Guide for Hourly & Student Employees June 2010 Table of Contents Introduction 3 Login Credentials 3 Login 3

EFT™ WEB ADMIN v3. - help.globalscape.com · EFT Web Admin will use these credentials to connect to the database. Only SQL server login is supported by the installer. Windows credentials

Taking a DevOps Approach to Securing Privileged ... · SESSION ID: #RSAC Jeffrey Kok. Taking a DevOps Approach to Securing Privileged Credentials in DevOps. Senior Director, Asia