CIAM Solutions - FAQ 2: What is better when it comes to passwords?

Dinali Rosemin Dabarera
3 min read · Jun 26, 2021

Hashing with a salt or asymmetric encryption? :)

One common request that comes to me from clients during BANT calls is “Can’t we encrypt the passwords of users in WSO2 Identity Server?” or “Is it possible to encrypt user passwords or challenge question answers?”

I always wondered why they were asking these questions. So I decided to write about this with the full facts and reasoning, so that you can decide what is best for your CIAM system.

What is the difference between Hashing and Encryption?

Hashing converts a string into a fixed-size value via a hashing algorithm, whereas encryption is a method of hiding information by converting it into a form that can only be read with the right key. Hashing is a one-way function and encryption is a two-way function.

Hence, hashing is better, because encryption always carries the risk of disclosing the plain-text password through the reverse process (decryption) if the key is obtained.

Let’s understand why hashing is better. For that, I am comparing the best of both approaches.

Asymmetric Encryption — Best of Encryption

Out of all the encryption mechanisms, asymmetric encryption is considered the most secure, as it uses two separate cryptographic keys, a public key and a private key, for encryption and decryption. But the use of two keys affects the performance of this two-way process.

Photo by Savvy Security on Web Security Solutions

As keys can be stolen or compromised, key rotation is a must in order to keep this encryption and decryption process secure.

In the practical world, encryption is used in TLS/SSL for secure communication. Selecting asymmetric encryption with frequent key rotation is a best practice followed in the software world to secure public-facing communication channels.

Hashing with a Salt — Best of Hashing

Hashing is like baking: given the same hashing algorithm (the recipe) and the same password and salt (the ingredients), you always get the same cake with the same taste.

Photo by Cristina Matos-Albers on Unsplash

Hashing functions can be categorized as non-cryptographic and cryptographic hashing functions.

Cryptographic hash functions are designed to be hard to reverse, hence using a cryptographic function for hashing is the best decision.

Why cryptographic functions are better for hashing a password:

  • Non-reversibility, or one-way function — It is hard to reverse the hash function and recover the password.
  • Diffusion or avalanche effect — A small change in the password produces a significant change in the output hash value.
  • Determinism — A given password will always produce the same hash.
  • Collision resistance — It is highly unlikely that two different passwords will produce the same hash.
  • Non-predictability — The hash value cannot be predicted from the password.

Out of the different cryptographic hashing functions, SHA-256 is considered to be the best function from the security perspective.

SHA-256 (Secure Hash Algorithm, FIPS 182–2) is a cryptographic hash function with a digest length of 256 bits. It is a keyless hash function; that is, an MDC (Manipulation Detection Code). A message is processed in blocks of 512 = 16×32 bits, each block requiring 64 rounds.

There is plenty of evidence from security breaches that even hashing alone is not enough:

  • 2016: LinkedIn was breached, and it had used a weak hashing algorithm (source)
  • 2019: Facebook had hundreds of millions of passwords stored in plain text (source 1, source 2)

Hashing with a strong cryptographic function and a salt is a must!

Salt — a randomly generated string added to the plain-text password before hashing. Because every user gets a different salt, identical passwords no longer produce identical hashes, which makes password guessing with precomputed tables much tougher and the store harder to breach.
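The following is an added example (not code from the original post or from WSO2 Identity Server) that demonstrates the salted SHA-256 scheme described above together with the hash properties listed earlier: determinism, the avalanche effect, per-user salts that make equal passwords store differently, and verification by recomputation rather than decryption. The record layout (salt prepended to the password, 16-byte salt) and all sample values are constructed for the demonstration and are assumptions, not a description of any product's storage format.

```python
import hashlib
import hmac
import os

# Constructed choice for this example: 16 random bytes per password.
SALT_BYTES = 16


def make_salt(n: int = SALT_BYTES) -> bytes:
    """Return n cryptographically random bytes to use as a per-password salt."""
    return os.urandom(n)


def hash_password(password: str, salt: bytes) -> bytes:
    """SHA-256 over salt || password (salt prepended, as the post describes)."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def store_record(password: str) -> tuple[bytes, bytes]:
    """What a user store persists: the random salt and the digest, never the password."""
    salt = make_salt()
    return salt, hash_password(password, salt)


def verify_password(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt; compare in constant time so the
    comparison itself does not leak how many leading bytes matched."""
    return hmac.compare_digest(hash_password(candidate, salt), stored_digest)


def bit_difference(a: bytes, b: bytes) -> int:
    """Count differing bits between two equal-length digests (avalanche measure)."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def same_password_stores_differently(password: str) -> bool:
    """True when two records for the same password have different salts and digests."""
    salt_a, digest_a = store_record(password)
    salt_b, digest_b = store_record(password)
    return salt_a != salt_b and digest_a != digest_b


def avalanche_bits(password: str, changed_password: str, salt: bytes) -> int:
    """Bits that flip in the 256-bit digest when the password changes slightly."""
    return bit_difference(hash_password(password, salt),
                          hash_password(changed_password, salt))


if __name__ == "__main__":
    # Constructed demo: one user enrols, then a correct and a wrong login attempt.
    salt, digest = store_record("correct horse battery staple")
    print("stored salt  :", salt.hex())
    print("stored digest:", digest.hex())
    print("correct login:", verify_password("correct horse battery staple", salt, digest))
    print("wrong login  :", verify_password("correct horse battery stapl3", salt, digest))
    print("same password, different records:", same_password_stores_differently("hunter2"))
    fixed_salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed salt
    print("bits flipped by a one-character change:",
          avalanche_bits("password1", "password2", fixed_salt), "of 256")
```

Two design points worth noting. Verification never needs the plain-text password back, which is exactly why a leaked table of salts and digests is less damaging than a leaked table of ciphertexts whose key sits on the same server. The example hashes a single round of SHA-256, as the post recommends; where a deliberately slow derivation is wanted on top of the salt, the standard library's `hashlib.pbkdf2_hmac("sha256", ...)` iterates this same primitive with a configurable work factor.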

Conclusion

Hashing passwords with the SHA-256 cryptographic function and a salt is the best approach to securing passwords.

WSO2 Identity Server uses hashing (SHA-256 with a salt) to store user passwords in the CIAM system, which is the best approach to securing your end-user passwords.

Still here? Good. I believe that by now you (hopefully) know which is better: hashing or encryption. But if you still want to use encryption instead of hashing, you should be able to do that via an extension, at your own risk. :)

Stay Safe with the WSO2 Identity Server!


Dinali Rosemin Dabarera

Integration Consultant (IAM) @ Yenlo Nederland B.V., specialized in WSO2 IAM; an identity evangelist, a blogger, a nature lover and a backpacker.