4 levels of password security
September 27, 2018 / Knowledge

4 levels of password security

Welcome to the age of reckoning

Long gone are the days of dial-up modems and public library visits just to check the news online. We are living in the ever-expanding virtual world. Here, more often than not, a thing you pick up is connected to the internet. That’s called the internet-of-things — a network of smart phones, intelligent vehicles, wise toasters and other things, all connected to the internet. In this world of inter-connectivity and accessibility, where our data is the sought after currency and privacy is breached every day we still have an ancient guardian protecting us against the miseries of leaked photos and wiped bank accounts. Do you know who is that guardian? You guessed it — it’s the mysterious password. And today we will get to know him and learn more about password security.

Short history

There is a reason why I’ve mentioned our hero being ancient — the concept of passwords can be traced back thousands of years — way back, to times when Roman military still roamed the world. Back then, a password was used in the most literal sense: it was a word that when said, granted a passage to a controlled area.

In the modern context, the first application of password was implemented in 1961 by MIT professor Fernando Corbato. He was associated with the first-ever time sharing system shared by multiple scientists and researchers at MIT. Corbato figured out a way to adapt the concept of password to differentiate access to private files for separate users using a single system.

Back then passwords were stored in plain-text (read: copy-pasted to a separated document stored in the system, that served as a very basic method of authenticating user’s login details). Which brings us to our first level (or rather level zero) of password security: plain-text.

Level 1: plain-text and face-palms

Versions of passwords must be stored in the system in order to authenticate it with the user’s keyboard input and verify if it’s correct. If it matches — the user is granted access (or logged in) and is able to see the information, that’s protected by the system’s authentication.

So, the passwords have to be stored in the system for authentication, right? Wrong. Storing passwords in the system was a common practice at the dawn of the internet technologies and was not even safe then. Database breaches are not that rare (and are becoming more common every year). If your users’ passwords are stored in plain-text when a database is breached, this is no longer an issue affecting only you. It’s an issue affecting every single one of your users, including their accounts on other platforms. And yet, companies are still getting caught using this borderline negligent security method, even in 2019.

Level 2: hashing and encrypting

In the 1970s a famous researcher Robert Morris Sr. has adapted the method called “hashing” to password security. A hash function is designed to map data of random sizes to a fixed-size data. In cybersecurity, this function is also devised to be a one-way (sometimes called a “ trapdoor”) function — easily computable, but infeasible to invert or backtrack. This cryptographic hash function takes user input — the password — and turns it into a seemingly random sequence of numbers. There are only two ways to crack a good cryptographic hash function. One of them is the infamous brute-force attack, when a hacker simply tries all possible combinations of the password until he’s able to find a match. Another, more sophisticated way to hack this type of function is to use rainbow table of matched hashes.

Level 3: salting and seasoning

So, how do we move further with our need for password security? Surely, when we know there is a way to crack our “hashes”, we want something even more secure? Of course! And don’t call your reader Shirley.

This is where a little bit of “salt” goes a long way. In cryptography, salt is called some random data that’s added as additional input to cryptographic hash function. In simple terms, this means that before converting your password to a string of random numbers and symbols, some random data is added to your password and only then “hashed”, making the encrypted data even harder to crack.

This method is used to make “rainbow table” and “dictionary” (a type of brute-force) attacks at the very least much, much less efficient.

Level 4: the master of all passwords

The algorithm called Master Password was designed by Marten Billemont. In standard security management, passwords (or their “hashes”) are stored in a secure database, in a server, or a cloud. Master password is not stored anywhere.

It’s an algorithm that generates a 64-byte master key, which is used in access authorization. The key is also salted by your full name to defend against “rainbow table” attacks. This master key is generated every time you type in your secret memorized password and uses intentionally slow key derivation function. This function does not affect performance for users who only need the master key once per login, but makes brute-force attacks (that try generating master keys billions of times) unfeasible.

This concept is a complete game-changer in the world of passwords and offers unmatched security for cloud-based solutions. That is why this concept, along with additional security measures, are used in some of the most secure cloud-based software, like PassCamp.

Bonus round: additional measures

Now that you know how Master Passwords works, let’s see how we can improve cryptography-based security one step further. Can’t be too safe, right?

In addition to Master Password, PassCamp utilizes three very important concepts:

  • Password-Based Key Derivation Function 2 ( or PBKDF2 for short) is a key derivation function, which applies a pseudorandom function, such as hashing with a salt value, and instead of using that straightaway, it repeats this process countless times. Only after this step the function derives a key, which is then used to encrypt your data.
  • Secure Remote Password( SRP for short) Protocol is used for verifying if the user knows the required password. It is used to fight against eavesdroppers and types of software that monitor activity and try to impersonate the user. Through SRP authentication user’s end demonstrates to the server that they know the password without actually sending the password itself. This way the password doesn’t leave the client and is unknown to the server.
  • Zero-knowledge encryption is the last bit that makes your sensitive data unhackable. In very simple terms, all of your information within PassCamp is encrypted at all times and only you, the user, have the key (your Master Password) to decrypt the data. Even if PassCamp was hacked with some extraordinary tools, hackers would be left with strings of random data and wouldn’t be able to get your sensitive information.

If you’ve read this far, congratulations! Today you have learned the very basics of modern password cryptography.

If you would like to see these mechanisms at work, check out PassCamp— an independent password manager developed with security at the heart.


Written by Arvydas Vaitkus, marketing manager at Adeo Web.

Images © Robertas Zigmantavičius