is hashing mechanism really secure?

Question

Well, I have always seen (and following) people saying to use hashing mechanism for storing passwords in database. I am really concerned is it secure?

Lets go with example.

Let's say I am hacker and I got your database name, id and password. Now I have FULL access to your database.

What people say passwords should be hashed because if someone hacks, they are visible to hackers.

so If I run query as select id, password FROM userDetails I will get data as below

Option 1 : Without hash

++++++++++++++++++++++++++++
+   id    +    password    +
++++++++++++++++++++++++++++
+  id01    +  password01   +
+  id02    +  password02   +
++++++++++++++++++++++++++++

Option 2 : With Hash

++++++++++++++++++++++++++++
+   id    +    password    +
++++++++++++++++++++++++++++
+  id01    +  hasValue01   +
+  id02    +  hasValue02   +
++++++++++++++++++++++++++++

Well, still I say, hashing is insecure. Why I will tell you below with Java code.

PreparedStatement pst = conn.prepareStatement("SELECT id, password FROM userDetails");
ResultSet rs = pst.executeQuery();
String randomPassword = "";
StringBuffer sb;
boolean myPassCheck = true;
while (rs.next()) {
    myPassCheck = true;
    while (myPassCheck) {
        // this will generate random password
        randomPassword = generateRandomPassword();
        MessageDigest md = MessageDigest.getInstance("MD5");
        byte[] array = md.digest(randomPassword.getBytes());
        sb = new StringBuffer();
        for (int i = 0; i < array.length; ++i) {
            sb.append(Integer.toHexString((array[i] & 0xFF) | 0x100).substring(1, 3));
        }
        if (sb.toString().equals(rs.getString(2))) {
            // this is password
            myPassCheck = false;
            System.out.print("id=" + rs.getString(1) + ", password=" + sb.toString());
        }
    }
}

This way, I can print the username and password. (I know I will have to generate random password till I have not found the password). However in this way, hashing password mechanism also fails.

Also I believe there is decryptor present in this world which will convert the hash data to actual data.

Hence, I am thinking

Is Hashing Mechanism Is Secure?

---

Edit 1

I am not talking about MD5 only. I choose MD5 for example purpose ONLY. I am talking about any mechanism for secure password

Answer 1

No, just using hash, especially when just applying MD5 to the password, isn't secure because :

• if you just convert a password (which is frequently almost a common word), it's easy to test it using a database of common passwords. So always use a salt and preferably a combination of other constant parts of the user record. Sometimes you may even find the origin of a hash by typing the hash in Google...
• MD5 is prone to collisions, so even with a hash, prefer SHA 256 or better
• MD5 is fast to compute, so fast to test in a brute force attack

Use the hashing mechanism but :

• take a better hash function, for example SHA-256 or SHA-512
• hash a constructed string, for example username+salt+password (you can use a constant salt as long as it's not used by other programs, it's enough for most uses)

The process when you register somebody (or somebody changes his password) is

1) to build the string s as s=username+salt+password (or a similar function)

2) to build the hash as SHA256(s)

3) to store in database the username, the salt (if not constant) and the hash

When authenticating a user, you build the hash in the same way (using the username and password given by the user and the salt you have in database) and you compare the username and the hash to what you have in database. You don't reverse the hash function, because that's not feasible.

---

Now regarding your code : your approach seems to be to generate all possible passwords until one has the same MD5 than the password you're trying to guess. This won't work for reasonable passwords because there isn't enough time to test all combinations of 15 characters.

Answer 2

Passwords are never stored in plaintext. At least they shouldn't be, unless you're building the world's most insecure system using the world's most naive programmers.

Instead, passwords are stored as the output of a hash function. Even if an attacker gained access to the hashed version of your password, it's not possible to reconstitute the password from the hash value alone.

But it is possible to attack the hashed value of your password using rainbow tables: enormous, pre-computed hash values for every possible combination of characters. An attacking PC could certainly calculate all these hashes on the fly, but taking advantage of a massive table of pre-computed hash values enables the attack to proceed several orders of magnitude faster-- assuming the attacking machine has enough RAM to store the entire table (or at least most of it) in memory. A table like this is called a rainbow table

It's a classic time-memory tradeoff, exactly the sort of cheating shortcut you'd expect a black hat attacker to take.

A database for follwing char set:ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~[]{}|\:;"'<>,.?/ with a max password length of 14 would have a size of 64GB.

If you've salted your password hashes, an attacker can't use general rainbow table attack against you the hash results from "password" and "deliciously-salty-password" won't match. Unless your hacker somehow knows that all your hashes are "delicously-salty-" ones.

Even then, he or she would have to generate a custom rainbow table specifically for you.

Please read Thomas Ptacek's excellent and informative article on this topic. It goes into much more detal about the nuts and bolts of password hashing.

And finally the answer to your Question:

NO it is not secure, but you can do your best to make it as secure as possible.

Answer 3

No. Hashing passwords is not secure, but it's more secure than not doing this. As you can see such hashed passwords might be easily decrypted if you have enough time and hardware resources. This is why we often use salt to make our passwords more secure. The salt is something that is somehow merged with the real password and you store the hashcode of such string. The attacker might be able to break the encryption but he receives the password mixed with salt. This is a quite good protection to people who use so called 'rainbow tables' to decrypt the passwords. Unfortunatelly it's still breakable. Here you can find more info about that: http://arstechnica.com/security/2012/08/passwords-under-assault/

Answer 4

No, they are not 100% secure, specially if the attacker has a hash database. A better approach is to use salted passwords, as this make hash databases quite useless.

Another way to make the password a bit more secure is to hash it several times, which also reduces the effectiveness of a hash database.

As other posts mentioned, pick a more secure and expensive algorithm like sha-512.