Proper Password Encryption

This article explains how your password is converted into a key that can be used to encrypt sensitive information. By understanding this process, you'll better understand how your bank, the government or other websites protect or fail to protect your information.

Encryption can be understood by thinking of a back-and-forth battle between good and evil. The good guys try to protect your private information, then the bad guys try to break in. The good guys respond, and the bad guys try to break the response. Security programmers examine their own work by putting on their black hats and trying to figure out how they could be hacked. Then they put their white hats back on and figure out how to prevent it.

It is a mental back-and-forth exercise, and presenting it that way shows the reasons for each measure taken, so they make more sense.

KeePass - the creation of a key:

Start with a password, make a key.

The Good guys create a one way hash
They take your password and run it through a procedure that produces 256 bits (about 32 characters) of seemingly random junk. There is no known way to take that junk and figure out the password, so the procedure is called a one way hash. They then use that hash as a key to encrypt your data.

Because of this, there is no reason for a website to limit a password to less than 50 or 100 characters. Whatever you put in is converted into a 256 bit hash, whether it is 100 characters long or only 2 characters. If they limit password length to less than 30 characters, they are probably storing the password, not the hash, so they are insecure.

Secure websites or programs cannot give you your password if you lose it. Since only the hash is stored, not the password, and there is no way to get back from the hash to the password, a lost password is not recoverable. If they can give you the password, then they are insecure.

Also, the encrypted data is just as undecipherable if your password is short and terrible or long and good. The difference is that with a short password they can crack it and capture the key that was used for encryption.

The Bad guys respond
So the bad guys found some powerful computers and ran words through the hash procedure. They ran all the words in the dictionary through it, and a few million known passwords, and everything in Wikipedia, and word transformations like 100k for look or miCro$oft for Microsoft, and names with a couple of digits added, like michael92. They compiled this into a huge new dictionary of hashes and made it available on the Internet to crackers. Now the crackers could just match your password hash against the already processed hashes, if your password had ever been used before or was one of the words or phrases run through the hackers' hash algorithm. They also combine the passwords in multiple dictionaries and try those.

The Good guys slow the dictionary attacks with salt
So the good guys figured out how to take your password, merge it with some random junk, and then use that for the key. Now the pre-processed dictionary doesn't work, because each time a database password is turned into a key, random stuff is merged into the password before it is hashed. This random stuff is called salt. So ready made dictionaries don't work. Dictionaries can still be used once the attacker discovers the salt, but they must build a new dictionary for that salt.

The bad guys up their game
The bad guys get faster and faster computers, so they can still crack shorter passwords by trying trillions of possible passwords each minute. So even if it isn't in a dictionary, a short password can be cracked quickly.

The Good guys slow them down
The good guys then figured out they could take the hash they created from your password and the salt and hash that again, and again, and again. In fact, they could repeat the hashing thousands of times. The result is a very small delay for the individual user, but a really big delay for someone trying billions of passwords. 80,000 repetitions turn a 1 day crack into a 219 year crack, which is much less useful. This count is called the iteration or repetition number.

Key Creation Summary

So KeePass and other properly made encryption programs that use what is called symmetric encryption take your password, mix it with random junk (salt), and run that through a vetted, accepted, sound hash algorithm thousands of times. The result of those thousands of repetitions is the key. That key is used to both encrypt and decrypt the information, which is why it is called symmetric key encryption.
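The whole procedure described above (password, plus random salt, hashed thousands of times, giving a fixed-size key) as an added worked example; this is not KeePass's own code. It assumes PBKDF2-HMAC-SHA256 from Python's standard library as the "hash it again and again" step, and the 80,000 rounds mentioned earlier as the repetition number; KeePass uses its own key-transformation scheme, but the shape of the computation is the same.

```python
import hashlib
import os
import time

# Assumed parameters for this illustration (not KeePass's actual settings).
KEY_BYTES = 32           # 256-bit key, whatever the password length
DEFAULT_ROUNDS = 80_000  # the repetition number used as the article's example


def derive_key(password: str, salt: bytes, rounds: int = DEFAULT_ROUNDS) -> bytes:
    """Password + salt, hashed `rounds` times, giving a 256-bit symmetric key.

    The password itself is never stored; only this derived key is used
    to encrypt and decrypt, and it cannot be turned back into the password.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, rounds, dklen=KEY_BYTES)


def new_salt() -> bytes:
    """Fresh random salt. It is stored beside the encrypted data (it is not
    secret), but it must be random per database so pre-made hash
    dictionaries cannot be reused."""
    return os.urandom(16)


def derivation_seconds(password: str, salt: bytes, rounds: int) -> float:
    """Wall-clock cost of one derivation: the delay a legitimate user pays
    once, and that a guesser pays for every single candidate password."""
    start = time.perf_counter()
    derive_key(password, salt, rounds)
    return time.perf_counter() - start


def demo() -> dict:
    """Show the key take-away points from the article in running code."""
    salt_a, salt_b = new_salt(), new_salt()
    short_key = derive_key("ab", salt_a)
    long_key = derive_key("correct horse battery staple " * 4, salt_a)
    return {
        "short_pw_key_len": len(short_key),             # 32 regardless of length
        "long_pw_key_len": len(long_key),               # 32 regardless of length
        "same_pw_other_salt_differs": short_key != derive_key("ab", salt_b),
        "same_pw_same_salt_repeats": short_key == derive_key("ab", salt_a),
        "seconds_at_80k_rounds": derivation_seconds("ab", salt_a, DEFAULT_ROUNDS),
        "seconds_at_1_round": derivation_seconds("ab", salt_a, 1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two timing entries make the trade-off concrete: the user waits a fraction of a second once, while an attacker multiplies that cost by every password they try.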

Key takeaway points
  • Encryption of this type (symmetric) uses a key.
  • The key is made using a 1 way hash, so the password itself is not stored but is required to get the key.
  • Therefore, if you forget the password, there is no way to get your stuff back.
  • The hash is the same size regardless of the size of the password.
  • Therefore there is no reason for small limits on the length of the password (less than 50 characters).
  • The password is mixed with something random (salt) before hashing to prevent pre-made dictionary attacks, but dictionaries can still be used.
  • Attackers are slowed down by repeating the hashing process thousands of times.

More Reading
  • Cryptographic Hash Algorithms
  • AES and Block ciphers
  • Even More

Date: October 2015

This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
