Computer Science Grade 9 20 min

Password Security

Tutorial Preview

1. Introduction & Learning Objectives

Learning Objectives

Explain the concept of cryptographic hashing and its one-way nature.
Differentiate between encryption and hashing for the purpose of password storage.
Define 'salting' and articulate its role in preventing rainbow table attacks.
Describe the purpose of a 'pepper' as an additional layer of security.
Analyze why slow, computationally expensive hashing algorithms (like bcrypt) are preferred for password security.
Write pseudocode representing a secure password registration and verification process.

Ever wonder how a website knows your password is correct without actually storing your real password? 🤔 Let's uncover the digital magic that keeps your secrets safe! In this lesson, we'll dive into the advanced techniques websites u...
2. Key Concepts & Vocabulary

Term: Cryptographic Hashing
Definition: The process of using an algorithm to convert an input (like a password) into a fixed-size string of characters. It's a one-way function, meaning you cannot reverse it to get the original input.
Example: The password `P@ssw0rd123` passed through the SHA-256 hash function might become `a8e4...d9b1`. You can't use `a8e4...d9b1` to figure out that the original password was `P@ssw0rd123`.

Term: Salt
Definition: A unique, random piece of data that is added to a password before it is hashed. Each user gets their own different salt, which is stored in the database along with the hash.
Example: Instead of hashing `P@ssw0rd123`, the system adds a salt like `k2$j!9` to it, and then hashes the combined string `P@ssw0rd123k2$j!9`.

Term: Rainbow Table Attack
Definition: An attack where a hacker uses a pre-comput...
3. Core Syntax & Patterns

Password Hashing & Salting Algorithm

stored_hash = hash_function(password + salt)

During user registration, generate a unique random salt. Combine the user's password with the salt, and then apply a strong, slow hash function. Store both the salt and the resulting hash in the database, but never the original password.

Password Verification Algorithm

is_match = (hash_function(login_attempt + stored_salt) == stored_hash)

During login, retrieve the user's stored salt and hash from the database. Combine the password they just entered with their stored salt. Hash this new string using the same hash function. If the result exactly matches the stored hash, the password is correct.

Cost Factor (Work Factor)

hash = bcrypt(password, salt, cost_factor)

Use passwor...
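The registration, verification and cost-factor patterns above, written out as a runnable Python example. This is an added illustration, not code from the tutorial. The tutorial names bcrypt; because bcrypt is a third-party package, this example stands in PBKDF2-HMAC-SHA256 from Python's standard library, whose iteration count plays the same role as bcrypt's cost factor. The pepper value, the field names in the stored record, and the legacy MD5 row are constructed for the demo. The last part also shows the "re-hash on next successful login" migration from unsalted MD5 that the practice questions below describe.

```python
import hashlib
import hmac
import os

# Cost factor: the PBKDF2 iteration count. Raise it as hardware gets faster,
# just as a bcrypt cost_factor would be raised. (Demo value; tune for your servers.)
COST_FACTOR = 100_000
SALT_BYTES = 16

# Pepper: a site-wide secret that is NOT stored in the database. This is a
# constructed demo value (assumption); a real deployment loads it from a secret
# store or environment variable on the application server.
PEPPER = b"demo-pepper-keep-out-of-the-database"


def slow_hash(password: str, salt: bytes, cost_factor: int) -> bytes:
    """hash_function(password + salt) from the tutorial, using a deliberately slow
    KDF (PBKDF2-HMAC-SHA256) so each guess costs an attacker real CPU time.
    The pepper is appended to the password bytes before hashing."""
    material = password.encode("utf-8") + PEPPER
    return hashlib.pbkdf2_hmac("sha256", material, salt, cost_factor)


def register(password: str) -> dict:
    """Registration: fresh random salt per user; store salt, hash and cost,
    never the password itself."""
    salt = os.urandom(SALT_BYTES)
    return {
        "salt": salt,
        "hash": slow_hash(password, salt, COST_FACTOR),
        # stored with the row so old records still verify after the default is raised
        "cost_factor": COST_FACTOR,
    }


def verify(login_attempt: str, record: dict) -> bool:
    """Verification: recompute with the stored salt and cost, then compare."""
    candidate = slow_hash(login_attempt, record["salt"], record["cost_factor"])
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, record["hash"])


def same_password_different_hashes(password: str) -> bool:
    """Why salting defeats rainbow tables: two users with the same password get
    different stored hashes, so one precomputed table cannot cover both."""
    a, b = register(password), register(password)
    return a["salt"] != b["salt"] and a["hash"] != b["hash"]


# --- Migration from unsalted MD5 (constructed legacy row for the demo) ---

def legacy_md5_record(password: str) -> dict:
    """Stand-in for a row from the old system: unsalted MD5 and no salt."""
    return {"legacy_md5": hashlib.md5(password.encode("utf-8")).hexdigest()}


def verify_and_upgrade(login_attempt: str, record: dict) -> tuple:
    """Accept either record format. A successful login against a legacy row is
    the only moment the plaintext is available, so re-hash it with the new scheme
    and return the replacement row. Returns (is_match, record_to_store)."""
    if "legacy_md5" in record:
        attempt_md5 = hashlib.md5(login_attempt.encode("utf-8")).hexdigest()
        if not hmac.compare_digest(attempt_md5, record["legacy_md5"]):
            return False, record
        return True, register(login_attempt)  # replaces the MD5 row
    return verify(login_attempt, record), record


if __name__ == "__main__":
    row = register("P@ssw0rd123")
    print("correct password accepted:", verify("P@ssw0rd123", row))
    print("wrong password rejected:", not verify("P@ssw0rd124", row))
    print("salting gives distinct hashes:", same_password_different_hashes("P@ssw0rd123"))
    old = legacy_md5_record("P@ssw0rd123")
    ok, new_row = verify_and_upgrade("P@ssw0rd123", old)
    print("legacy login upgraded to salted slow hash:", ok and "legacy_md5" not in new_row)
```

The cost factor is stored with each record so that raising the default later does not break existing logins; a record whose stored cost is below the current default can be re-hashed on the user's next successful login, exactly like the MD5 rows.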

4 more steps in this tutorial


Sample Practice Questions

Challenging
A security analyst says, 'The salt's purpose is to ensure uniqueness, not to be a secret.' Why is this statement correct, even though the salt is combined with the password?
A. The statement is incorrect; the salt must be kept secret like a pepper.
B. Because the salt is stored in the database with the hash, it's not secret from an attacker who steals the database. Its main job is to defeat pre-computation attacks like rainbow tables.
C. Because the salt is always the same for every user, so it cannot be a secret.
D. Because the salt is a publicly known value, like '12345678'.
Challenging
You are advising a startup on password security. They can only choose one of the following two options. Which is the more secure choice and why?
Option A: Use a fast hash (SHA-256) with a strong, secret pepper.
Option B: Use a slow hash (bcrypt) with a high cost factor, but no pepper.
A. Option A, because the secret pepper prevents any attack if the database is stolen.
B. Option B, because the primary defense against a brute-force attack (which is the ultimate threat) is a slow hash function.
C. Both are equally secure because one uses a pepper and the other uses a slow hash.
D. Neither is secure; both a pepper and a slow hash are required.
Challenging
A company needs to migrate from an old system that stored passwords as unsalted MD5 hashes to a new system using salted bcrypt. What is the only secure way to handle the migration for existing users?
A. Convert the MD5 hashes directly to bcrypt hashes using a special function.
B. On each user's next successful login, take their submitted plaintext password, hash it with the new bcrypt system, and replace the old MD5 hash.
C. Email all users their old passwords and require them to sign up again on the new system.
D. Use the old MD5 hash as the 'password' input for the new bcrypt function.
