In this lesson, I'll talk about the practical application of hashing. So at the end of the lesson you should be able to understand how hashing should be used. And you should be able to discuss where hashing is used today and how failures to implement hashing correctly have led to data breaches.

Let's talk about the technology that we use every day. The websites that we want to register through. Let's say Target, for example, or Home Depot, or you name it, whatever you want to access now has some kind of login and password. So if I look at my accounts through my password manager, I have well over 200 websites that I've registered through. Each of them has a different username and each of them has a different password. So how many accounts do you actually have? Each of those sites is going to store your password in some size, shape, or form. Some have better security than others, and we'll talk about that here in a minute.

What about your phone? How do you think your phone stores your PIN, your password, or your fingerprint, for example? If you're on an Android platform, maybe we even have a pattern on the screen that we go through with our finger. What about your computer? How does it store your password? And your car, most of the newer cars nowadays have a key that you have to go to the dealership in order to reprogram the pairing of those two devices. Our cars are getting smarter. Our TVs are getting smarter. Our home automation, everything is getting smarter. However, with that we have to have some kind of security built around it.

Let's talk about how we log in to computers. I mentioned in the previous lesson that Windows uses hashing to store passwords. Windows uses the NTLM function, or the NTLM technology, to store password hashes. This is from Microsoft. So these are what the actual steps are. The password is padded with null bytes to exactly 14 characters.
And if the password is longer than 14 characters it is replaced with 14 null bytes for the remaining operations. So we're padding and making sure they're an exact length. The password is then converted to all lowercase and then split into two seven-byte, or 56-bit, keys. Each key is used to encrypt a fixed string. And then the two results from the steps above are concatenated and stored as the LM hash. So LM stands for LAN Manager and NTLM actually stands for New Technology LAN Manager. It has been the de facto standard for a number of years for how Windows actually stores password hashes.

Now in other operating systems like Linux and BSD, they use various hashing algorithms, however, most are salted. Now you might say what in the world is a salt, and how are they salted? Well, salting is a way of appending a small random data sequence onto the password or the hashed password. So that when somebody enters in, let's say the actual password hash is compromised, there is no way or very minimal chance to say, okay well this salt actually goes with this hash. So we'll talk about why that's really important in a minute.

Databases. Several years ago, around ten years ago, Microsoft actually published a study where they opted in a bunch of, actually not a bunch, it was millions of users into their Microsoft Live toolbar that said, hey, can we do some password analysis for you? We're not going to actually store your password, but we just want to do an analysis. The results of that study were astonishing. The results showed that a typical user only has five to six unique passwords for all of their accounts. So think about your bank account, think about your music, Spotify, Pandora, Amazon, Target, any online account that you have. I bet you there is one of five different passwords that you use. Now if I look, and I don't do that because I've been in the security industry quite a while and I know how these things get breached.
If you use a password manager then all of them can be unique, however, the typical user only has five to six unique passwords. So if we have a data breach on one website, how do you think that affects every other website? Well, if we are using the password from one site and the same username, we could just take both of those combinations and go to another website, which I would probably guarantee that you're on. So for example, if your Spotify account or your Pandora account is the same username and password as your Gmail account, which has great security. How do you think attackers are going to get in? Very simply, they compromise the one that doesn't have great security. Now I'm not saying Spotify or Pandora has terrible security, I actually don't know, but I'm just talking about something that doesn't have as many users. Think about if you want to exchange Spotify and Pandora with your favorite gaming blog website. Okay, generally those smaller websites don't have great security. So if your username and password is compromised on that blog, then they go to Gmail or Google, they could compromise your account there very easily.

Databases, however, should encrypt your password. And that's done through hashing. Additionally, we should also salt. Remember the randomized string appended or prepended onto your actual hash. So that if the attacker out there were able to get into that database and post the hashes, your hash, even though it would be the same password, would be different from site to site. Because we have a different random salt on each of those websites.

Rainbow tables. Rainbow tables are used to store many different hashes for certain types of hashing algorithms. There are rainbow tables for NTLM passwords, wireless, and a bunch of other ones that are unique. They are precomputed to easily find the password.
Now, if you wanted to go through the entire, let's say that we also had just eight characters, an eight-character password, that hashing rainbow table is going to be very, very small. We could go through a rainbow table of all the hashes for an eight-character password on Windows within a matter of one or two minutes. We can also use online crackers to do this, or graphics cards to speed up the process of obtaining or identifying the hash that goes with a password. Now remember, a hash has to be unique. So it can't be a reversible function. So what we have to do with rainbow tables is, a rainbow table is the representation of the hash in password form. So we have a bunch of hashes and they say, this hash matches this password. Rainbow tables can be very large or in most cases, well, in most cases they are large, but in some cases they are relatively small.

Intrusion and antivirus detection also use hashes. Many antivirus companies use these hashes to detect malicious software. The same with intrusion detection. So if we look at the 2016 Verizon Data Breach Investigations Report, which is a great resource. They come out with it every year. Last year, they actually had data to show that 99% of malware out there is only up for 58 seconds. The reason why is because malware writers are constantly changing their code to bypass detection. So every time they manipulate their code, the hash changes because it's a unique representation of that file. There are plenty of evasion techniques that utilize hashing, and putting in random code here and there, to bypass antivirus or intrusion detection. The best antivirus, intrusion detection, or intrusion prevention software uses machine learning and other heuristics to detect maliciousness and does not necessarily rely on a software hash.

Let's talk about data breaches. The biggest data breach, and the failure of using hashing correctly, came out last year from Yahoo.
1 billion accounts were compromised, because they only secured their database with MD5 hashes. Now MD5 hashes, as you recall, are very, very easy to compute and have a very small bit length. So if we have all one billion accounts, running those through a rainbow table, and looking at all the MD5 hashes out there, we can come up with 75% or 750 million passwords in a matter of a couple days. I can't remember how long it actually was, but we've come up with huge amounts of data and actual passwords for all those Yahoo users. So once that happened, Yahoo said, change your password.

Another failure was Cupid Media several years ago. 42 million accounts across many different websites that they owned had no encryption or no hashing algorithm on the password at all.

LinkedIn also back in 2012 had 6.5 million accounts hacked. They were encrypted, however, they didn't have salts attached. So if we were able to obtain the hash from another website or went through them with a rainbow table or they were precomputed somewhere else, then we would have been able to find or identify the password.
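
The following is an added example, not part of the original lesson. It shows the two points made above about salting and precomputed tables: an unsalted MD5 of the same password is identical on every site and falls to a precomputed lookup, while a per-site random salt with a slow hash does not. The password list, the function names, the plain dictionary standing in for a precomputed table, and the PBKDF2 iteration count are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny candidate list standing in for a precomputed table.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "Summer2016"]

def md5_unsalted(password):
    """The weak scheme from the lesson: a bare, unsalted MD5 digest."""
    return hashlib.md5(password.encode()).hexdigest()

# digest -> password, computed once and reusable against every unsalted dump.
PRECOMPUTED = {md5_unsalted(p): p for p in COMMON_PASSWORDS}

def lookup(digest_hex):
    """Return the password for a digest if it was precomputed, else None."""
    return PRECOMPUTED.get(digest_hex)

def hash_salted(password, salt=None, iterations=600_000):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256).
    Returns the record a site would store: (salt, iterations, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, expected = record
    candidate = hash_salted(password, salt, iterations)[2]
    return hmac.compare_digest(candidate, expected)

def demo():
    pw = "letmein"  # same password reused on two hypothetical sites
    a_md5, b_md5 = md5_unsalted(pw), md5_unsalted(pw)
    site_a, site_b = hash_salted(pw), hash_salted(pw)
    return {
        "unsalted_identical": a_md5 == b_md5,
        "unsalted_found_in_table": lookup(a_md5),
        "salted_identical": site_a[2] == site_b[2],
        "salted_found_in_table": lookup(site_a[2].hex()),
        "verify_ok": verify(pw, site_a),
        "verify_wrong": verify("letmein1", site_a),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt is stored next to the digest in the clear; its job is to make each stored hash unique per site and per user, so a table computed once cannot be reused.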