Computer Science: Password Hashing and Authentication Basics
Protecting passwords with hashing, salting, and secure login design
Computer Science: Password Hashing and Authentication Basics
Protecting passwords with hashing, salting, and secure login design
Computer Science - Grade 9-12
- 1
In a secure authentication system, why should a website avoid storing users' passwords in plain text?
Think about what an attacker would see if the database were stolen.
A website should avoid storing passwords in plain text because anyone who gains access to the database could read and use the passwords immediately. Secure systems store password hashes instead, which makes stolen password data much harder to misuse. - 2
Define a cryptographic hash function in the context of password storage.
A cryptographic hash function is a one-way function that turns an input, such as a password, into a fixed-length string of characters called a hash. It should be easy to compute the hash but extremely difficult to reverse the hash back into the original password. - 3
A user creates the password Tiger77!. The system stores the hash value 9f4a... instead of the original password. During login, what should the system do to check whether the user typed the correct password?
The system does not need to know the original password to verify it.
During login, the system should hash the password the user typed using the same hashing process and compare the new hash to the stored hash. If the hashes match, the password is accepted; if they do not match, the login should fail. - 4
Explain the difference between encryption and hashing.
Encryption is designed to be reversible if someone has the correct key, so encrypted data can be decrypted. Hashing is designed to be one-way, so a password hash should not be reversible back into the original password. - 5
What is a salt in password hashing, and why is it useful?
A salt is usually stored with the hash, but it should be unique for each user or password.
A salt is a random value added to a password before hashing. It is useful because it helps make identical passwords produce different hashes and makes precomputed attack tables much less effective. - 6
Two users choose the same password, Sunshine2025. User A has salt K81 and User B has salt Z44. Explain why their stored hashes should be different.
Their stored hashes should be different because the system hashes the combination of each user's salt and password. Since K81 + Sunshine2025 is different from Z44 + Sunshine2025, the resulting hashes should also be different. - 7
A student says, 'If a database stores password hashes, attackers cannot guess any passwords.' Explain why this statement is not fully correct.
Think about what happens if an attacker tries common passwords like password123.
The statement is not fully correct because attackers can still guess passwords by hashing each guess and comparing the result to the stolen hashes. Strong password hashing slows this process, but weak passwords can still be guessed. - 8
What is a brute-force attack on passwords?
A brute-force attack is an attempt to guess a password by trying many possible combinations until one works. The attack becomes harder when passwords are longer, less predictable, and protected by slow password hashing. - 9
What is a dictionary attack on passwords, and how is it different from a full brute-force attack?
A dictionary attack focuses on likely guesses first.
A dictionary attack tries likely passwords from a list, such as common words, leaked passwords, or predictable patterns. It is different from a full brute-force attack because it does not try every possible combination, so it can be faster against weak or common passwords. - 10
A login system stores passwords using SHA-256 with no salt. Identify one weakness of this design for password storage.
One weakness is that SHA-256 is a fast general-purpose hash, so attackers can test many password guesses very quickly if the hashes are stolen. Another weakness is that using no salt allows identical passwords to have identical hashes and makes precomputed attacks easier. - 11
Name one password hashing algorithm designed specifically for storing passwords, and explain why such algorithms are preferred over fast general-purpose hashes.
Good password hashing makes each guess cost more time or computing power.
One password hashing algorithm designed for storing passwords is bcrypt. Algorithms like bcrypt, scrypt, Argon2, and PBKDF2 are preferred because they can be made slow or resource-intensive, which makes large-scale password guessing more expensive for attackers. - 12
A website limits users to 8-character passwords and does not allow symbols. Explain why this may reduce security.
This may reduce security because short passwords with fewer allowed character types create fewer possible combinations. Attackers can guess from a smaller search space, making brute-force or dictionary attacks more practical. - 13
Put these authentication steps in a secure order: compare hashes, receive password from login form, hash the submitted password with the stored salt, allow or deny access.
The system should never compare the plain typed password directly to the stored hash.
The secure order is: receive the password from the login form, hash the submitted password with the stored salt, compare the new hash to the stored hash, and then allow or deny access based on the result. - 14
Explain why multi-factor authentication can improve security even when password hashing is used.
Multi-factor authentication can improve security because it requires another proof of identity in addition to the password, such as a code, app approval, or security key. If an attacker guesses or steals a password, the extra factor can still block access. - 15
A company discovers that its password database was stolen. The database contains salted password hashes, not plain text passwords. List two actions the company should take and explain why.
Even salted hashes are not a reason to ignore a breach.
The company should force or strongly require users to reset their passwords because some weak passwords may still be guessed from the stolen hashes. The company should also investigate and fix the security breach, notify affected users, and consider improving its hashing settings if they were not strong enough.