How Password Hashing Algorithms Work and Why You Never Ever Write Your Own

Are you fascinated with cryptography? Youre not alone: a lot of engineers are. Occasionally, some of them decide to go as far as to write their own custom cryptographic hash functions and use them in real-world applications. While understandably enticing, doing so breaks the number 1 rule of the security community:??dont write your own crypto.?

How do hashing algorithms work and whats special about password hashing? What does it take for an algorithm to get ready for widespread production use? Is security through obscurity a good idea? Lets see.?

Before storing a users password in your applications database, youre supposed to apply a cryptographic hash function to it. (Youre not storing passwords in plain text, right? Good. Just asking.)?

Any cryptographic hash function converts an arbitrary-length input (a.k.a. message) into a fixed-length output (a.k.a. hash, message digest). A??secure cryptographic hash function??must be:?

Now, theres general cryptographic hashing, and then theres password hashing that is somewhat special.?

Standard cryptographic hash functions are designed to be fast, and when youre hashing passwords, it becomes a problem.??Password hashing must be slow.??You want to make it as hard as possible for the attacker to apply brute force attacks to passwords in your database should it ever leak. This is why you want to make passwords hashing computationally expensive. How expensive? Well, its a tradeoff between convenience for your legitimate users when they validate their passwords and making brute-force attacks hard for the attacker.?

To make hashing computationally expensive, a special kind of functions is commonly used:??key derivation functions??(KDFs). Under the hood, KDFs invoke hashing functions, but they add a random salt before hashing, and then apply numerous (usually thousands or tens of thousands) iterations of hashing. Ideally, they make brute force attacks both CPU-intensive and memory-intensive.?

A key derivation function produces a derived key from a base key and other parameters. In a password-based key derivation function, the base key is a password and the other parameters are a salt value and an iteration count?(RFC 2898: Password-Based Cryptography Specification Version 2.0).

In password hashing discussions, the terms hash function (such as MD5 or SHA-1) and key derivation function (such as PBKDF2 or Argon2) are often used interchangeably although theyre technically not the same.?

Both writing a custom hashing algorithm and creating your own implementation of a well-known algorithm are bad ideas. Why??

You probably dont have the skills. Lets face it: cryptography is hard, and messing up an algorithm or implementation is easy, even for professionals. Should you go for creating your own password hashing, some of the things youd need to take care of include:?

This is a lot on your plate even more so given that??you wont have access to qualified testers??from the cryptography community to help you find (inevitable) vulnerabilities.?

Youll likely want to depend on secrecy and obscurity??by keeping your algorithm private. Doing so breaks the fundamental doctrine of cryptography known as the?Kerckhoffs?principle:??a cryptosystem should be secure even if everything about the?system, except the key, is public knowledge.??Security by obscurity can provide a short-term advantage but relying on it long-term is a bad practice:?

Youll put sensitive user data at risk. Leaking sensitive user data is one of the worst things that can happen to a business. This is something that instantly undermines trust, turns customers away, and is very expensive to remediate. Some companies and lots of developers are prone to the Not Invented Here fallacy, but password hashing is probably the worst thing you can choose to re-implement.?

Most importantly,??you wont know when your algorithm gets broken.?

Established algorithms and implementations benefit from??years of testing and polishing??by large communities of cryptography experts who help reveal and fix vulnerabilities without any malicious intent.?

Since your own algorithm and/or implementation wont be available to anyone with a good will, attackers will be the only category of people willing to crack it. Once they do that, they wont give you a headsup;?youll only know when sensitive data of your users is?compromised,?and your business is in serious trouble.?

Thats great! Go forward and practice. Read reference implementations of existing algorithms, play with your own implementations, reach out to the community for advice, and have a great time learning something new and exciting!?

Just dont use whatever youve written in your production applications.?

To learn more, read our vulnerability decoder on insecure crypto.?