Cracked weak credentials - Ruby

Cracked weak credentials - Ruby

Need

Enhancement of password security

Context

  • Usage of Ruby for building dynamic and object-oriented applications
  • Usage of digest for generating and verifying message digests

Description

Non compliant code

        require 'digest'

class User < ApplicationRecord
  validates :password, presence: true

  before_save :encrypt_password

  private

  def encrypt_password
    self.password = Digest::SHA1.hexdigest(password)
  end
end
        
        

This code represents a user model in a Ruby on Rails application. The model validates the presence of a password and then encrypts the password before saving it to the database.

The encrypt_password method uses the SHA1 hashing algorithm which is considered weak for password storage. The SHA1 algorithm produces a short, fixed-length hash (160 bits), regardless of the input size. This makes it susceptible to brute force attacks and rainbow table attacks.

Moreover, the code does not implement any form of salting. Salting is a technique where a random value is added to the password before hashing. This prevents two identical passwords from resulting in the same hash, making it harder for an attacker to crack the password using precomputed tables (rainbow tables).

The combination of using a weak hashing algorithm and not salting the passwords makes this code vulnerable to weak credentials cracking. An attacker who gains access to the database could easily crack the passwords.

Steps

  • Use a stronger hashing algorithm for password encryption, such as bcrypt or Argon2.
  • Implement salting to add an additional layer of security to the password hashes.
  • Consider using a dedicated authentication library or framework that handles password hashing and storage securely.
  • Regularly update the hashing algorithm and security practices to stay up-to-date with the latest best practices.
  • Educate users about the importance of using strong and unique passwords.

Compliant code

        require 'bcrypt'

class User < ApplicationRecord
  validates :password, presence: true

  before_save :encrypt_password

  private

  def encrypt_password
    self.password = BCrypt::Password.create(password)
  end
end
        
        

The updated code uses the bcrypt gem, which is a sophisticated and secure hash algorithm designed specifically for passwords. It's a good choice for password security for its resistance to brute-force search attacks.

The bcrypt function automatically handles the creation of a salt, and then concatenates that salt with the plaintext password and applies the bcrypt hash function to the result. The output includes the salt, and then the hashed result. This means that each user's password is hashed uniquely, which is a significant security advantage.

The BCrypt::Password.create method is used to create a hashed password. This method automatically generates a salt and combines it with the provided password to create a hashed password. The salt is a random string that is used to make the hash more secure. By using a different salt for each user, even if two users have the same password, their hashed passwords will be different.

This change significantly increases the complexity of the hashes stored in the database, which in turn considerably increases the amount of time required to crack them. This is a significant improvement in the security of the user's passwords.

In addition to this, it's recommended to use a dedicated authentication library or framework that handles password hashing and storage securely. Regularly update the hashing algorithm and security practices to stay up-to-date with the latest best practices. Also, educate users about the importance of using strong and unique passwords.

References