Content uploaded by Roman Alex Lustro
Author content
All content in this area was uploaded by Roman Alex Lustro on Oct 07, 2022
Content may be subject to copyright.
Jour of Adv Research in Dynamic & Control Systems. Vol. 11. 12 – Special Issue.2019
DOI: 10.5373/JARDCS/V11SP12/20193330 1240
ISSN 1943-023X 1234
Received: 19 Oct 2019/Accepted: 18 Nov 2019
Ameliorating Password Security Authentication using bcrypt Algorithm
with Dynamic Salt Generation
Roman Alex F. Lustro
Isabela State University – City of Ilagan Campus, Philippines
romanalex.f.lustro@isu.edu.ph
Abstract - Usernames and passwords at present remain the
ultimate frequently employed and far and wide recognized
form of identity authentication. The password is one of the best-
applied techniques of authentication. While it is precisely
convenient to perform authentication using passwords, one
thing that needs to be considered is how to store them securely.
The aim of this study is to improve the existing password
hashing scheme by introducing a new mechanism that will
surely provide a more secure hashed password. Based on the
simulated results of the study the proposed mechanism
enhanced existing practice. The proposed scheme increases the
level of security by proliferating the level of encryption. Thus,
making it impossible for an attacker to break the system. Hence
the proposed system is more efficient and has unbreakable
security.
Index terms – data security, cryptography, hashing, salting.
1. Introduction
Password is one of the utmost essential elements of any
conventional security scheme intended to protect sensitive
and confidential information from falling into the wrong
hands. Generating a resilient password is the initial phase
towards safeguarding and protecting confidential user
information [1]. At present, the focus on mitigating risk of
cybercrime were central repositories now referred to as
‘legacy databases’ typically on a web application
authentication. Conventionally, the possibility of the breach
was not anticipated thus passwords are regularly stored in
plaintext [2]. It is claimed that still, a large number of these
legacy databases keep on using and still store authentication
credentials by obsolete and substandard means or plaintext
[3].
According to Erguler [4], passwords must be secured by
compelling appropriate providence and storing with their
hash values enumerated through the salting mechanism. In
addition, it must be tough for an attacker to reverse hashes to
obtain the plaintext password. Ma et al. [5] came up with a
fineness password guide, which necessitates that a strong
password should encompass at least eight characters, three
of which should be special characters. Likewise, there should
be some numbers in the password, too.
The application of hash function in storing passwords gives
the impression to be a secure mechanism. For the reason that,
even if an attacker was able to gain access to the password
database, he or she will not be able to realize the password in
plaintext format. On the other hand, as the computing power
increases exponentially, there have been a number of high
profile circumstances where large social networking sites
had seen their users’ passwords seep out to the public [6].
This is likely to happen because of an attack or technology
known as a rainbow table [7], [8] which is basically a pre-
computed hash value of potential plaintext. Concomitantly,
if the hash values of passwords are seeped out, the attacker
will only need to look up the rainbow table and locate the
equivalent plaintext passwords.
The aim of this paper is to improve the existing practice of
storing password, at present, static salting and hashing [10]
were utilized which is considered to be vulnerable to rainbow
and dictionary attack [11], [7] and [8]. This paper introduces
a random/dynamic salt generation [12] and bcryt [10], [13]
and [14] hashing function that requires specifying a
cost/workfactor in order to generate a password was utilized.
Cost/workfactor was used to generate end hash and makes
the entire process slower thus allows determining how
expensive the hash function is [10]. The use of hashing
function and salt when storing password defends against
dictionary attacks and pre-computed rainbow table attacks
[11]. Salting is the process of adding a user-specific text to
the plain text, before computing the hash.
The rest of the paper is organized as follows. Section 2
reviews some earlier work that is related to this research.
Section 3 describes the proposed system architecture.
Section 4 presents simulation results and discussion. Finally,
the paper ends with some concluding remarks and future
work, captured in Section 5.
2. Review of Related Literature
Maintaining a password by just using a cryptographic hash
function is not enough. A well – known example is that of
LinkedIn [6] when an attacker was able to get hold of the 6.5
million SHA -1 hash values of the passwords in the social
network’s database. In order to perform an attack, the hash
values were performed through a rainbow table and were
able to found its plaintext password equivalent.
Jour of Adv Research in Dynamic & Control Systems. Vol. 11. 12 – Special Issue.2019
DOI: 10.5373/JARDCS/V11SP12/20193330 1241
ISSN 1943-023X 1234
Received: 19 Oct 2019/Accepted: 18 Nov 2019
User and data attributes are utilized in secret key generation
which prevents user attribute leak problem [3]. A salt method
is added into the DCP – ABE – M to make the secret key
stronger and more unbreakable, thus the proposed system
improves the level of security by increasing the level of
encryption. Likewise, to make the password stronger and
more different from other passwords, [15] added a unique
salt value in the password, hence enhances the level of
security and is more efficient compared to the previously
existing schemes.
[16] offer a novel solution for securing authentication
databases for both pre-existing and newly created passwords
that stored on insecure systems by applying the
recommended best practices mechanism in the form of a salt,
one – way encryption and iterations. The proposed holds the
possibility of improving system security, compliance,
privacy, and user protection. Similarly, [12] introduces a
dynamic salt generation and placement for secure password
storing. The way the salt value was used for each password
was unique. As a result, a more secure password technique
was achieved.
Bcrypt is a password hashing scheme that was based on
blowfish block cipher. Despite hardware enhancements, it
was intended to be resilient to brute force attacks and remain
secured [13]. Due to its expensive key set up a user-defined
cost factor setting makes this hash slow while using blowfish
variables random lookups [14].
Related works have been done on the implementation of
bcrypt as a password hashing scheme, [17] presented a novel,
flexible, high – speed implementation of a bcrypt password
search system on a low – power Xilinx Zynq 7020 FPGA.
The design consists of 40 parallel bcrypt cores running at
100MHz. The application of bcrypt leave behind all
presently existing applications and increases password
attacks on the same platform, computing 6,511 passwords
per second for a cost parameter of 5. In addition [18] focuses
on providing security to user’s data by saving encrypted user
data to the database by implementing bcrypt algorithm which
provides a longer encryption key and gives the hashed value
of the user data.
It is essential that a hashing algorithm is not only hard to
reverse engineer but, should also be nearly difficult to find a
collision [19]. Thus, [10] consider a different approach using
distributed processing to compute multiple hashes at a very
high speed, making one of the most widely used hashing
algorithm SHA – 512 seem not that secure after all.
Concomitantly, the approach involves cryptanalyzing
bcrypt, and conclude whether it’s a good alternative.
A salt is a random string of alphanumeric characters that are
added as prefix or suffix to a password before hashing. That
is, instead of hashing just a password h(password) we add a
salt in it expressed as h(salt||password), h(password||salt) or
h(salt||password||salt). If the salt value and its position are
known for an attacker, it is still possible to use the rainbow
table to find the plaintext password. Thus, this paper
proposes for a dynamic salt generation using the php 7
function ramdom_bytes and is hashed using brcypt. In order
to generate passwords, bcrypt requires specifying
cost/workfactor making the entire procedure slower but also
used to generate end hash. Thus, allowing workfactors to
determine how expensive the hash function will be.
Hence it is imperative to safeguard the authentication and
pre-authentication scheme in order to make it more secure.
The proposed application of dynamic salt generation and
bcrypt hashing algorithm will enhance existing data security
and protection practices.
Jour of Adv Research in Dynamic & Control Systems. Vol. 11. 12 – Special Issue.2019
DOI: 10.5373/JARDCS/V11SP12/20193330 1242
ISSN 1943-023X 1234
Received: 19 Oct 2019/Accepted: 18 Nov 2019
3. Proposed System Architecture
This study ameliorates the existing password hashing
scheme by introducing a new mechanism that will surely
provide a more secure hashed password. Figure 1 depicts the
comparison of the existing and proposed application of salt,
hashing, and iterations to the password, in order to maintain
the confidentiality and integrity of credentials. Performance
comparison for two said algorithm was executed in Intel (R)
Core (TM) i5 – 7200U CPU @2.50 GHz 2.70GHz, Installed
memory (RAM): 4.00GB (3.87GB usable), System type: 64
– bit Operating System, x64 – based processor, and 128 Solid
State Disk as the secondary storage.
3.1 Existing Application of Salt and Hashing to
Password
With the existing practice, a static prepend and append salt
is being added to a plaintext. The salted plaintext password
is being hashed using SHA 512 as the hashing function. Salt
is a random string of letters or numbers that are added to the
beginning or the end of a password, before hashing. In other
words, instead of hashing just a password h(password), they
compute h(salt||password). The hashed password is then
stored in the database. Since the application of salt is static
wherein the same salt is being used in each hash, this is
ineffective because if two users have the same password,
then definitely they still have the same hash. Thus, allowing
the attacker to still use a reverse lookup table attack to run a
dictionary attack on every hash at the same time. In addition
to this, as a result, using a salt value as prepend or append of
a password increased the security of the password. However,
with repeated experiments, an attacker could find a fixed
point of the salt placement. Once the position of the salt was
found, the security would be drastically reduced by, again,
the use of the rainbow table [20].
3.2 Proposed Application of Salt, Hashing, and
Iterations to Password
In order to effectively secure password, the input plaintext
password is being salted using php 7 function random_bytes
with 2 parameters (length, booleancrypto_strong).
Random_bytes generate an arbitrary length string that is
suitable for cryptographic use, such as when generating salts,
keys or initialization vectors [21]. After this, the salted
password will be hashed using a hashing function called
bcypt. BCRYPT is currently the security standard for
password hashing [18]. It’s derived from the Blowfish block
cipher which generates the hash, uses lookup tables and is
initiated in memory. This means a certain amount of memory
space needs to be used before a hash can be generated. Once
the salted password has been hashed, it will be rehashed
(iterated) again as recommended [22]. In this paper, the
output has been rehashed to 200 times before storing it in the
database. Likewise, a new random salt is generated each time
a user creates an account or changes their password as
suggested [20]. In contrary to the existing practices which
use a static salt, the proposed scheme utilizes a dynamic salt
generation. With dynamic salt generation, even if two users
have the same password still a different hash will be
generated because of different salt values which make it be
the strength of this study thus able to address the reverse
lookup table for a rainbow table and dictionary attack.
3.3 Proposed Application for Password Verification
In authenticating the integrity of an account, the user will
first key in username and password, the system will check if
the username exists in the database, after which the
password, then it will fetch and store password field in a
variable. The password will be verified using the
password_verify function of php 7 [21] with 2 parameters
(plaintext password and fetched password), then the
password will be verified.
3.4 Comparison between SHA 512 vs BCRYPT
Since SHA 512 is an inherently fast algorithm, it is possible
to compute more hashes in less time and thus bcrypt could
be a feasible alternative to improve security [10]. Based on
the literature reviewed we can say that bcrypt is better with
regard to security as the primary concern of this paper is the
security of the hashed password. Bcrypt has been well vetted
and tested and hence considered the standard for password
hashing taking into consideration its existence for around 14
years [18].
4. Simulation and Discussion
Jour of Adv Research in Dynamic & Control Systems. Vol. 11. 12 – Special Issue.2019
DOI: 10.5373/JARDCS/V11SP12/20193330 1243
ISSN 1943-023X 1234
Received: 19 Oct 2019/Accepted: 18 Nov 2019
Table 1 shows the amount of time it took to hash a password.
The passwords were obtained from [23], [20] which are
considered to be weak and strong passwords respectively. As
reflected, SHA 512 performs faster in hashing passwords
which means that a fast hashing algorithm can be easily
broken. Since the idea is to make the hash function very
slowly, so that even with a fast GPU or custom hardware,
dictionary and brute-force attacks are too slow to be
worthwhile. The objective is to make the hash function
laborious enough to delay attacks, but still hastily sufficient
not to cause an obvious delay for the user [20].
As depicted in Figure 3, by adjusting the cost, the time it
takes to hash a password increases. With faster hardware, by
merely increasing the cost, makes the hash secure thus
abiding Moore’s Law [14].
With static salt generation (see Table 2a), if two users have
the same password then definitely the same hash values will
be provided which is considered to be ineffective as an
attacker can still use a reverse lookup table attack to run a
dictionary attack on every hash at the same time. As
compared to dynamic salt generation (see Table 2b) if two
users have the same password, different hash values will be
generated using php 7 function random_bytes, therefore,
making it be strong and more secured.
4. Conclusion and Future Work
The password is one of the best-applied techniques of
authentication. While it is precisely convenient to perform
authentication using passwords, one thing that needs to be
considered is how to store them securely. This study
improved the existing password hashing scheme by
introducing a new mechanism that provided a more secure
hashed password.
Based on the simulated results the proposed mechanism
performs better than the existing practice. The proposed
system increases the level of security by proliferating the
level of encryption. Thus, making it impossible for an
attacker to break the system.
Tougher security measures could be easily integrated, on the
other hand, improved security may result in latency. There
will be higher demands on system resources because of
increased salt bytes, longer hashing functions, and additional
iterations. Salt concatenation and iterated hashing are critical
in placing large demands on the resources of an attack system
and complicating the reverse engineering process. In theory,
the attacker could spend lengthy periods trying to reverse
engineer these individual strings by way of rainbow table
attack; but this would be impossible, as the inserted strings
were randomly generated.
In the future, the researcher will consider password
stretching during login so as to address shoulder surfing.
References
[1] E. M. W. R. Chowdhury, M. S. Rahman, A. B. M. A. A. Islam and M.
S. Rahman, "Salty Secret: Let us secretly salt the secret," 2017
International Conference on Networking, Systems and Security (NSysS),
Dhaka, 2017, pp. 115-123. doi: 10.1109/NSysS.2017.7885811
[2] J. Graham, J. Hieb and J. Naber, “Improving Cybersecurity for
Industrial Control Systems”, True Secure Scada LLC, J.B Speed School of
Engineering, Louisville, KY, IEEE 25th International Symposium on
Industrial Electronics, IEEE, Santa Clara, CA, 2016
[3] S. Kharod, N. Sharma and A. Sharma, "An improved hashing based
password security scheme using salting and differential masking," 2015
4th International Conference on Reliability, Infocom Technologies and
Jour of Adv Research in Dynamic & Control Systems. Vol. 11. 12 – Special Issue.2019
DOI: 10.5373/JARDCS/V11SP12/20193330 1244
ISSN 1943-023X 1234
Received: 19 Oct 2019/Accepted: 18 Nov 2019
Optimization (ICRITO) (Trends and Future Directions), Noida, 2015, pp.
1-5. doi: 10.1109/ICRITO.2015.7359225
[4] I. Erguler, “Achieving Flatness: Selecting the Honeywords from
Existing Us Passwords” National Research Institute of Electronic &
Cryptography TUBITAK-BILGEM, 41470 Gebze, 2015.
[5] W. Ma, J. Campbell, D. Tran, and D. Kleeman, “Password entropy and
password quality,” in Proceedings of the 4th International Conference on
Network and System Security (NSS), 2010, pp. 583–587.
[6] L. Whitney, “Millions of linkedin passwords reportedly leaked online,”
http: //news.cnet.com/8301 − 10093 − 57448079 −
83/millions−of−linkedin−passwords−reportedly−leaked− online/, accessed
in August 2017.
[7] P. Oechslin, “Making a faster cryptanalytic time-memory trade-off,” in
Proceedings of Advances in Cryptology - CRYPTO 2003, 23rd Annual
International Cryptology Conference, Santa Barbara, California, USA,
2003, pp. 617– 630.
[8] M. Jorgensen, “Distributed rainbow table project,”
https://www.freerainbowtables.com/en/tables2/, accessed in December
2013.
[9] C. (n.d.). Shipping, Moving, Trucking, Cargo | CTSI Logistics
Philippines. Retrieved August 19, 2017, from http://philippines.ctsi-
logistics.com/index.php/about-us/
[10] A. Aggarwal, P. Chaphekar and R. Mandrekar, “Cryptanalysis of
bcrypt and SHA-512 using Distributed Processing over the Cloud,”
International Journal of Computer Applications (0975 – 8887) Volume 128
– No.16, October 2015, pp. 13 – 16.
[11] “Dictionary attacks 101,” https://blog.codinghorror.com/ dictionary-
attacks-101/, [Online; Last accessed on 24-Aug2016].
[12] S. Boonkrong and C. Somboonpattanakit, “Dynamic Salt Generation
and Placement for Secure Password Storing”, IAENG International Journal
of Computer Science, 43:1, IJCS_43_1_04
[13] N. Provos and D. Mazi`eres. “A Future-Adaptable Password
Scheme,” Proceedings of the FREENIX Track: 1999 USENIX Annual
Technical Conference (1999).
[14] K. Malvoni, Solar Designer, and J. Knezovic, “Are Your Passwords
Safe: Energy-Efficient Bcrypt cracking with LowCost Parallel Hardware,”
In 8TH USENIX Workshop on Offensive Technologies (WOOT 14). San
Diego, CA: USENIX Association, AUG. 2014. [ONLINE]. AVAILABLE:
https://www.usenix.org/conference/woot14/workshopprogram/presentation
/malvani
[15] V. Rasal, S. Rasal, A.A. Joseph and N. Joseph, “Amelioration of
Decentralized Cipher Text Policy Attribute Based Encryption with
Mediator technique by adding Salt,” International Journal of Advanced
research in Computer Science, Volume 8, No. 5, May – June 2017.
[16] J. Blue, E. Furey and J. Condell, "A novel approach for secure
identity authentication in legacy database systems," 2017 28th Irish
Signals and Systems Conference (ISSC), Killarney, 2017, pp. 1-6. doi:
10.1109/ISSC.2017.7983624
[17] F. Wiemer and R. Zimmermann, "High-speed implementation of
bcrypt password search using specialpurpose hardware," 2014
International Conference on ReConFigurable Computing and FPGAs
(ReConFig14), Cancun, 2014, pp. 1-6. doi:
10.1109/ReConFig.2014.7032529
[18] P. Sriramya and R. A. Karthika, “Providing Password Security By
Salted Password Hashing Using Bcrypt Algorithm,” ARPN Journal of
Engineering and Applied Sciences VOL. 10, NO. 13, JULY 2015, pp.
5551 – 5556.
[19] L. Zhou and W. Han, “A brief implementation analysis of SHA-1 on
FPGAs, GPUs and Cell Processors”, 2009 International Conference on
Engineering Computation, IEEE, Pages 101-104, May 2009
[20] Salted Password Hashing - Doing it Right. (n.d.). Retrieved August
29, 2017, from https://crackstation.net/hashing-security.htm
[21] Random_bytes. (n.d.). Retrieved August 29, 2017, from
http://php.net/manual/en/function.random-bytes.php
[22] B. Kaliski, “PKCS #5: Password-Based Cryptography Specification
Version 2.0”, IETF, Network Working Group, RFC 2898, 2000
[23] D. Kevin, "The 2013 list f worst passwords,"
http://splashdata.com/press/worstpasswords2013.htm, accessed in January
2014.