Mechanism of Password Hiding in QuizGenerator(beta)

In this article, we will introduce how we keep passwords secret in learningBOX.

Login authentication is a common password

Not only e-learning systems, but also many other systems that require users to log in use passwords for login authentication. Some financial institutions use authentication systems that do not rely on passwords, such as "one-time password generators" or "email or SMS authentication for each login". Some of our e-learning systems use handwriting recognition. However, these authentication methods are still not widely used, and learningBOX still uses password-based login authentication.

Password confidentiality (protection) is an important issue

There are three ways to compromise passwords: attacks on user terminals, interception of communications, and attacks on servers.

Attacks on user terminals

The attack on the user terminal is calledInfection with computer viruses, etc." and "Leads to a phishing site"If you have a computer virus, there is a risk that your password will be stolen when you try to log in to a legitimate site. If you are infected with a computer virus, there is a risk that your password will be stolen when you try to log in to a legitimate website. In addition, even if you are not infected with a computer virus, there is a danger that you will be led to a phishing site (fake site) by e-mail and be forced to enter your ID and password.

Interception of communications

Interception of communication means that a third party between your computer or smartphone and our server can steal your password.SSLThis technology is used to encrypt the communication between the customer and our server to prevent the leakage of passwords due to interception of communication.

Attacking the Server

There are various types of attacks on servers: SQL injection attacks, attacks that exploit vulnerabilities in server software, intrusion of suspicious persons into data centers, fraud in data centers, and various other risks. In learningBOX, passwords are "hashed" with salt and then "stretched" to keep them secret. In this way, even the learningBOX management team cannot know what kind of password is set, let alone an attacker, and thus password leaks can be prevented.

hash

It is a one-way function. When the input password is passed through a hash function, a seemingly random value is output. This is called a hash value. It is easy to find the hash value from the original value, but it is not possible to calculate the original value from the hash value. In the system developed around 2000, there were some systems that stored md5 or sha1 hash, but in 2017, hashing alone is not enough to keep the password secret.

However, it may be possible to guess the original value from the hash value by obtaining the hash value of any possible password in advance and creating a reverse dictionary. Especially, if the password is made of alphanumeric characters up to 8 digits, it can be guessed at a realistic cost. In addition, using advanced attacks such as rainbow tables, it may be possible to reduce the time required for guessing by an order of magnitude.

stretch

The hashing is repeated. For example, by hashing the password 1024 times, the time to crack the password can be stretched to 1024 times. Of course, if the computer is 1024 times faster, the password can be decoded in the same time, but with proper stretching, the time to decode the password can be dramatically increased.

salt

Even if it is hashed and stretched, the same password will be the same value. If the same hash value is registered more than once, it will be known that a "common password" is used. By adding salt (random string) before and after the password before hashing, the same password becomes different hash value, and it becomes difficult to guess the original password. In addition, although it is not explained in detail, the addition of salt makes the password longer, which makes the deciphering of the password by the rainbow table extremely difficult.

Summary

In learningBOX, passwords are kept secret by not storing them. In addition, we take all possible measures to prevent people from guessing the original password when keeping passwords secret. However, if you set a "simple" password such as "12345678" or "password", the risk of unauthorized access increases, so please set your password appropriately.

Future tasks

We are considering restricting the ability to set "easy" passwords such as "12345678" and "password". In addition, we will incorporate the latest security technology, such as thorough monitoring for "suspicious" access.