OVERVIEW:
SHA-256 is one of the most secure hashing functions available, but it still has some drawbacks. The US government requires its agencies to protect certain sensitive information using SHA-256. As far as drawbacks are concerned, we can’t deny that SHA-256 is a moderately vulnerable way to store passwords. However, it is viewed as practically difficult to “crack”: it is almost impossible to recover the plaintext from the hash. The exact details of how SHA-256 works are classified, but what we can say with certainty is that it is built with a Merkle-Damgård structure derived from a one-way compression function, which in turn has been created with the Davies–Meyer Hash Function from a specialized block cipher.
SHA-256 A PROTECTED ALGORITHM:
Three properties make SHA-256 a protected algorithm. First, it is practically difficult to reconstruct the initial data from a given hash value: recovering it requires a brute-force attack that makes 2^256 attempts. Second, there are 2^256 possible hash values, as many as the number of atoms in the whole universe, so the probability of two being the same is incomprehensibly low; a collision, meaning two messages with the same hash, is extremely far-fetched. Third, a minor change to the original data alters the hash value so much that it is not apparent the new hash value is derived from similar data. This is known as the avalanche effect.
DRAWBACKS OF SHA-256:
A good hashing algorithm must resist all attempts to crack it. If it cannot prevent the attack completely, it should at least hold the attacker off for a longer time. The reason SHA-256 is a poor choice for passwords, particularly without salt, is that it is inexpensive to compute. That makes it more vulnerable to brute-force attacks, rainbow tables, and so forth. You will not have the option to break the hash you have been provided with. It is not a secure algorithm for password hashing. Neither is SHA-512. It matters little how well it has been salted. Why is that? Because both can be computed billions of times per second with specialized hardware. If you are flabbergasted to hear that, continue to the facts below.
KEY FEATURES OF A GOOD HASHING ALGORITHM:
Password hashing is the last line of defense. Its sole purpose is to keep the hacker from getting hold of a client’s data when all other security measures have failed. This usually means preventing the hacker from using the breached data to get the client’s information on various other sites, which is possible when the client reuses the same password. Since the hacker has full control over the user’s raw data, there is no way to prevent a brute-force attack. Some measures can be taken to delay the attack and make it impractical. A good hashing algorithm must eliminate even the smallest probability of an easy route to cracking it. It cannot rule out brute force, which remains the only way to crack it, but it must work effectively to delay the cracking process.
CONCLUSION:
Good password hashing is much more than just salting (adding some secret code words at the end) the password. In practical terms, salting alone is pretty much as terrible as using MD5. The right approach to password hashing is not very convoluted or difficult, but it’s far better to avoid it altogether. There is the choice of deferring the safety of passwords to a third party by using sign-on alternatives from trusted authorities like Google, Facebook, or Twitter. If you want to do it on your own, you have to consider the key ingredients of a good hashing algorithm; you must also use a key derivation algorithm together with a random salt per client and stick with local execution. Do not attempt to make your own algorithms, as you will end up getting it wrong, with a hashing function that can easily be parallelized with the help of CPU, possibly making things worse. So, to wrap things up, you should consistently urge your clients to pick strong and unique passwords and not to reuse them on different login sites.
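The advice above (a key derivation algorithm with a random salt per client) is sketched below as an added example; it is not code from the original article. The choice of scrypt, the work factors, the record format and all function names are assumptions made for illustration, and the sample password is constructed.

```python
import hashlib, hmac, os, time

# Constructed work factors for this example (assumptions; tune to your hardware).
N, R, P, SALT_LEN, KEY_LEN = 2**14, 8, 1, 16, 32
MAXMEM = 64 * 1024 * 1024  # scrypt needs roughly 128*N*R bytes (16 MiB here)

def _scrypt(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                          maxmem=MAXMEM, dklen=KEY_LEN)

def hash_password(password: str) -> str:
    """Return a storable record: scheme, cost parameters, per-user salt, derived key."""
    salt = os.urandom(SALT_LEN)  # fresh random salt for every user
    key = _scrypt(password, salt, N, R, P)
    return f"scrypt${N}${R}${P}${salt.hex()}${key.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, key_hex = record.split("$")
        if scheme != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        actual = _scrypt(password, salt, int(n), int(r), int(p))
    except ValueError:
        return False  # malformed record or invalid cost parameters
    return hmac.compare_digest(actual, expected)

def salted_sha256(password: str, salt: bytes) -> bytes:
    """The fast construction the article warns about; used only for timing."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

def cost_ratio(rounds: int = 2000) -> float:
    """How many salted SHA-256 guesses fit in the time of one scrypt guess."""
    salt = os.urandom(SALT_LEN)
    t0 = time.perf_counter()
    for i in range(rounds):
        salted_sha256(f"guess{i}", salt)
    sha_each = (time.perf_counter() - t0) / rounds
    t0 = time.perf_counter()
    _scrypt("guess", salt, N, R, P)
    return (time.perf_counter() - t0) / sha_each

if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample
    print(rec)
    print(verify_password("correct horse battery staple", rec), verify_password("wrong", rec))
    print(f"one scrypt guess costs about {cost_ratio():.0f} salted SHA-256 guesses")
```

The ratio printed at the end is measured on a single CPU core; it shows the per-guess cost that a fast hash lacks, not the throughput of dedicated cracking hardware.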