Hi there. In this lesson, we're going to talk about the third issue, which is improperly storing passwords. We're going to quickly talk about a real-life example. Then I'm going to introduce how brute forcing passwords works, and some mitigations that you can apply in order to reduce this issue. At the end of this lesson, you will be able to explain how password brute forcing works and describe some ways to mitigate the issue. Let's dive in.

One real-life example is from 2017. The data became available then, but the breach itself happened around 2015. This happened to a Czech online shopping gallery called Mall. They were initially using some outdated and insecure password hashing schemes, for example, MD5 salted with SHA-1, until about October 2016, when they switched over to bcrypt. That is good, but most of the passwords that were involved in the leak were from when they were using MD5 as the hashing algorithm.

Now, one way that a web application developer could store passwords so that they are not in plain text is the following example. But please note that this example is not secure; it is just to show you one thing that can be tried, and that is not really secure. So in this example, the web application would take in the username beebo and the password %iam$am. The password is then put through a cryptographic hash function, for example SHA-256. A cryptographic hash function is secure in the sense that when you feed some plaintext input into it, you can't compute the plaintext back from the output that is generated. You can't go backwards from the hash output, and that is why it's called one-way. Now, the output of this hash function is what is stored in the database along with the username. So at no point in time is a plaintext password ever stored, and that's a good try.
So what attackers can do is steal the database, but then they only have the hash of the password for each username. In essence, the idea is to store the password information but not the actual plaintext password. That is key, and that's the idea. However, one thing the attacker can do once they have stolen this database is to use a word list, a very large list of words that people tend to use as passwords. They take this word list and perform the same one-way hash computation on each word in it. Once they have the hash, they check whether a matching hash exists in the database they just stole. If there is a match, they know they have the right plaintext password, which is the word in the word list. An attacker can also perform password brute-force calculations. Here they try every combination of characters up to a certain length, compute the hash for each try, and compare the result with what they have in the stolen database. That's what password brute force looks like in general. Attackers can have really strong, beefy hardware, such as GPUs, to perform these calculations.

Furthermore, building on the previous example, if two users have the same password, then the same hash is stored at least twice. Two identical hashes in the database mean the attacker has a higher chance of knowing what the actual password is, because cracking one hash reveals both accounts at once. In our next video we will look at things we can do to mitigate this. I alluded to this earlier when I mentioned the term salt, and we will talk about how to use that in the next video.

So here are some general prevention strategies for when you develop your web application. What you can do is use a salt and use specific hash functions that slow down password brute-force attempts. I will get to what that means in the next video.
You can also set up your web application to use 2-Factor Authentication, so that your users don't need to rely on just a password to identify themselves to the web application. And one other very simple thing is to show a generic error message when a login attempt is incorrect. That makes it harder for an attacker to determine whether the username was incorrect or the password was incorrect, so they won't be able to tell the two apart. In summary, we talked about issues with improperly storing passwords, and I mentioned one real-life example of what has happened. I gave a very brief introduction to how password brute-force attempts work. And I also mentioned some things you can do to mitigate this issue. That's it for now, thanks for listening.
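As an added example (not code from the lesson or from the Mall application), here is a small Python script that contrasts the unsalted SHA-256 scheme described above with a per-user salt plus a deliberately slow hash (PBKDF2-HMAC-SHA256, standing in for bcrypt). The user names, passwords and the tiny word list are constructed for illustration; it shows why identical hashes and precomputed word-list tables are a problem for the naive scheme and not for the salted one.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two users chose the same weak password.
USERS = {"beebo": "%iam$am", "alice": "password123", "bob": "password123"}
# Constructed mini word list of the kind that gets precomputed against stolen tables.
WORDLIST = ["123456", "password123", "letmein", "qwerty"]


def naive_store(password):
    """Insecure scheme from the lesson: a single unsalted, fast SHA-256 hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def hardened_store(password, iterations=200_000):
    """Per-user random salt plus a slow, iterated hash. Returns (salt, digest).

    The salt is stored next to the digest; it is not secret, it just makes
    every stored hash unique and defeats precomputed tables.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def hardened_verify(password, salt, stored, iterations=200_000):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, stored)


def duplicate_hashes(db):
    """Count distinct stored hashes that appear more than once (shared passwords leak)."""
    values = list(db.values())
    return sum(1 for v in set(values) if values.count(v) > 1)


def precomputed_hits(db, wordlist):
    """Users whose stored hash matches a one-time hash of a word-list entry.

    Against the naive scheme one table serves every user; with per-user salts
    each entry would need its own table, which is what the salt buys you.
    """
    table = {naive_store(w): w for w in wordlist}
    return sorted(user for user, h in db.items() if h in table)


if __name__ == "__main__":
    naive_db = {u: naive_store(p) for u, p in USERS.items()}
    print("duplicate hashes in naive table:", duplicate_hashes(naive_db))
    print("users exposed by word list:", precomputed_hits(naive_db, WORDLIST))
    salt, digest = hardened_store("password123")
    print("hardened verify ok:", hardened_verify("password123", salt, digest))
```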