How Does Craft CMS Save Passwords?

Password Security in Craft CMS

Overview of Password Security Challenges

Password security is a critical concern for any website or application. Recent years have seen staggering numbers of major password breaches, with billions of passwords exposed. The 2020 Verizon Data Breach Investigations Report found that over 80% of hacking-related breaches involved brute force or the use of lost or stolen credentials. Weak and reused passwords are prime targets for attackers. The UK's National Cyber Security Centre reports that 23.2 million victims worldwide reused passwords in breached databases available to cyber criminals. With enough compromised passwords in hand, hackers can gain access to countless other accounts.

Proper password security is clearly essential. But many web developers fail to implement adequate protections, leaving user passwords vulnerable to interception and cracking. This is where Craft CMS shines in its approach to password security.

Role of Password Hashing and Encryption

To secure stored passwords, Craft CMS relies on industry-standard password hashing and encryption. When a user creates an account, their password is run through a hashing algorithm using a randomly generated salt.

This produces a unique hash value that cannot be reverse engineered back into the original password. Even if hackers steal the password database, all they have are indecipherable hashes. Proper hashing algorithms are designed to be one-way functions, far too slow and resource intensive to brute force guess.

Craft CMS uses the robust bcrypt algorithm for password hashing by default. Bcrypt applies multiple rounds of encryption to hashes, adjustable to ramp up computing difficulty. The added salt generates a unique hash for each password, even if multiple users have the same passwords. This thwarts precomputed "rainbow table" attacks common with plain password storage.

With its password security approach, Craft CMS ensures login credentials are robustly protected at rest. The hashed and salted passwords offer no value to infiltrators. Further, Craft CMS provides settings to enforce password complexity rules and expiration. This promotes users to regularly cycle to new, stronger passwords. Together, these measures represent industry best practices for securing user passwords against modern threats. Here's a guide to the Craft CMS login security plugin. 

Understanding Password Hashing and Encryption

Difference Between Hashing and Encryption

While both are used to secure data, hashing and encryption employ different methods. Encryption is a two-way function that transforms plaintext into ciphertext using a key or algorithm, allowing the process to be reversed with the proper key. It is designed to protect confidentiality of data in transit or storage.

Hashing, on the other hand, is a one-way function that cannot be decrypted back to the original input. A hash takes data of arbitrary size and calculates a fixed-length hash value or digest. With the same input, the same hash output will always be produced. But the hash provides no means to work backwards to the original data. This makes hashing ideal for cryptographically securing passwords.

When a user creates a password, the password is fed through a hashing algorithm, generating a unique hash value. Only this hash is then stored, not the actual password. During login the entered password is re-hashed and the resulting hash compared to the stored one. If they match, the password is verified as correct without the actual password ever being stored or revealed.

Introduction to Cryptographic Hash Functions

Hash functions are fundamental to modern cryptography. A cryptographic hash takes input data, applies complex mathematical transformations, and outputs a fixed-length hash value.

Well-designed hash functions have several key characteristics:

• Deterministic - the same input always produces the same hash output

• One-way function - infeasible to reverse the hashing process

• Collision resistance - very hard to find two different inputs with the same hash

• Avalanche effect - small changes in input lead to drastic changes in output

Popular cryptographic hash functions include MD5, SHA-1, and SHA-256. The SHA (Secure Hash Algorithm) family published by NIST is widely used today. SHA-256 outputs a 256-bit (32 byte) hash value and achieves a very high security margin.

Hash functions enable establishing data integrity. If input data changes even slightly, the resulting hash will be entirely different. By comparing hashes, one can verify whether data has been altered or tampered with. This is why hashes are used with digital signatures and file verification.

Overview of Password Salt Generation

In password security, randomly generated salts strengthen protection. A salt is appended to the original password before hashing to create a unique input. Because salts are random, the same password will hash differently each time.

Salts force attackers to generate hashes for each password guess, rather than precomputing hash tables or rainbow tables. This greatly slows brute force attempts. Proper salt generation relies on a cryptographically-secure random number generator with high entropy.

Salts are usually stored alongside password hashes. This allows verification by extracting the salt, adding it to the entered password, then hashing and comparing. A new random salt is created whenever a user changes their password.

The salt and hash approach prevents scenarios where many user passwords might hash identically. Even simple or common passwords will have unique secure hashes. Overall, salting represents a critical technique for maximizing password security.

How Craft CMS Secures Passwords with Hashing

Benefits of Using bcrypt for Password Hashing

Craft CMS utilizes the bcrypt algorithm for secure password hashing. Bcrypt is considered an industry standard for password storage and represents best practices in cryptography. It was designed specifically for hashing passwords by Niels Provos and David Mazières based on the Blowfish cipher.

Some key advantages of bcrypt that make it ideal for password hashing:

• Slow hash computation - Uses key strengthening to impose a deliberately high workload, deterring brute force attacks. This workload can be customized by adjusting the number of rounds.

• Salted hashing - Generates a random salt per password to produce unique hash outputs, even for identical passwords. This stymies precomputed hash attacks.

• Cryptographically secure - Bcrypt relies on the robust Blowfish cipher and is not vulnerable to mathematical weaknesses. The strong random salts also maximize security.

• Open algorithm - Bcrypt is open source rather than proprietary, allowing transparency and community review. The lack of secrecy enhances confidence in its design.

By leveraging bcrypt, Craft CMS implements password security according to industry best practices and standards. The algorithm's qualities make bcrypt highly formidable against modern password cracking attempts.

Details of bcrypt Password Salting and Hashing

When a user creates or changes their password in Craft CMS, bcrypt is applied with salting and key strengthening to generate a secure hash. Here is an overview of how it works:

First, a 192-bit random salt is generated using a cryptographically-secure random number generator. This salt is then concatenated with the user's plaintext password.

Next, the salted password is fed into the bcrypt key derivation function. An initial hash value is computed using the Blowfish cipher.

The output hash is then reused as input and hashed repeatedly, in a process known as key strengthening or key stretching. Craft CMS applies 60 rounds of hashing by default but this can be configured higher if needed.

Finally, the final hash output is saved along with the randomly generated salt. Only this hash and salt are stored, not the original plaintext password.

On login, the entered password is concatenated with the saved salt, run through the same bcrypt hashing process, and the hashes compared to authenticate the user.

Comparing bcrypt to Other Hashing Algorithms

The bcrypt algorithm has several advantages over other common hashing functions like MD5 and SHA-1 when it comes to password security.

MD5 and SHA-1 were designed for speed and efficiency. But this makes them vulnerable to brute force attacks using hash tables and rainbow tables. Bcrypt deliberately slows down hashing to hinder guessing attempts.

Also, MD5 and SHA-1 produce fixed-length hashes regardless of the input. So all passwords hash to hashes of the same size. With bcrypt, the use of salts and key strengthening result in variable length hash outputs.

While MD5 is now considered completely insecure for password storage, SHA-1 is also showing its age. Neither employ salting or key strengthening. Bcrypt remains the gold standard, with no successful attacks demonstrated thus far. For optimal security, web developers should implement bcrypt rather than outdated hashing algorithms.

Best Practices for Password Security in Craft CMS

Guidelines for Strong User Passwords

While Craft CMS provides robust password security behind the scenes, users still need to choose strong passwords for maximum protection. Here are some tips for creating complex, secure passwords that resist cracking:

• Use 12+ characters - Longer passwords require trying more combinations. Short passwords can be brute forced easily.

• Include uppercase, lowercase, numbers, symbols - Using all character types expands the potential pool dramatically versus just lowercase letters.

• Avoid common words, names, dates - These make passwords too easy to guess through dictionary attacks.

• Don't use patterns like qwerty123 - Predictable patterns won't withstand automated hacking attempts.

• Avoid personal info and reuse - Information like names, dates, pets, etc. should be avoided. Also never reuse the same password across accounts, as breaches spread.

• Consider passphrases - Multiple random words joined together can create memorable and highly complex passwords.

• Use a password manager - Tools like LastPass and 1Password generate and store unique, robust passwords for each service.

With strong master passwords and proper management, users can develop much more secure passwords that integrate seamlessly into Craft's hashed storage.

Enabling Two-Factor Authentication in Craft CMS

An added layer of security for Craft CMS accounts is to enable two-factor authentication (2FA). 2FA requires providing two forms of identity verification - a password plus an additional code or token. This makes it much harder for intruders to access accounts.

Craft allows enabling 2FA for both the admin account as well as regular user accounts. To set up 2FA:

1. Install a compatible 2FA plugin such as Google Authenticator or Authy.

2. Go to Settings > My Account and check the 2FA checkbox.

3. Configure your preferred 2FA method by scanning a QR code or entering a secret key.

4. Optional: For users, enable 2FA under Settings > Users > [User] > 2FA.

With 2FA active, logging into Craft will require entering both your password and current 2FA code from your authentication app or security key. While an extra step, 2FA provides substantial additional protection to user accounts and the CMS.

Importance of Regular Security Maintenance

Like any web platform, it is critical to keep Craft CMS and all Craft CMS plugins updated to receive the latest security enhancements. New vulnerabilities are frequently uncovered, so prompt patching is essential.

Craft makes updating easy through auto-update checks and one-click updates for both the core platform and Craft CMS plugins. Enable auto-updates under Settings > General to automate the process.

Also be sure to review plugin ratings and reports of vulnerabilities before installing third-party plugins. When feasible, opt for well-supported plugins from established developers.

Regularly maintaining and patching Craft CMS hardens it against emerging threats and zero-day attacks. For optimal security, admins should develop consistent update workflows to incorporate fixes as soon as they become available.