Hash Value Security Improvement of PCS Password using Signed Binary Operation

Convenience and security have always been inversely related requirements in data protection systems. Users want a short and simple password that is easy to remember. On the other hand, the system widely used to secure user data, especially passwords, is a one-way message digest. In addition, users are required to use complex passwords that combine letters, numbers, and symbols. This aims to increase security, but a complex password is difficult for users to remember. Moreover, a complex password is not necessarily secure, because it is still within the PCS, which is vulnerable to hacking. Password hacking systems are now very easy to obtain and can be used by anyone to find the hash value of a password in the PCS quickly. A preliminary test proves that even complex passwords can be hacked easily. This study proposes a code extension system applied to passwords before hashing, through two simple schemes, C1 and C2, which use the bitwise xor and addition operators respectively. The code from the password data is mapped out of the PCS by using a unique value of the data. Experimental results show that the C1 scheme is able to thwart hacking attempts by 80%, while C2 is able to increase the security of alphanumeric passwords by up to 90%. The proposed method is able to make a simple but strong password system.


Introduction
Data security systems that use hashing have become a major requirement in maintaining confidentiality, especially for user password data in a database. The popular algorithms used today are Message Digest (MD) and Secure Hash Algorithm (SHA), which map a string to a hash value of a certain length. This method is one-way: the hash value cannot be decrypted, so the password data cannot be known by anyone, including the system owner. In general, users are required to use a long password that combines capital letters, numbers, and symbols to strengthen the security system [1]. On the other hand, such passwords are difficult for users to remember [2].
In fact, a security system that uses hashing and complex passwords does not guarantee data security. The password entered by the user is still within the Printable Character Set (PCS), which has a very limited number of characters and is easy to crack with a password guessing tool such as Hashcat [3], [4], which is easily available on the internet. Password guessing methods fall into 3 categories, namely brute force, dictionary and rainbow table [5]. Brute force is the method that requires the least effort from a human point of view. The third party just needs to create a simple program that tries all possible passwords protecting the data until it finds the correct password to unlock the data encryption. Another scheme, called a dictionary attack, is almost similar to brute force, but it uses a dictionary that contains a collection of words that are likely to be the password being searched for.
Many studies have explained the dangers of hash-solving systems such as Hashcat, because they can be applied widely, for example to open source websites, instant messaging applications [6], smart phone devices [7], and cryptographic currency accounts [8], and can be run in a distributed manner [9]. Research on intelligent password cracking systems is also continuously being developed [10], supported by the speed of computer devices, which will continue to double every couple of years. Brute force systems such as Hashcat use the Printable Character Set (PCS) as the main target for efficiently finding the hash value of data with low entropy; this can even be done using only the desktop or laptop computers that most people own. Therefore, this article proposes a pre-hash coding system that uses a unique id (UID) to encode the data before the hash process is carried out on the database. The purpose of the system is to move the data out of the PCS values so that the entropy increases and the success rate of the brute force system in Hashcat is reduced significantly at low computational cost.

Password Security
Hashcat is one of the wordlist-based password guessing tools [11] that exploit both CPU and GPU [12]. It has many hash modes for finding the correct hash value of data and can be operated in brute-force mode to find uncommon or unusual passwords in the PCS. Generally there are 15 types of password pattern [12], which have different security levels as shown in Table 1. Users can only use these patterns for their passwords, yet all of the patterns are within the PCS, which can be solved easily. Hashcat has 5 character sets that can be used to solve the 15 existing password patterns through brute force mode, as shown in Table 2. Hashcat is intended to help users recover a forgotten password and to test the security of a system under development. However, it is mostly used by third parties to hack passwords stored in databases. This is usually done for malicious purposes such as personal data theft, or for other purposes such as learning or practicing hacking. Hashcat has tremendous benefits and is also a very dangerous threat. System owners cannot simply block it for security purposes, because they also need it for system testing. The best solution is to take advantage of the unique value of each record stored in the database. A unique value is generally used to find the data index in a database. This paper proposes using this value to prevent data hacking, which is discussed in the next section.

The Proposed Method
This paper proposes a scheme to improve the security of password data through a hash coding system that uses a UID value before the data is stored in the database, as shown in Figure 1. The coding maps the PCS, which has 95 values, into the Extended Character Set (ECS), which has 256 values in 8 bits, as follows:
1. Determine the initial number (seed) s, which can be taken from the unique value of each user.
2. Get the character length n from the data/plaintext P.
3. Generate the unique code U of length n.
4. Encode the data to get the pre-hash code value C, with 2 alternatives as follows:

The hash coding models in equations (1) and (2) are carried out through the bitwise xor operator and the mathematical addition operator respectively, applied to the unique value U. Both coding systems have a low order, so they are able to map values to the maximum range of 8-bit values with a low computational and data storage cost. The encoded data will then be stored in an MD5 encrypted database. The security level test will be carried out using a brute-force attack with Hashcat on the P and C values, and the results are then compared to calculate the success rate of the proposed model. In addition, the processing speed of the two variables will also be compared to ensure that the proposed model is able to run fast.
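The four steps above, as an added example that is not the paper's own code: it derives U from a user's unique value, applies the xor (C1) and addition (C2) codings, hashes the result with MD5, and counts how many coded bytes fall outside the 95-value PCS. The SHA-256 counter-mode generator for U, the modulo-256 wrap in C2, and all function names and sample values are assumptions, since the page does not give the generator or the equations.

```python
import hashlib

PCS = range(0x20, 0x7F)  # the 95 printable ASCII values

def gen_u(uid: str, n: int) -> bytes:
    """Steps 1-3: derive an n-byte unique code U from the user's unique value.
    ASSUMPTION: SHA-256 in counter mode stands in for the paper's generator."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(f"{uid}:{counter}".encode()).digest()
        counter += 1
    return out[:n]

def encode_c1(p: bytes, u: bytes) -> bytes:
    """Scheme C1: bitwise xor of each password byte with the matching U byte."""
    return bytes(a ^ b for a, b in zip(p, u))

def encode_c2(p: bytes, u: bytes) -> bytes:
    """Scheme C2: addition. ASSUMPTION: wrap modulo 256 to stay within 8 bits."""
    return bytes((a + b) % 256 for a, b in zip(p, u))

def outside_pcs(code: bytes) -> int:
    """Number of coded bytes that a PCS-only search space does not contain."""
    return sum(1 for b in code if b not in PCS)

def prehash_md5(password: str, uid: str, scheme=encode_c1) -> str:
    """Step 4 plus storage: code the password, then hash the coded bytes."""
    p = password.encode("ascii")
    return hashlib.md5(scheme(p, gen_u(uid, len(p)))).hexdigest()

if __name__ == "__main__":
    # Constructed sample: a 5-character alphanumeric password and a made-up UID.
    pw, uid = "ab1Z9", "user-1001"
    p = pw.encode("ascii")
    u = gen_u(uid, len(p))
    for name, scheme in (("C1", encode_c1), ("C2", encode_c2)):
        code = scheme(p, u)
        print(name, code.hex(), "bytes outside PCS:", outside_pcs(code),
              "md5:", prehash_md5(pw, uid, scheme))
```

Because U is reproducible from a value stored beside the hash, the coding acts like a per-user salt toward anyone who knows the derivation; the count printed here measures only how far the coded bytes move out of the range a PCS-only search covers.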

Results and Discussion
In the case of data hacking, hackers or sniffers generally copy the encrypted database through a data stream or data sniffing and then perform the hack on a local device. This is done because it is almost impossible to do it directly against online systems that are tightly protected, including by firewalls and captcha. This research was conducted with a mid-end device with the following specifications:
- Type: MSI GL62M 7RDX
- Processor: Core(TM) i7-7700HQ CPU @2.80GHz
- GPU: GTX 1050
- RAM: 4GB DDR4 @2400MHz
- OS: Windows 10 Education 20H2

The first experiment was conducted to show the capability of Hashcat in cracking the hash value of random passwords using pattern 15, which is the pattern most often used in password requirements and is considered the strongest pattern today. Table 3 shows that all of the passwords were cracked, with a fastest time of 3.84 seconds, a slowest time of 9.03 seconds, and an average time of 5.92 seconds. The set A requires large resources and computing times up to 3 times slower when compared to the LUD. However, the average time it takes to solve the hash value of a password is very short. This proves that the use of combinations of letters and numbers does not guarantee the security of data.

The next experiment was conducted to compare the performance of the C1 and C2 models in securing passwords. Table 4 shows the experiment result using 10 sample passwords that are 5 characters long. Two samples could be cracked, and they consist of alphanumeric characters. Meanwhile, the samples that include symbols tend to be secure. The use of bitwise xor operations with unique values will further map 6-bit values to 8-bit values. A pre-hash system with the bitwise xor operator will therefore work better for passwords that include symbol characters. This is because 66% of symbol characters are in the 6-bit range, while only 15% of alphanumeric characters are in that range.

In the second scheme, the test was done using the mathematical addition operator with equation (2) and obtained a better result, as shown in Table 5. Only one sample could be cracked, and it contains a symbol character, while all of the alphanumeric samples failed to crack. This is in accordance with the workings of the addition operator on a unique value, where values in the 6-bit range are mostly mapped to the 7-bit range, which is still within the PCS, while values in the 7-bit range are mostly mapped to 8 bits, which is outside the PCS. 85% of alphanumeric characters are in the 7-bit range, while only 33% of symbol characters are in that range. The comparison of the two proposed methods in Figure 2 shows that C2 outperforms C1. The test results also show that the threshold value between cracked and failed is in the range of 8.22 to 8.84, with an average time of 8.53. Generating a hash value that takes longer than 8.5 seconds indicates that the value is approaching the initial limit of the ECS, so it tends to fail.

The last test was carried out to confirm the capability of the proposed method on longer password samples, as shown in Table 6. It shows that one alphanumeric sample and two samples with symbols were cracked. This result is in line with the previous test, where the C2 scheme works better on alphanumeric passwords. A significant difference occurs in the processing time: a sample with 5 characters can be cracked in less than 10 seconds, while for 6 characters it takes about 5 minutes.

Conclusion
Most users need a password that is short and easy to remember. Meanwhile, system requirements force users to create a complex password for security reasons. Yet complex passwords are not necessarily able to overcome current threats, which occur often because it is easy to get a password guessing tool on the internet. This paper proposes a method that is able to improve the security of short passwords. The password is mapped outside the PCS using the unique value, so it is more difficult to crack. The experiment results show that the proposed scheme C1 is able to improve password security by 80%, while scheme C2 successfully thwarted hacking on alphanumeric characters by 90%. Alphanumeric characters are used in most current passwords because they are easy to remember. The experiment results show that the proposed method is able to make a short and simple password more secure.

Figure 1. The Proposed Scheme

Table 3. Test Result on Pattern 15

Table 4. Test Result on Proposed Scheme C1

Table 5. Test Result on Proposed Scheme C2

Table 6. Test Result on Proposed Scheme C2 using 6 Character Set