Can I Expose The Hashed Salt + Password?

I am using a SHA-512 hash 1000 times on a salt + password. Is it safe to return that when querying information about a user or should I secure it and make it available only over HTTPS?

For example, if I make the following request:

GET: http://domain.com/users?id=437

and it returns:

{"firstName":"Eliot","lastName":"My last name","email":"[email protected]","password":[91,49,-34,77,79,-48,67,-62,-12,84,84,-18,-81,23,-92,-31,74,-28,-80,102,60,35,-102,115,18,-76,20,-90,-8,91,13,23],"authToken":"33c977b1-5ab6-4a8a-8da9-68c8028eff92","id":179}

does it matter that it is made public?

eliot asked Apr 03 '13 01:04


1 Answer

Why would you ever return a user's password in response to any public-facing query? It doesn't matter what form the password is returned in -- this is fundamentally insecure!

Passwords can be cracked. Given a hash and knowledge of how the hash was constructed, you can brute-force the relevant parameters. Even though it takes 1000 times longer, and the salt might have to be brute-forced (if not included in the query response), the possibility still exists (and someone patient enough, with the right resources, might just do it if the value was high enough). Don't take the risk -- just don't disclose the password in any form.

nneonneo answered Sep 23 '22 16:09
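The following is an added example, not code from the asker or the answerer. It reproduces the scheme the question describes (SHA-512 iterated 1000 times over salt + password) so the verification side can be shown, and then applies the answer's advice with an allow-list serializer: the response for GET /users?id=... is built only from fields explicitly named as public, so the password hash, the salt and the authToken (treated here as a secret too, since it is a bearer-style credential in the same response) never reach the client, and a sensitive column added later is not leaked by default. The field names come from the JSON in the question; the random salt, the sample user and the assumption that the question's password list is a Java byte[] rendered as signed integers are constructions for this example. In practice a purpose-built password KDF (PBKDF2, bcrypt, scrypt or Argon2) would replace the hand-rolled loop; it is kept here only to match the question.

```python
import hashlib
import hmac
import os

# Hashing scheme as described in the question: SHA-512 applied 1000 times
# to salt + password. Constructed for illustration; not the asker's code.
ITERATIONS = 1000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Return the iterated SHA-512 digest of salt + password."""
    digest = salt + password.encode("utf-8")
    for _ in range(iterations):
        digest = hashlib.sha512(digest).digest()
    return digest


def verify_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Server-side check; the constant-time compare avoids a timing side channel."""
    return hmac.compare_digest(hash_password(candidate, salt), stored)


def to_signed_bytes(digest: bytes) -> list:
    """Render a digest the way a Java byte[] serializes to JSON (values -128..127).
    Assumption: this is what the 'password' list in the question's response is."""
    return [b - 256 if b > 127 else b for b in digest]


# Allow-list of the fields GET /users?id=... may return. Anything not named
# here (password hash, salt, authToken) is dropped, so a secret column added
# later is not exposed by accident.
PUBLIC_USER_FIELDS = ("id", "firstName", "lastName", "email")


def public_user_view(record: dict) -> dict:
    """Build the client-facing representation from the allow-list only."""
    return {k: record[k] for k in PUBLIC_USER_FIELDS if k in record}


def make_user_record(user_id: int, first: str, last: str, email: str, password: str) -> dict:
    """Constructed stored record, shaped like the response in the question."""
    salt = os.urandom(16)
    return {
        "id": user_id,
        "firstName": first,
        "lastName": last,
        "email": email,
        "salt": salt,
        "password": to_signed_bytes(hash_password(password, salt)),
        "authToken": "constructed-token-placeholder",
    }


if __name__ == "__main__":
    # Sample user constructed for this example.
    record = make_user_record(179, "Eliot", "My last name", "eliot@example.com", "correct horse")
    print(public_user_view(record))  # no password, salt or authToken in the output
```

The allow-list direction matters: a deny-list that strips "password" would still have leaked authToken here, whereas naming the public fields means every other key is withheld unless someone deliberately adds it.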