I am using a SHA-512 hash 1000 times on a salt + password. Is it safe to return that when querying information about a user or should I secure it and make it available only over HTTPS?
For example, if I make the following request:
GET: http://domain.com/users?id=437
and it returns:
{"firstName":"Eliot","lastName":"My last name","email":"[email protected]","password":[91,49,-34,77,79,-48,67,-62,-12,84,84,-18,-81,23,-92,-31,74,-28,-80,102,60,35,-102,115,18,-76,20,-90,-8,91,13,23],"authToken":"33c977b1-5ab6-4a8a-8da9-68c8028eff92","id":179}
does it matter that it is made public?
Assuming the salt is very long, not knowing the salt would make it nearly impossible to decrypt the hashed password with salt (due to the additional length that the salt adds to the password), but you still have to brute force it even if you do know the salt.
They can be made less effective, but there isn't a way to prevent them altogether. If your password hashing system is secure, the only way to crack the hashes will be to run a dictionary or brute-force attack on each hash.
However, when a hacker steals hashed passwords in a database, they can reverse engineer the hashes to get the real passwords by using a database of words they think might be the password. If any of the hashes match what the hacker has in the database, they now know the original password.
Instead, passwords are “hashed”, or transformed with a one-way function. The result of the transformation, if one is performed correctly, cannot be reversed, and the original password cannot be “decrypted” from the result of a hash function.
Why would you ever return a user's password in response to any public-facing query? It doesn't matter what form the password is returned in -- this is fundamentally insecure!
Passwords can be cracked. Given a hash and knowledge of how the hash was constructed, you can bruteforce the relevant parameters. Even though it takes 1000 times longer, and the salt might have to be bruteforced (if not included in the query response), the possibility still exists (and someone patient enough, with the right resources, might just do it if the value was high enough). Don't take the risk -- just don't disclose the password in any form.
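As an added illustration of the answer above (example code, not from the original thread): the question's hashing scheme, and a response builder that uses a field allowlist so the password hash and auth token can never reach the client, plus a check that flags any body carrying credential material. The user record, salt and password below are constructed values.

```python
import hashlib
import json
from dataclasses import dataclass

# Field allowlist: only these keys may leave the server in a user response.
PUBLIC_FIELDS = ("id", "firstName", "lastName", "email")

# Keys that must never appear in a response body.
SECRET_KEYS = ("password", "password_hash", "authToken", "auth_token")


@dataclass
class User:
    id: int
    firstName: str
    lastName: str
    email: str
    password_hash: bytes   # iterated SHA-512 of salt + password, as in the question
    auth_token: str


def hash_password(salt: bytes, password: str, rounds: int = 1000) -> bytes:
    """The scheme from the question: SHA-512 applied 1000 times to salt + password.
    Shown only to model the stored value; a purpose-built password KDF is preferable."""
    digest = salt + password.encode()
    for _ in range(rounds):
        digest = hashlib.sha512(digest).digest()
    return digest


def public_view(user: User) -> dict:
    """Build the API response by copying only allowlisted fields.
    An allowlist fails safe: a newly added secret field is never exposed by default."""
    return {name: getattr(user, name) for name in PUBLIC_FIELDS}


def leaks_secrets(response_json: str) -> bool:
    """Response check: True if the serialized body carries any credential material."""
    body = json.loads(response_json)
    return any(key in body for key in SECRET_KEYS)


if __name__ == "__main__":
    # Constructed sample user; salt, password and token are made up for this example.
    u = User(179, "Eliot", "My last name", "eliot@example.invalid",
             hash_password(b"constructed-salt", "correct horse"), "TOKEN-PLACEHOLDER")
    body = json.dumps(public_view(u))
    print(body)                      # no "password" or "authToken" key in the output
    print("leaks secrets:", leaks_secrets(body))
```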