Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Can I Expose The Hashed Salt + Password?

Tags:

security

passwords

public

hash

salt

I am using a SHA-512 hash 1000 times on a salt + password. Is it safe to return that when querying information about a user or should I secure it and make it available only over HTTPS?

For example, if I make the following request:

GET: http://domain.com/users?id=437

and it returns:

{"firstName":"Eliot","lastName":"My last name","email":"[email protected]","password":[91,49,-34,77,79,-48,67,-62,-12,84,84,-18,-81,23,-92,-31,74,-28,-80,102,60,35,-102,115,18,-76,20,-90,-8,91,13,23],"authToken":"33c977b1-5ab6-4a8a-8da9-68c8028eff92","id":179}

does it matter that it is made public?

like image 855
eliot Avatar asked Apr 03 '13 01:04

eliot

People also ask

Can salted and hashed passwords be decrypted?

Assuming the salt is very long, not knowing the salt would make it nearly impossible to decrypt hash password with salt(due to the additional length that the salt adds to the password), but you still have to brute force even if you do know the salt.

Can a hashed and salted password be cracked?

They can be made less effective, but there isn't a way to prevent them altogether. If your password hashing system is secure, the only way to crack the hashes will be to run a dictionary or brute-force attack on each hash.

Can you hack a hashed password?

However, when a hacker steals hashed passwords in a database, they can reverse engineer the hashes to get the real passwords by using a database of words they think might be the password. If any of the hashes match what the hacker has in the database, they now know the original password.

Can hashed passwords be decrypted?

Instead, passwords are “hashed”, or transformed with a one-way function. The result of the transformation, if one is performed correctly, cannot be reversed, and the original password cannot be “decrypted” from the result of a hash function.

1 Answers

Why would you ever return a user's password in response to any public-facing query? It doesn't matter what form the password is returned in -- this is fundamentally insecure!

Passwords can be cracked. Given a hash and knowledge of how the hash was constructed, you can bruteforce the relevant parameters. Even though it takes 1000 times longer, and the salt might have to be bruteforced (if not included in the query response), the possibility still exists (and someone patient enough, with the right resources, might just do it if the value was high enough). Don't take the risk -- just don't disclose the password in any form.

like image 162
nneonneo Avatar answered Sep 23 '22 16:09

nneonneo
Sign in to Comment

Related questions

Handling App Transport Security (kCFStreamErrorDomainSSL, -9802)
Rails 5 - Can anyone explain how generating a URL from non-sanitized request parameters is unsafe?
Electron: How to securely inject global variable into BrowserWindow / BrowserView?
As a ASP.NET programmer, do I need to be concerned about email injection attacks?
CSRF Validation Token: session id safe?
Access own bank account via self-written application
CryptographicException intermittently occurs when encrypting/decrypting with RSA
Extending Type Safety to prevent dirty data coming from being used against functions that require "clean" data [closed]
Sanitize contact form without mysql_real_escape_string
How secure is 64-bit RC2?
Code Access Security is a joke?
Large scale internet application, where to start?
PHP script protection
Is chmod 757 safe?
Session injection?
Is there any security benefit to encrypting session variables? [closed]
where is the security in PHP 5.4 by removing safe_mode
This jar contains entries whose signer certificate will expire within six months
Prevent browsers from auto-filling form fields
Compile-time / Post-Build Dependency Injection IoC?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!