Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How does hashing and salting passwords make the application secure?

As much as I understand it is a good idea to keep passwords secret from the site administrator himself because he could try to take a user's email and log into his mailbox using the same password (since many users use the same password everywhere).

Beyond that I do not see the point. I know it makes more difficult the dictionary attack but... if someone unauthorized got into the database, isn't it too late to worry about passwords? The guy has now access to all tables in the database and in a position to take all the data and do whatever he wants.

Or am I missing something?

like image 943
User Avatar asked Nov 28 '22 00:11

User


2 Answers

The bigger problem is that people tend to use the same password everywhere. So if you obtain a database of usernames and unsalted passwords, chances are good they might work elsewhere, like hotmail, gmail etc.

like image 68
Paul Dixon Avatar answered Dec 06 '22 17:12

Paul Dixon


The guy might be in a position to do everything he/she wants to your system, but you shouldn't allow him/her to do anything with other systems (by using your users' passwords).

Password is a property of your users. You should keep it safely.

like image 27
mmx Avatar answered Dec 06 '22 17:12

mmx