Menu
I am developing a web application in Java and I want to make the authentication process secure
by using hashed passwords.
In hashing
step-1 : we take the password given by the user and add a salt to it.
step-2 : hash it using MessageDigest and store the hashed value in database
While authenticating a user during login process we repeat both the same steps above, but instead of
storing the hashed value we compare it with the value present in database.
Now forgive my ignorance but what I want to say is if a hacker gets access to the database by any other
means, then it can provide security as the hacker cannot get the real text of password from the hashed
value so easily.
BUT how can it provide security against other forms of attacks like Bruteforce attack, Rainbow attack, dictionary attack etc. as we use the same steps to authenticate the user for login?
I don't think hashing of passwords now-a-days value that much.
Give me some suggestions..... if I am wrong.
629
Whereas the transmission of the password should be encrypted, the password hash doesn't need to be encrypted at rest. When properly implemented, password hashing is cryptographically secure. This implementation would involve the use of a salt to overcome the limitations of hash functions.
To the time of writing, SHA-256 is still the most secure hashing algorithm out there. It has never been reverse engineered and is used by many software organizations and institutions, including the U.S. government, to protect sensitive information.
Password hashing is defined as putting a password through a hashing algorithm (bcrypt, SHA, etc) to turn plaintext into an unintelligible series of numbers and letters. This is important for basic security hygiene because, in the event of a security breach, any compromised passwords are unintelligible to the bad actor.
Yes, if done properly. Many modern password hash functions are slow because they do a fast hash calculation thousands of times. This is normally not used as a security property. Normally the number of iterations is stored along with the hash, and not kept secret.
Brute force is brute force. You can't do anything about it except refusing to try the authentication (or imposing a delay) after N successive failed trials. Of course, if the hacker has the hashed password, he will be able to brute force the password, but the point of a secure hashing function is to make that very very long.
Rainbow/dictionary attacks are solved by the salting. If a user chooses "password" as his password, a rainbow/dictionary attack would find the password immediately. But since you salt the password with a random value, the hashed value will be something like d7("58gd0}78sq5sQIazuAKpassword, which won't be in the rainbow table/dictionary.
128
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
