
What is the point of salt and hashing if database is accessible?

I just learned the concept of hashing ("Hey! Don't forget the salt!") and using salt to make the password secure.

Hashing is a one-way encryption (actually not encryption but hashing), so it cannot be reverse engineered. Salting is prefixing or appending randomly created values to the password before hashing, because the problem with hashing (just hashing) is that some genius has provided a hash table of words from the dictionary, so that they'll just compare the hashes from that dictionary to the user table from the database to log in - W-wait? Did I say table from the database? So it means somebody can access the database, so we have to use salt? If that's so, then why would the hacker recover the password if he already has access to the database? If I were him, I'd just get all the details I want from the database. Why would I use the key I've stolen from a house to open the door if I can already get into the house through the window?

So, why hash? Why salt? I don't understand. Please, somebody help me.

Thanks in advance.

Important Note: I'm not against hashing or salting, I just want to clarify things.

dpp asked Aug 18 '11 07:08




1 Answer

> If that's so, then why would the hacker recover the password if he already has access to the database?

Reasons are many. Here are a few:

  1. People reuse their passwords, so not leaking everybody's real passwords does limit the impact of such an attack.

  2. Without the real passwords, the hacker will still not be able to log in and, say, post new entries on the hacked system.

  3. Who says all information is stored in the database? What if the database solely consisted of the user name and hashed/salted passwords? Then, knowing the content doesn't help much.

aioobe answered Nov 03 '22 02:11
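An added example (not part of the question or of aioobe's answer) that puts the three points into code: without salt, two users with the same weak password get identical hashes that a precomputed dictionary table recovers instantly; with a per-user random salt the same table finds nothing; and a stolen salted record cannot be replayed as a password at login. The five-word dictionary, the `register` and `verify` helpers and the user records are constructed for this example; a real system would use a slow KDF (PBKDF2, bcrypt, scrypt or Argon2) rather than a single SHA-256.

```python
import hashlib
import hmac
import os

# Constructed sample of the "hash table of words from the dictionary" the question mentions.
DICTIONARY = ["password", "letmein", "dragon", "qwerty", "hunter2"]

def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    # salt || password hashed once. A plain hash is enough to show the salt's effect;
    # production code replaces this with a slow, memory-hard KDF.
    return hashlib.sha256(salt + password.encode()).hexdigest()

def precomputed_table() -> dict:
    # Built once, this table works against every unsalted database.
    return {unsalted_hash(word): word for word in DICTIONARY}

def lookup(table: dict, stored_hash: str):
    return table.get(stored_hash)  # None when the table does not cover the hash

def register(password: str) -> dict:
    # One fresh random salt per user, stored next to the hash (constructed record shape).
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}

def verify(record: dict, attempt: str) -> bool:
    # Constant-time comparison; the attempt is re-salted with the stored salt.
    return hmac.compare_digest(record["hash"], salted_hash(attempt, record["salt"]))

def demo() -> dict:
    table = precomputed_table()
    # Two users who chose the same weak password.
    unsalted_db = {"alice": unsalted_hash("letmein"), "bob": unsalted_hash("letmein")}
    salted_db = {"alice": register("letmein"), "bob": register("letmein")}
    return {
        "unsalted_recovered": {u: lookup(table, h) for u, h in unsalted_db.items()},
        "unsalted_identical": unsalted_db["alice"] == unsalted_db["bob"],
        "salted_recovered": {u: lookup(table, r["hash"]) for u, r in salted_db.items()},
        "salted_identical": salted_db["alice"]["hash"] == salted_db["bob"]["hash"],
        "login_with_password": verify(salted_db["alice"], "letmein"),
        # The answer's point 2: the stolen hash itself is not a usable password.
        "login_with_stolen_hash": verify(salted_db["alice"], salted_db["alice"]["hash"]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```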