Comment

Waraugh@lemmy.dbzer0.com ⁨17⁩ ⁨hours⁩ ago

If they are following best practices then individual hashes should be salted and the database of hashes should be peppered so even if singing brute forces an offline copy of the hashes they wouldn’t result in actual useable passwords.

source

Sort:hotnew top

moseschrute@lemmy.world ⁨17⁩ ⁨hours⁩ ago
I don’t think that’s how salts work. I might be wrong, but I think it works like this

Password + Salt -> Hash

“p@ssword” + “hakf” -> “hifbskjf”

“p@ssword” + “jkjh” -> “gaidjshj”

“p@ssword” + “afgd” -> “afgdufj”

Notice how those 3 users use the same password, but the different salts results in 3 different hashes. That doesn’t make it any harder to crack a single hash, but it means I have to crack the same password 3 times.
source
- sugar_in_your_tea@sh.itjust.works ⁨16⁩ ⁨hours⁩ ago
  You missed the part about pepper. Pepper is something that’s added, like salt, but that isn’t stored with the password. A low security version of this is an environment variable, but it could also be a secure hardware device on the machine.
  
  So it’s more like this:
  
  “p@ssword” + “hakf” + “pepper” -> “hifbskjf”
  
  “p@ssword” + “jkjh” + “pepper” -> “gaidjshj”
  
  If an attacker only has the salt, they’ll “crack” the password into something that’s not the original password: brute_force(“higbskjf”, “hakf”) - > “kdrnskk”. The idea is that it might take a few days for the attacker to recognize the error, and by then the security team has already responded and locked the backdoor.
  
  Even if the passwords are peppered, users should assume their password is compromised and change them. But peppering may prevent a cascade effect from reused passwords.
  
  source
  - moseschrute@lemmy.world ⁨16⁩ ⁨hours⁩ ago
    I actually didn’t realize pepper was a thing. I mostly do frontend. But that’s really interesting!
    
    source
- Waraugh@lemmy.dbzer0.com ⁨17⁩ ⁨hours⁩ ago
  That’s all you can do though, extend the time it takes to brute force, so I’m not sure what the distinction being made is.
  
  source
  - moseschrute@lemmy.world ⁨16⁩ ⁨hours⁩ ago
    
    even if someone brute forces an offline copy of the hashes they wouldn’t result in actual useable passwords
    
    I think maybe I misunderstood this part. I thought you were suggesting that salted hashed passwords were uncrackable but maybe I misunderstood this
    
    source
    Waraugh@lemmy.dbzer0.com ⁨16⁩ ⁨hours⁩ ago
    Gotcha, no, I wasn’t trying to make that claim, it’s just a way to make it more difficult/time consuming
    
    source
  - ramjambamalam@lemmy.ca ⁨12⁩ ⁨hours⁩ ago
    Response time is critical.
    
    source