Comment on Plex got hacked.
Waraugh@lemmy.dbzer0.com 17 hours ago
If they are following best practices then individual hashes should be salted and the database of hashes should be peppered, so even if someone brute forces an offline copy of the hashes they wouldn’t result in actual usable passwords.
moseschrute@lemmy.world 17 hours ago
I don’t think that’s how salts work. I might be wrong, but I think it works like this:
Password + Salt -> Hash
Notice how those 3 users use the same password, but the different salts results in 3 different hashes. That doesn’t make it any harder to crack a single hash, but it means I have to crack the same password 3 times.
sugar_in_your_tea@sh.itjust.works 16 hours ago
You missed the part about pepper. Pepper is something that’s added, like salt, but that isn’t stored with the password. A low security version of this is an environment variable, but it could also be a secure hardware device on the machine.
So it’s more like this:
If an attacker only has the salt, they’ll “crack” the password into something that’s not the original password:
brute_force("higbskjf", "hakf") -> "kdrnskk"
The idea is that it might take a few days for the attacker to recognize the error, and by then the security team has already responded and locked the backdoor. Even if the passwords are peppered, users should assume their password is compromised and change them. But peppering may prevent a cascade effect from reused passwords.
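As an added example (not from any commenter in this thread), the following Python shows both points made above: the same password under three different salts gives three different stored hashes, and a hash computed with a pepper that is kept outside the database cannot be verified, or cracked to the real password, from the stored (salt, hash) pair alone. The pepper value and the choice of PBKDF2 as the slow hash are assumptions for the demo; in a real deployment the pepper would come from an environment variable or a hardware secret store, never from the same database as the hashes.

```python
import hashlib
import hmac
import secrets

# Assumption: a constructed pepper. In production it is held outside the
# user database (environment variable, KMS, or an HSM), so a leaked table
# of (salt, hash) rows is not enough to check or crack candidate passwords.
PEPPER = b"constructed-demo-pepper-not-in-db"


def hash_password(password, pepper, salt=None):
    """Return (salt, digest). Only the salt is stored beside the digest."""
    if salt is None:
        salt = secrets.token_bytes(16)  # per-user random salt
    # Mix the pepper in with HMAC first, then run the slow KDF over the
    # result with the per-user salt (100k PBKDF2 iterations as a demo cost).
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, 100_000)
    return salt, digest


def verify_password(password, pepper, salt, digest):
    """Constant-time comparison against the stored digest."""
    _, candidate = hash_password(password, pepper, salt)
    return hmac.compare_digest(candidate, digest)


def distinct_hashes_for_same_password(password, pepper, users=3):
    """Same password for several users -> one distinct digest per salt."""
    records = [hash_password(password, pepper) for _ in range(users)]
    return len({digest for _, digest in records})


def verifiable_without_pepper(password, pepper):
    """Shows the pepper is required: an attacker with only (salt, digest)
    and a guessed pepper cannot confirm even the correct password."""
    salt, digest = hash_password(password, pepper)
    wrong_pepper = b"attacker-guess"
    return verify_password(password, wrong_pepper, salt, digest)


if __name__ == "__main__":
    print(distinct_hashes_for_same_password("correct horse", PEPPER))  # 3
    print(verifiable_without_pepper("correct horse", PEPPER))          # False
```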
moseschrute@lemmy.world 16 hours ago
I actually didn’t realize pepper was a thing. I mostly do frontend. But that’s really interesting!
Waraugh@lemmy.dbzer0.com 17 hours ago
That’s all you can do though, extend the time it takes to brute force, so I’m not sure what the distinction being made is.
moseschrute@lemmy.world 16 hours ago
I think maybe I misunderstood this part. I thought you were suggesting that salted hashed passwords were uncrackable, but maybe I misunderstood this.
Waraugh@lemmy.dbzer0.com 16 hours ago
Gotcha, no, I wasn’t trying to make that claim, it’s just a way to make it more difficult/time consuming.
ramjambamalam@lemmy.ca 12 hours ago
Response time is critical.