That’s all you can do though, extend the time it takes to brute force, so I’m not sure what the distinction being made is.
Comment on Plex got hacked.
moseschrute@lemmy.world 13 hours ago
I don’t think that’s how salts work. I might be wrong, but I think it works like this:
Password + Salt -> Hash
- “p@ssword” + “hakf” -> “hifbskjf”
- “p@ssword” + “jkjh” -> “gaidjshj”
- “p@ssword” + “afgd” -> “afgdufj”
Notice how those 3 users use the same password, but the different salts results in 3 different hashes. That doesn’t make it any harder to crack a single hash, but it means I have to crack the same password 3 times.
Waraugh@lemmy.dbzer0.com 12 hours ago
ramjambamalam@lemmy.ca 8 hours ago
Response time is critical.
moseschrute@lemmy.world 12 hours ago
even if someone brute forces an offline copy of the hashes they wouldn’t result in actual useable passwords
I think maybe I misunderstood this part. I thought you were suggesting that salted hashed passwords were uncrackable but maybe I misunderstood this
Waraugh@lemmy.dbzer0.com 12 hours ago
Gotcha, no, I wasn’t trying to make that claim, it’s just a way to make it more difficult/time consuming
sugar_in_your_tea@sh.itjust.works 12 hours ago
You missed the part about pepper. Pepper is something that’s added, like salt, but that isn’t stored with the password. A low security version of this is an environment variable, but it could also be a secure hardware device on the machine.
So it’s more like this:
If an attacker only has the salt, they’ll “crack” the password into something that’s not the original password:
brute_force(“higbskjf”, “hakf”) -> “kdrnskk”
The idea is that it might take a few days for the attacker to recognize the error, and by then the security team has already responded and locked the backdoor.
Even if the passwords are peppered, users should assume their password is compromised and change them. But peppering may prevent a cascade effect from reused passwords.
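The salt-versus-pepper distinction the thread is circling, as an added example that is not from any commenter (Python; the pepper value, the PBKDF2 parameters and the guess list are constructed, and the pepper stands in for whatever secret store a real deployment uses):

```python
import hashlib
import hmac
import os

# Constructed pepper: in a real deployment this lives outside the database
# (environment variable, KMS, or hardware module), never beside the hashes.
PEPPER = b"constructed-server-side-pepper"


def hash_password(password: str, salt: bytes, pepper: bytes = b"") -> bytes:
    """Salted (and optionally peppered) slow hash. The pepper is applied as an
    HMAC key first, so a dumped row (salt + hash) alone is not enough to verify
    a guess."""
    data = password.encode()
    if pepper:
        data = hmac.new(pepper, data, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", data, salt, 100_000)


def make_record(password: str, pepper: bytes = b"") -> dict:
    salt = os.urandom(16)  # per-user random salt, stored next to the hash
    return {"salt": salt, "hash": hash_password(password, salt, pepper)}


def verify(password: str, record: dict, pepper: bytes = b"") -> bool:
    candidate = hash_password(password, record["salt"], pepper)
    return hmac.compare_digest(record["hash"], candidate)


def offline_guess(record: dict, guesses: list, pepper: bytes = b""):
    """Model of what someone holding only the dumped table can check.
    Without the pepper, even the correct password never matches."""
    for guess in guesses:
        if verify(guess, record, pepper):
            return guess
    return None


def demo():
    # Salt: three users with the same password get three different hashes,
    # so each hash has to be attacked separately.
    records = [make_record("p@ssword") for _ in range(3)]
    distinct = len({r["hash"] for r in records})
    # Pepper: the dump holds salt + hash, but the pepper is not in the dump.
    peppered = make_record("p@ssword", PEPPER)
    guesses = ["123456", "password", "p@ssword"]
    without_pepper = offline_guess(peppered, guesses)        # holder of the dump
    with_pepper = offline_guess(peppered, guesses, PEPPER)   # the server itself
    return distinct, without_pepper, with_pepper
```

`demo()` returns `(3, None, "p@ssword")`: the salts give distinct hashes, the dump alone confirms no guess, and only the side holding the pepper can verify the real password.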
moseschrute@lemmy.world 12 hours ago
I actually didn’t realize pepper was a thing. I mostly do frontend. But that’s really interesting!