Using Hash, without adding a Salt chain to the password, can make the password vulnerable? [duplicate]

3

Shortly you needed to find out which hash had been used to save the passwords in the database so that they were not saved directly according to what the user launches at the time of their registration. Searching I found the following website , which if you know the initial password you can see the results that the hash's will generate on top of this password. this seemed somewhat vulnerable to me as soon as I discovered what Hash had been used, and since I have access to the bank where the passwords are saved, I just compared what was stored in the bank with what the site generated me and so I discovered which Hash had been used.

My question is:

To use a salt string in the original password helps make the password even safer, as it would be necessary to access the database and access the passwords, salt was used, making it more difficult to find out the original password entered by users.

Link to content on Salt

    
asked by anonymous 22.05.2017 / 22:35

1 answer

3

There is no point where it is entirely safe to use a hash algorithm .

One problem is the dictionary attack on top of hashes . Services such as link can easily break a hash such as SHA256. Restricting the user to use complex passwords to circumvent this (with characters, numbers, capital letters ...) may not be so easy, since most security problems come from human factors, such as phishing , which achieves a conversion rate of 45% according to security company ReturnPath . What gives you a greater responsibility at the time of security. Another problem when using SHA256, leaves it vulnerable to attack by brute force processing

a> (this holds for outdated algorithms such as MD5 and SHA1). Therefore, it is 'false' that using salt leaves the algorithm more secure by itself (in the sense of a safer option). In the case of your problem, a SQL injection could reveal database information for comparison of salt .

That's not to say that there are no options. Some of them:

  • 1) Force a registry of complex passwords. If the application scope allow.
  • 2) Enter token within the hash (if it is not possible to 1).
  • 3) Use bcrypt . The bluefish algorithm allows parameter creation to increase the complexity of the hash.
22.05.2017 / 23:58