Can using a hash without adding a salt string to the password leave the password vulnerable?

A little while ago I needed to figure out which hash had been used to save passwords in the database, so that they were not stored directly as the user types them at registration. Searching, I found the following website, where, if you know the initial password, you can see the results that the various hashes generate on top of that password. It seemed somewhat vulnerable to me because, as soon as I discovered which hash had been used, and since I have access to the database where the password is saved, it was enough to compare what was stored in the database with what the site generated for me, and so I found out which hash had been used.

My point is:

How far does using a salt string in the original password help to make the password even more secure? Because, besides accessing the database and having access to the passwords, it would also be necessary to know which salt string was used, making it more difficult to find out which original password each user registered.

Link to content on Salt

  • Wow, you have already answered your own doubt => besides accessing the database and having access to the passwords, it would also be necessary to know which salt string was used

  • My question is whether it really makes a difference to use a salt string on top of the original password before applying the hash, because nowadays a hash is applied on top of the initial registered password and saved directly in the database; can this be something vulnerable?

  • What algorithm are you using? SHA1? SHA512?

  • @Paulosérgioduff SHA-256

  • This is a good question. I believe all the points raised are already answered in detail in How to hash passwords securely?

1 answer

There is no point at which it is totally safe to use a hash algorithm.

One problem is the dictionary attack on hashes. Services such as https://crackstation.net/ can easily break a hash such as SHA-256. Restricting users to complex passwords to circumvent this (with special characters, numbers, uppercase letters...) may not be so easy, since most security issues come from human factors such as phishing, which achieves a 45% conversion rate according to the security company Returnpath. This gives you a greater responsibility when it comes to security.

Another problem with SHA-256 is that it leaves you vulnerable to brute-force attacks (this also holds for outdated algorithms like MD5 and SHA-1). Hence the idea that using a salt by itself makes the algorithm safer (in the sense that there is a safer option). In the case of your problem, a SQL injection could reveal information from the database, including the salt, for comparison.

This does not mean that there are no options. Some of them:

  1) Force registration of complex passwords, if the application scope allows it.
  2) Insert a token into the hash (if 1 is not possible).
  3) Use bcrypt. The Blowfish-based algorithm lets you set a cost parameter to increase the processing cost of the hash.
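As an added illustration of the answer above (example code written for this page, not from the asker or the answerer): the first part reproduces the attack the question describes, a precomputed table of SHA-256 hashes of common passwords matched against unsalted rows pulled from the database; the second part shows that the same table finds nothing once each row carries its own random salt, and that the attacker then has to redo the wordlist once per user; the third part shows a slow, salted password hash with a tunable cost. Assumptions: the wordlist and the three user accounts are constructed sample data; PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt, which the answer recommends but which needs a third-party package; the 200,000-iteration cost and the `pbkdf2_sha256$iterations$salt$hash` record layout are my own choices.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the original page): a tiny attacker wordlist and
# three users whose plaintext passwords the attacker does not know in advance.
WORDLIST = ["123456", "password", "qwerty", "letmein", "senha123"]
USERS = {"alice": "password", "bob": "letmein", "carol": "password"}

# Assumed cost for the slow hash; tune so one verification takes ~100 ms on your server.
ITERATIONS = 200_000


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def store_unsalted(users: dict) -> dict:
    """Unsalted SHA-256, as in the question: equal passwords give equal stored values."""
    return {u: sha256_hex(p.encode()) for u, p in users.items()}


def crack_unsalted(stored: dict, wordlist: list) -> dict:
    """Dictionary attack: one precomputed table (what a lookup site holds) cracks every row at once."""
    table = {sha256_hex(w.encode()): w for w in wordlist}
    return {u: table[h] for u, h in stored.items() if h in table}


def store_salted(users: dict) -> dict:
    """Per-user random 16-byte salt stored next to the hash; the salt is not a secret."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt.hex(), sha256_hex(salt + p.encode()))
    return out


def crack_salted_with_table(stored: dict, wordlist: list) -> dict:
    """The same precomputed table is useless against salted rows: no hash matches."""
    table = {sha256_hex(w.encode()): w for w in wordlist}
    return {u: table[h] for u, (_salt_hex, h) in stored.items() if h in table}


def crack_salted_per_user(stored: dict, wordlist: list) -> dict:
    """With salts the attacker must re-hash the whole wordlist once per user (users x words work).
    A fast hash like SHA-256 still makes this cheap, which is why the answer recommends bcrypt."""
    found = {}
    for u, (salt_hex, h) in stored.items():
        salt = bytes.fromhex(salt_hex)
        for w in wordlist:
            if sha256_hex(salt + w.encode()) == h:
                found[u] = w
                break
    return found


def store_slow(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256 as a stdlib stand-in for bcrypt).
    Record layout 'pbkdf2_sha256$iterations$salt$hash' is this example's own convention."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_slow(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; constant-time compare avoids a timing leak."""
    _alg, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    plain = store_unsalted(USERS)
    print("unsalted rows cracked by table lookup:", crack_unsalted(plain, WORDLIST))
    print("alice and carol share a hash:", plain["alice"] == plain["carol"])

    salted = store_salted(USERS)
    print("salted rows cracked by table lookup:", crack_salted_with_table(salted, WORDLIST))
    print("salted rows cracked per user:", crack_salted_per_user(salted, WORDLIST))

    rec = store_slow("password")
    print("slow hash verifies:", verify_slow("password", rec), verify_slow("wrong", rec))
```

The salt stops the shared lookup table and hides which users share a password, but it does not stop a per-user brute force when the hash itself is fast; the cost parameter in the last two functions is what makes each guess expensive, which is the point of bcrypt in option 3.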
