user1441174

Reputation: 47

Hash and log-in

While designing some login forms, I began to wonder: if passwords are stored as hashes, suppose that someone hacked into one website.

And suppose that users of that website use exactly the same passwords at other sites.

If so, using only the hashes, is it possible to log in to other websites?

Upvotes: 2

Views: 148

Answers (3)

Gumbo

Reputation: 655845

No, you can’t derive the actual password from a hash. That’s a main property of cryptographic hash functions:

Given a hash h it should be difficult to find any message m such that h=hash(m). This concept is related to that of one-way function. Functions that lack this property are vulnerable to preimage attacks.

You can only try to guess the passwords using appropriate attacks (e.g. a dictionary attack or brute-forcing) to find a collision, i.e. an input value that results in the same hash value.

Now there are certain techniques that help attackers to speed up this process of finding collisions like a pre-computed lookup table that maps known hash values onto input values. Rainbow tables are an advanced variant of such lookup tables.

Upvotes: 1

Girish Rao

Reputation: 2669

Hashing the password is only a first line of defence against hackers. If hackers compromise your website and get your database of hashed passwords, they can use their "dictionary" of hashes that map to very frequently used passwords.

Once a hacker knows the hashing scheme you are using (MD5, SHA-1, etc.), then he can determine the original password. This is because these hashing schemes are 1 to 1 for input and output. A password will always produce the same hash, and the hash can be reversed to find the original password.

In order to protect yourself, you should salt the password and then hash the salt+password combination. Each password should be paired with its own unique salt.

See more here: http://codingmayhem.tumblr.com/post/24552289519/storing-passwords-securely

Upvotes: 0

dbkaplun

Reputation: 3658

Usually websites use random salts, so that even if your password is the same on two sites, different sites will store their hashes differently.

Even if websites didn't use random salts, and passwords always hashed to the same thing, you'd still need to know the password before being able to log in to those sites.

Upvotes: 1
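The following is an added, self-contained illustration of the points made in the two answers above (Girish Rao's on per-password salts and dbkaplun's on random salts making the same password hash differently on two sites); it is not code from any of the posters. It uses Python's standard library only. The scheme (PBKDF2-HMAC-SHA256, a 16-byte random salt, a `pbkdf2_sha256$iterations$salt$hash` record format) and the small "dictionary" of common passwords are constructed for the example; the question does not say what scheme the compromised site used.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Example parameters (assumed for this illustration, not taken from the page).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a storable record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt is drawn per call, so two accounts (or two sites)
    that share a password still end up with different stored records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, record: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown password hashing scheme: " + algo)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def unsalted_md5(password: str) -> str:
    """The weak, unsalted scheme the second answer warns about."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed lookup table: a few frequently used passwords mapped from their
# unsalted MD5 value, the kind of "dictionary" of hashes the answers describe.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
MD5_LOOKUP: Dict[str, str] = {unsalted_md5(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(stored_md5: str) -> Optional[str]:
    """Return the password if an unsalted MD5 value is in the precomputed table."""
    return MD5_LOOKUP.get(stored_md5)


def demo(password: str = "letmein") -> Dict[str, object]:
    """Compare what a leaked record from site A tells an attacker about site B."""
    site_a = hash_password(password)   # site A's stored record
    site_b = hash_password(password)   # site B, same password, its own salt
    return {
        # Unsalted MD5: identical on every site and found in a lookup table.
        "unsalted_same_on_both_sites": unsalted_md5(password) == unsalted_md5(password),
        "unsalted_in_lookup_table": lookup_unsalted(unsalted_md5(password)),
        # Salted records differ even though the password is the same.
        "salted_records_differ": site_a != site_b,
        "site_a_verifies": verify_password(password, site_a),
        "site_b_verifies": verify_password(password, site_b),
        # Submitting site A's stolen record as the "password" to site B fails:
        # the login form needs the password itself, not its hash.
        "stolen_record_as_password_rejected": not verify_password(site_a, site_b),
        "wrong_password_rejected": not verify_password("letmeout", site_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the last two checks are what answer the question directly: a stolen salted record is useless as a credential elsewhere, and the attacker still has to guess the password to find the value that verifies.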
