Hashing passwords even when password is server-generated?

Question

Shall I hash users of my portal when password is generated by server and user cannot change it? Logically:

1. User can't use this passwords anywhere else as it is server-generated.

2. Even when somebody access database illegally, they can change password and see it, but it is useless for them as it is not used anywhere else.

Am I right? Or hashing still should be implemented...?

Answer 1

Hashing should be implemented because hashing is to protect against a server compromise, not a client / end user compromise. For more security you should use a salt and password hashing algorithm when hashing passwords as well.

The reasoning is that if your server is compromised, either through an outside attack (e.g. SQL injection, SSH heartbleed, etc.) or an inside attack (e.g. malicious employee if you have them), then the passwords or hashes can be retrieved. If they are retrieved, you want to make it very difficult for the attacker to use the retrieved data to compromise your system. Hashed passwords with salts are much harder for an attacker to use than a plaintext password which they can use with the right username.

• Non-hashed passwords: If someone can retrieve non-hashed passwords, they can directly use them to impersonate end users.
• Hashed passwords without salt: If someone can retrieve hashed passwords that are created without salts, they can perform a dictionary or brute-force attack to find the passwords by hashing words in a dictionary or all strings.
• Hashed passwords with salt: If you add a salt, then the attacker that has retrieved your hashed passwords will also need to know your salt to efficiently attack the passwords, e.g. via a dictionary attack.

Additionally, when hashing passwords, you should use a hashing algorithm specifically designed for passwords, e.g. bcrypt, and not a general purpose hashing algorithm like SHA. This is because general purpose algorithms are designed to be very fast, making it easier for an attacker to perform a dictionary or brute force attack. A password hashing algorithm like bcrypt is slow to hash so it will slow down the attacker.

Answer 2

Security is something done in layers and each layer is designed to raise the cost of doing something you don't want them to. Do security guards prevent robberies? No, but they raise the cost of committing one to where most people won't bother.

Hashes don't prevent people from hacking your users but an unencrypted password is an open invitation for anyone who gains access to that data to log into your users' accounts freely for as long as it takes you to discover the hack.

Answer 3

always hash passwords never store them in plain text, even if you think only you will ever see/use it.