Eghes

Reputation: 95

Encryption vs Hashing Passwords

Suppose I want to develop an authentication/user system, and I'd like to be able to recover users' original passwords if I need to. What are the disadvantages of encrypting passwords vs hashing them, from a security point of view?

Of course the application will use just the public key, and authentication will be performed just by comparing the strings encrypted with the public key.

The private key can be used in two ways:

  1. I keep the private key on my offline devices for special manual password recovery operation.
  2. The private key is in the application but encrypted with a password.

Considering that nobody (except me) can access the private key, what are the security weaknesses of these implementation choices compared to hashing passwords?

About the second option: potentially a hacker can hack the application server and wait for me to enter the password that decrypts the private key, but I think in this case the hacker can already do many worse things than wait for the private key to be decrypted (such as simply waiting for users to send their passwords when they log in, and others...)

Thanks

EDIT: What I would mainly like to understand is whether using encryption is as safe as using hashing (of course supposing the cracker can't get the private key).

Upvotes: 0

Views: 882

Answers (2)

WoJ

Reputation: 30045

If your question is whether proper hash algorithms have flaws, and whether proper encryption schemes are correct, then yes - both of them are correct for their intended usage.

This means that, for instance, for hashes there are no collisions and no reversibility. For encryption it would mean that one cannot decrypt within a reasonable time. Please note that these are just two requirements; each has many more of them.

Now, the intended usage is important. If you need to reuse passwords then you will need to store them somehow. There are several possibilities, including encryption. As you noted, the risk is that someone retrieves the key (someone can hack your OS, or hack your application when it uses the key, ...).

I would warmly recommend looking for other possibilities (like authentication brokerage - offloading the authentication to someone else) before jumping into an architecture that stores your passwords and keys.

Upvotes: 1

Umut ERGİN

Reputation: 129

If you want to recover passwords, hashing is out of the question. A hash is a straight-up one-way algorithm. So you have 2 options for encrypting passwords.

1- I keep the private key on my offline devices for special manual password recovery operation.

You could do that, if you are certain that your offline device won't be compromised.

2- The private key is in the application but encrypted with a password.

This could backfire since, in case someone gets access to your code, they can deduce that you are encrypting passwords and storing them that way. That could motivate an attacker to go after your private key.

Given these 2 options, I'd say the first one is more secure, since you only have to worry about the device's physical security.

Upvotes: 0
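As an added illustration (not part of the question or either answer), here is the one-way alternative both answers contrast with encryption: a salted, memory-hard password hash using only the Python standard library. The record format `scrypt$N$r$p$salt$hash`, the cost parameters and the sample users are constructed for this example; there is deliberately no function that recovers the password, which is exactly the property the asker wants to give up.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters (constructed for this example; raise them for
# production hardware). Memory use is 128 * R * N bytes, i.e. 16 MiB here.
N, R, P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt_hex$hash_hex'.

    A fresh 16-byte random salt is drawn per password unless one is
    supplied, so two users with the same password get different records.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=N, r=R, p=P, dklen=DKLEN)
    return "$".join(["scrypt", str(N), str(R), str(P), salt.hex(), dk.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time.

    Malformed or foreign records are rejected rather than raising, so a
    corrupted database row cannot turn into an exception in the login path.
    """
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=len(hash_hex) // 2)
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(dk.hex(), hash_hex)


def demo() -> bool:
    """Constructed user table: register two users who chose the same password."""
    users = {
        "alice": hash_password("correct horse battery staple"),
        "bob": hash_password("correct horse battery staple"),
    }
    # Same password, different stored records (per-user salt).
    assert users["alice"] != users["bob"]
    assert verify_password("correct horse battery staple", users["alice"])
    assert not verify_password("wrong password", users["bob"])
    return True


if __name__ == "__main__":
    print("demo ok" if demo() else "demo failed")
```

Note the contrast with the scheme in the question: because each record carries its own salt, the database reveals nothing about which users share a password, whereas comparing deterministic public-key ciphertexts would make equal passwords visibly equal.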
