Reputation: 101
Why can't we store every hashed password ever in storage(HDD) and use that to match the hashed password instead of use brute force password cracking?
So let's say we somehow got the hashed password of a victim.
So the brute force approach is to take every possible string, hash it and check if it matches the victims hashed password. If it does we can use that string is the password and hence hacked.
But this requires a great deal of computational power and good amount of time even for strings with 6-8 characters.
But what if we can hash every possible string with less than 10(some) characters and store it in storage like a sorted database before hand. So that when you get the hashed password you can easily look up the table and get the password.
P.S:-
For this example let's say we are working with only one type of hashing algorithm and have huge data servers to store data.
I'm new to security and this a very very basic question but for some reason the answer to the question was really hard to find on the internet.
Upvotes: 0
Views: 114
Answers (1)
Reputation: 15589
This is called a rainbow table, and is very much a known concept.
It is also the reason you should never just store the hash of passwords. A salt (a random string added to the password and then stored with the hash as plaintext for verification) can easily mitigate this attack by effectively making it impossible to use a rainbow table and force recomputation.
Also just for completeness it's important to note that plain cryptographic hashes are not adequate anymore to be used for credentials (passwords), because they are too fast, which means it's too fast to generate a rainbow table for a given salt, effectively bruteforcing a password. Specialized hardware makes it feasible to recover relatively strong passwords if only hashed with a plain crypto hash, even if using a salt.
So the best practice is to use a key derivation function (KDF) to generate your password hashes in a way that makes it very slow (infeasible) to brute force, but fast enough to verify. Also in most known implementations adding a random salt to each hash is automatic and the whole thing is just secure.
Such algorithms are for example PBKDF2, bcrypt, scrypt or more recently, Argon2. Each of these have different characteristics, and are more resistant against different attacks.
Upvotes: 2
Related Questions
- Why aren't original passwords stored?
- What is the point of hashing?
- Why is it considered OK to store both the password hash and salt in the same place?
- Why hash passwords while the database is already compromised?
- Why should I care about hashing passwords anyway?
- Why not use MD5 for password hashing?
- Password-hashs: infinite amount of right passwords?
- Is it ok to store passwords that are able to be retrieved?
- Password hashing: Is this a way to avoid collisions?
- Hashing passwords for on-disk storage (More details inside)