Hashing passwords is a defense against a specific attack.

The attack is: stealing a copy of the entire password file (users table, LDAP database, etc.), downloading it to one's own computer, and attempting to recover the users' passwords from it.

The goal of the attack is: to find users who reuse their usernames and passwords across websites, and log into those users' email, bank, social-network, and other accounts.

The hashing-passwords defense works like this: the passwords are not stored directly, and any attempt to recover the original passwords requires the attacker to perform an extremely large amount of work, at least compared with the work required to check whether a password the user enters when logging in matches the one on file.

There are multiple variations on this defense, including choosing better hashes, salting the hashes, iterating the hashes, etc. Their purpose is to make the defense stronger than it would otherwise be, and to defend against variants of the attack (precomputed tables, cracking many users at once, fast hardware) which are capable of getting around the simpler versions.

The hashing-passwords defense is not a defense against just any attack. For example, it does not help against an attack where the attacker gains arbitrary write access to the database, overwrites every user's stored password with one of their own choosing, and logs in to all the users' accounts on that website. The defense only defends against the offline password-stealing attack.

So you need to be aware of the different types of attacks, and to defend against each of them using a defense which works against that type of attack.

You are right: if an attacker gains write access, they can change other people's passwords and gain access to the accounts. The main purpose of salting passwords is to raise the bar on cracking passwords, which is useful even if the attacker has write access, because finding out someone's password can give the attacker access to that user's other accounts, since people reuse passwords all the time. Now, that said, it is important to remember a few subtleties when it comes to the benefits of salts.
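The points above, worked through in code. This is an added example and not code from the original post: it stores passwords with PBKDF2-HMAC-SHA256 (a salted, iterated hash from the standard library), runs the offline attack against an unsalted single-round SHA-256 table and against the salted table, and then shows the attack the defense does not cover, where an attacker with write access simply replaces a stored record. The usernames, passwords, wordlist and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed example parameters, not from the original post. The iteration count is the
# "work factor": each guess the attacker makes costs this many HMAC computations.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
DKLEN = 32


@dataclass
class StoredCredential:
    """What the server keeps on file instead of the password itself."""
    salt: bytes
    iterations: int
    digest: bytes


def naive_hash(password: str) -> bytes:
    """The simpler defense: unsalted, single-round SHA-256. Same password -> same digest."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def store_password(password: str, iterations: int = PBKDF2_ITERATIONS,
                   salt: Optional[bytes] = None) -> StoredCredential:
    """Salted, iterated hash. A fresh random salt per user, stored next to the digest."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return StoredCredential(salt=salt, iterations=iterations, digest=digest)


def verify_password(password: str, cred: StoredCredential) -> bool:
    """Login check: one PBKDF2 computation, compared in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    cred.salt, cred.iterations, dklen=DKLEN)
    return hmac.compare_digest(candidate, cred.digest)


def offline_crack_unsalted(stolen: Dict[str, bytes], wordlist: List[str]) -> Dict[str, str]:
    """Offline attack on unsalted hashes: one precomputed table cracks every user at once."""
    table = {naive_hash(w): w for w in wordlist}
    return {user: table[d] for user, d in stolen.items() if d in table}


def offline_crack(stolen: Dict[str, StoredCredential], wordlist: List[str]) -> Dict[str, str]:
    """Offline attack on salted, iterated hashes: no shared table is possible, so every
    guess must be recomputed per user, at the full iteration cost each time."""
    recovered = {}
    for user, cred in stolen.items():
        for guess in wordlist:
            if verify_password(guess, cred):
                recovered[user] = guess
                break
    return recovered


def attacker_overwrites(db: Dict[str, StoredCredential], victim: str, attacker_pw: str) -> bool:
    """The attack hashing does NOT defend against: with write access the attacker stores a
    record for a password they already know, then logs in as the victim."""
    db[victim] = store_password(attacker_pw, iterations=db[victim].iterations)
    return verify_password(attacker_pw, db[victim])


def demo(iterations: int = PBKDF2_ITERATIONS) -> dict:
    # Constructed users and a tiny constructed wordlist (an attacker would use millions).
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery staple"}
    wordlist = ["123456", "password", "hunter2", "letmein"]

    unsalted = {u: naive_hash(p) for u, p in users.items()}
    salted = {u: store_password(p, iterations) for u, p in users.items()}

    results = {
        # alice and bob share a password: visible in the unsalted table, hidden by salts.
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "salted_identical": salted["alice"].digest == salted["bob"].digest,
        # Both tables fall to the dictionary, but the salted one costs iterations x users x words.
        "cracked_unsalted": offline_crack_unsalted(unsalted, wordlist),
        "cracked_salted": offline_crack(salted, wordlist),
        # Write access bypasses the defense entirely.
        "overwrite_login_ok": attacker_overwrites(salted, "alice", "attacker-chosen"),
    }
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Carol's passphrase is not in the wordlist and survives both offline attacks; alice and bob are recovered either way, which is the "raise the bar, not a wall" point of the post: salting and iterating make each guess cost the attacker as much as one login check costs the server, and remove the shortcut of cracking all users with one table, but they do nothing once the attacker can write to the record.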