undefined | Better HN

0 pointsbenrutter9mo ago0 comments

That's still not perfect though!

Most leaked passwords online come initially from leaked hashes, which bad actors use tools like hashcat to crack.

If your user has a password like "password123" and the hash gets out, then the password is effectively out too, since people can easily lookup the hash of previous cracked passwords like "password123".

0 comments

csnover9mo ago

No. This is why salts[0] are used.

[0] https://en.wikipedia.org/wiki/Salt_(cryptography)

integralid9mo ago

This is how it should be done. But it still doesn't protect users fully, because attacker can try to brute-force passwords their interested in. It requires much more effort though.

incorrecthorse9mo ago

And compute-intensive hash functions. Computers this day are powerful enough to hashcat each individual pwd+salt if a fast hashing function is used.

Macha9mo ago

Salting already fixed this decades ago, and most modern password libraries will automatically generate and verify against a hash like <method>$salt$saltedhash if you use them instead of rolling your own.

j / k navigate · click thread line to collapse