undefined | Better HN

0 pointsgrowt4y ago0 comments

If they are properly hashed and salted, they can not.

0 comments

The point here is that once you brute force the plaintext password, the same password might be used elsewhere.

What if you did something like hash(plaintext_pw+"twitchsalt") <browser> ---> <server> hash(browser_hash + db_salt)

growtOP4y ago

If I understand this right, the problem is "twitchsalt" has to be known so that you can generate the same hash for future logins. So it's just one iteration of hashing more for a brute force attempt (modern hashing algorithms already use multiple iterations of hashing to make brute forcing harder)

ocdtrekkie4y ago

Well, bear in mind, the hacker also has the exact code Twitch uses to salt it's hashes.

xorcist4y ago

The browser_hash is now the password.

thaumasiotes4y ago

Password salting has nothing to do with password reuse.

Imagine two people have accounts on each of two websites:

             eBay           YouTube
   
   Alice     sunlight       bobrules
   
   Bob       bobrules       bobrules

A password reuse attack dumps the YouTube database, cracks Bob's password, and then accesses Bob's eBay account. The fix for this is that Bob should use different passwords on his different accounts. Hashing helps by making step 2 ("crack Bob's password") more difficult. Salting does not affect this attack in any way. Note that the attacker didn't bother to dump the eBay database.

The attack that salting protects against dumps the YouTube database, cracks Bob's password, and then accesses Alice's YouTube account.

growtOP4y ago

"Salting does not affect this attack in any way." Yes it does. If you habe unsalted passwords you can just use a rainbow table to look passwords up.

thaumasiotes4y ago

And that is not affected by salting. You can use a rainbow table to look passwords up whether or not those passwords are salted. There is zero conceptual connection between the two ideas.

Now, realistically, you can't use a rainbow table on passwords of any noticeable length, and a salt may push the password over the edge of that threshold. If that's really what you want... enforce a minimum password length.

1 more reply

j / k navigate · click thread line to collapse

0 comments

xorcist4y ago

The point here is that once you brute force the plaintext password, the same password might be used elsewhere.

mercurywells4y ago

What if you did something like hash(plaintext_pw+"twitchsalt") <browser> ---> <server> hash(browser_hash + db_salt)

growtOP4y ago

ocdtrekkie4y ago

Well, bear in mind, the hacker also has the exact code Twitch uses to salt it's hashes.

xorcist4y ago

The browser_hash is now the password.

thaumasiotes4y ago

Password salting has nothing to do with password reuse.

Imagine two people have accounts on each of two websites:

             eBay           YouTube
   
   Alice     sunlight       bobrules
   
   Bob       bobrules       bobrules

The attack that salting protects against dumps the YouTube database, cracks Bob's password, and then accesses Alice's YouTube account.

growtOP4y ago

"Salting does not affect this attack in any way." Yes it does. If you habe unsalted passwords you can just use a rainbow table to look passwords up.

thaumasiotes4y ago

And that is not affected by salting. You can use a rainbow table to look passwords up whether or not those passwords are salted. There is zero conceptual connection between the two ideas.

1 more reply

j / k navigate · click thread line to collapse