this post was submitted on 05 Jul 2024
95 points (99.0% liked)

Cybersecurity

5847 readers
21 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected]

Notable mention to [email protected]

founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 9 points 5 months ago* (last edited 5 months ago) (2 children)

That has to do with how hashes work.

Hash is if you want someone to be able to check if he's got the right password but not able to know what it actually says.

Imagine my password is "shark". Let's say I use a hash algorithm so that it becomes "2gtth5". If I log in. I enter my password. My browser* uses the same algorithm, so the text I entered is "2gtth5" now. The server looks up my hashed password, checks if it's the same and then it lets me log in. The benefit is, the server doesn't know my actual password, it only knows that the hash is "2gtth5". This means if the database gets compromised, people only see "2gtth5" but not my actual password. And because it's a hash, they don't know how to get back from "2gtth5" to "shark" and therefore my password is not compromised.

Now imagine if I knew the hashing algorithm used and I have a list of possible passwords. There might be "shark" in there. So I can take the password list, make a hash out of every password and see if it matches. Because my password is in there, the hash for "shark" will match the hash "2gtth5" in the compromised database and they now know my actual password. This is a far bigger problem.

Everytime you see that someone "hacked" a database and password hashes got compromised, this is what happens. They use rock you and a few other lists to see if they can "crack" the hashes (this just means checking the hashes and seeing if one of the password from the list matches).

This is specifically what those lists are for. They are used by bad actors to make use of the hashed passwords they stole.

Glossary:

  • hash: representation of some text
  • cracking a hash: trying to get the actual text from a hash
  • salted hash: a hash with fake characters in there
  • algorithm: basically the way your program works, either the code or a scientific representation of the way it works

*Someone in the comments corrected me on this. The server does the hashing not the browser.

[–] decisivelyhoodnoises 9 points 5 months ago* (last edited 5 months ago) (1 children)

My browser uses the same algorithm, so the text I entered is "2gtth5" now. The server looks up my hashed password

This is not correct. Your browser will submit "shark" and then the backend server will do whatever hashing is required and after that it will compare the hashes. If hashing was happening in the browser that would mean that an attacker would be be able to attack by using just the hashes of the passwords, not the passwords themselves. Also in such case, the browser would had been responsible to do the required salting which in turn would make it pointless as it would had been known.

[–] [email protected] 5 points 5 months ago* (last edited 5 months ago)

Ah that makes sense let me put an asterisk on that then

[–] sugar_in_your_tea 1 points 5 months ago

The browser could do the hashing, but then the frontend would need the same salt, which is a huge liability. Some apps obfuscate it by encrypting with a nonce or something, but all that does is delay an attack.

Standard practice is indeed on the server with a limited number of attempts on the same account in a time window to prevent brute force attacks.