Salted Password Hashing - Insecure


N. V. R. K. RAJU

Jul 3, 2013, 9:34:40 PM
to null-...@googlegroups.com, securit...@googlegroups.com
Hi,

This is regarding an article posted about Salted Password Hashing - Doing it right on http://crackstation.net/hashing-security.htm

I have gone through this article and I still feel that salted password hashing is insecure, because, as it states in the article, "The problem is that the client-side hash logically becomes the user's password. All the user needs to do to authenticate is tell the server the hash of their password. If a bad guy got a user's hash they could use it to authenticate to the server, without knowing the user's password! So, if the bad guy somehow steals the database of hashes from this hypothetical website, they'll have immediate access to everyone's accounts without having to guess any passwords."

My point in this discussion is this: considering the possibility of proxies like Burp/OWASP ZAP/Charles, we can easily get the hash value of a user's password. When an attacker has this hash value, he doesn't need to know the actual password but would still be able to authenticate and do normal web access.

Please share your thoughts on this: is there something to circumvent MIM attacks for salted password hashing?

Regards,
Raju
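The distinction the quoted article draws is between a hash the server computes itself and a hash the client sends. As an added example (not code from the article, the list, or any poster), the two schemes are placed side by side below; PBKDF2-HMAC-SHA256 is assumed as the server-side salted hash, and all user records are constructed in memory.

```python
import hashlib
import hmac
import os

# Constructed in-memory stores for the example; nothing here is a real
# application's data or code.
SERVER_HASHED = {}   # username -> (salt, PBKDF2 hash), hashed on the server
CLIENT_HASHED = {}   # username -> hash computed and sent by the client

def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256) computed by the server."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def register_server_side(username: str, password: str) -> None:
    salt = os.urandom(16)
    SERVER_HASHED[username] = (salt, hash_password(password, salt))

def login_server_side(username: str, submitted: str) -> bool:
    """Whatever the client submits is salted and hashed again, so a value
    copied out of the database is just another wrong password."""
    record = SERVER_HASHED.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, hash_password(submitted, salt))

def register_client_hashed(username: str, client_hash: str) -> None:
    """Flawed scheme from the article: the server stores the client's hash as-is."""
    CLIENT_HASHED[username] = client_hash

def login_client_hashed(username: str, client_hash: str) -> bool:
    """Compares the submitted hash directly, so the stored hash is the credential."""
    stored = CLIENT_HASHED.get(username)
    return stored is not None and hmac.compare_digest(stored, client_hash)

def stored_value_works_as_credential(username: str) -> tuple:
    """Submits each scheme's stored value as the login secret; returns
    (server_side_accepts, client_hashed_accepts)."""
    _salt, server_stored = SERVER_HASHED[username]
    client_stored = CLIENT_HASHED[username]
    return (login_server_side(username, server_stored.hex()),
            login_client_hashed(username, client_stored))

if __name__ == "__main__":
    register_server_side("alice", "correct horse battery staple")
    register_client_hashed("alice", hashlib.sha256(b"correct horse battery staple").hexdigest())
    print(stored_value_works_as_credential("alice"))  # (False, True)
```

The second scheme is the one the article warns about; the first is what "salted password hashing" in the article's own recommendation refers to, and a leaked table of those hashes still has to be cracked before it yields a usable password.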

Abhay Rana

Jul 4, 2013, 12:51:04 AM
to null-...@googlegroups.com
That's a really thorough explanation. A similar one is at http://codahale.com/how-to-safely-store-a-password/. I found it kinda odd that you never mentioned bcrypt, though.

--
null - Spreading the right Information
null Mailing list charter: http://null.co.in/section/about/null_list_charter/

Rajesh A.

Jul 4, 2013, 12:52:37 AM
to null-...@googlegroups.com
Two types of attacks are possible in this case:

1. It should be clubbed with MIM. If they are using an HTTPS channel for communications, then additional tricking is needed...
2. Gaining access to the database where the password hash is saved.

R@J


On Thu, Jul 4, 2013 at 7:04 AM, N. V. R. K. RAJU <nvrk...@gmail.com> wrote:
