英文:
If an Hacker get salt and our hashed password from a database, why can't he hack the password?
问题
他们说对密码进行加盐然后进行哈希处理会更安全。我们都知道密码会被加盐然后进行哈希处理,最终会存储在数据库中。在数据泄露期间,黑客可以获取到密码(经过加盐和哈希处理)以及盐,因为盐也会存储在数据库中用于验证目的。那么如果黑客可以同时获取到盐和经过加盐和哈希处理的密码,为什么破解起来却不容易呢?我原以为在获取到盐后,黑客可以找出密码(经过加盐和哈希处理),然后将盐从中移除以获取原始密码!
举个例子(这是我对事情发生方式的理解):
我的密码:Harivignesh123
要添加的盐:1$2$3
我的新加盐密码可能是:Harivignesh1231$2$3
在数据库中:
密码(经过加盐和哈希处理):8a84dbd1ab769dfdeaf389a38a91feb7f0a3d9ea5e34254775dd66a5b82a402d
盐:1$2$3
黑客在数据泄露后获得了数据:
通过某种方法(也许使用hashcat),他发现我的密码是:Harivignesh1231$2$3
他也知道我的盐是(因为它也存储在数据库中):1$2$3
所以他可以从密码中移除1$2$3(盐),然后找到了对吗?难道就是这么简单吗?那么它为什么会被认为更安全呢?难道加盐只是为了确保每个密码都是唯一的吗?
帮助这位新手解决这个疑惑,如果我的想法有误的话请指出,非常感谢您提前的解释!
英文:
They say salting a password and then hashing it will be far more secure. We all Know that passwords are salted and then hashed, eventually get stored in databases.
During Data breaches a hacker can get password(salted and hashed) along with salt because salt is also stored in the databases for validation purpose.
Then why it is not easy to crack if the hacker can get both salt and password which is salted and hashed?
I thought that after getting the salt a hacker can found what password(salted and hashed) is it and then he can remove the salt from it to get the original password!
consider for example:(this is how I am thinking the things are happening)
my password: Harivignesh123
salt to be added : 1$2$3
my new salted pass could be : Harivignesh1231$2$3
In database:
password(salted and hashed) : 8a84dbd1ab769dfdeaf389a38a91feb7f0a3d9ea5e34254775dd66a5b82a402d
salt: 1$2$3
After hacker got data from data breach:
by some method( may be using hashcat) he found that my password is : Harivignesh1231$2$3
he also know that my salt is(because it is also stored in database): 1$2$3
so he can remove 1$2$3(salt) from the password and yeah he found it right? is it that easy? then how could it be more secure as they say! or salting is just to make sure every password is unique?
Help this newbie to come over this doubt and please point out if I am wrong with my thinking and thank you very much for your explanation in advance!
答案1
得分: 1
因为用户选择可预测的密码,而且存在可能密码的哈希数据库 - NIST 引用了每个字符 4 位的熵值。这些数据库称为彩虹表。使用盐意味着攻击者需要再次计算所有哈希值,使用加盐的数值。
英文:
Because users pick predictable passwords, and there are databases of hashes for likely passwords - NIST quote an entropy figure of 4-bits per character. These databases are called Rainbow tables. Using a salt means the attacker needs to compute all the hashes again using the salted value.
答案2
得分: 0
"通过某种方法" 是关键,不可能将哈希值还原为原始密码。Hashcat的工作是尝试数百万个可能的密码,并检查它们是否生成了被盗的哈希值。
如果使用一个很长的盐(比你的示例要长得多),在单个彩虹表中预先计算所有这些哈希值是不可能的,以便以后可以快速获取密码。像Harivignesh123mI82hjHHw1QwertxcvgZP0这样的有盐密码将需要太多的组合/时间。
因此,通过加盐,攻击者只能在知道盐之后构建一个彩虹表,然后该彩虹表只能用于这个盐。因为每个密码都使用唯一的盐,所以彩虹表只能找到一个密码。
如果您想了解更多关于这个主题的信息,可以查看我的有关安全存储密码的教程。
英文:
The "by some method" is the crux here, it is not possible to revers a hash to its original password. What hashcat does, is to try millions of possible passwords and check if they result in the stolen hash.
With a long salt (much longer than in your example) it is not possible to precalculate all those hashes in a single rainbow-table, to later get the password quickly. Salted passwords like Harivignesh123mI82hjHHw1QwertxcvgZP0 would require way too many combinations/time.
Thus by salting, the attacker could build a rainbow-table only after knowing the salt, and then the rainbow-table can be used only for this salt. Because one uses a unique salt for each password, a rainbow-table could find onyl a single password.
If you want to know more about this topic, you can have a look at my tutorial about safely storing passwords.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论