
I am a new programmer so please forgive me if what I am going to say doesn't make any sense.

I know that we store hashes instead of actual passwords to secure passwords in case someone gets access to the database, but let's say someone has got all the hashes and they know what password hashing function has been used in the program. Can't they use the salt for that hash and hack into accounts?

  • Yes, one can match weak passwords to their hashes. Also, people are bad at choosing good passwords, and they reuse them all the time too. That's why it is important to offer and encourage [Multi-factor authentication](https://en.m.wikipedia.org/wiki/Multi-factor_authentication), and to not permit known passwords using a service like [have i been pwned](https://haveibeenpwned.com/API/v3#SearchingPwnedPasswordsByRange). – Peter Jun 14 '21 at 23:30
  • Whenever discussing security it's best not to think in terms of can they/can't they, but rather how and at what cost. – President James K. Polk Jun 15 '21 at 02:18
  • I wrote a tutorial about [safely storing passwords](https://www.martinstoeckli.ch/hash/en/index.php), where I tried to explain the exact purpose of the salt; it should give you a starter on the topic. – martinstoeckli Jun 23 '21 at 14:48

2 Answers

1

First, you need to understand the difference between encryption and hashing. Any data that is encrypted can be decrypted. But hashing is always one way. So any data which was hashed using a salt once cannot be decrypted.

Also, you have to use a strong hashing algorithm, because hackers could use "rainbow tables" to brute force and retry infinitely using random values to imitate your passwords.

Why would you expose your source code and database credentials?

In production, database credentials are encrypted and used in application configuration files. You have to follow security protocols.
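A worked version of the salt's role, added here as an example and not taken from the question or either answer: the unsalted single-SHA-256 scheme the question worries about beside a salted PBKDF2 store, with a constructed three-word list standing in for a leaked-password table. The user names, the passwords and the iteration count are the example's own assumptions.

```python
import hashlib
import hmac
import os

# Demo parameters. The iteration count is kept low so the example runs quickly;
# a real deployment should use a far higher count (or scrypt/Argon2).
ITERATIONS = 20_000
SALT_BYTES = 16

def unsalted_sha256(password: str) -> str:
    """The scheme the question worries about: one plain SHA-256, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, salt: bytes = None) -> str:
    """Store salt and parameters next to the digest; the salt is not secret."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)  # fresh per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def precomputed_table_hits(stored_hashes: list, wordlist: list) -> int:
    """How many stored hashes a table of pre-hashed common words matches directly."""
    table = {unsalted_sha256(w): w for w in wordlist}
    return sum(1 for h in stored_hashes if h in table)

def demo() -> dict:
    """Two users pick the same weak password (constructed sample data)."""
    wordlist = ["123456", "letmein", "password"]  # stand-in for a leaked list
    users = {"alice": "letmein", "bob": "letmein"}
    unsalted = [unsalted_sha256(p) for p in users.values()]
    salted = {u: hash_password(p) for u, p in users.items()}
    return {
        "unsalted_identical": unsalted[0] == unsalted[1],   # same hash for both
        "table_hits_unsalted": precomputed_table_hits(unsalted, wordlist),
        "salted_identical": salted["alice"] == salted["bob"],  # differ by salt
        "alice_verifies": verify_password("letmein", salted["alice"]),
        "alice_wrong_pw": verify_password("letmein1", salted["alice"]),
    }

if __name__ == "__main__":
    print(demo())
```

With the unsalted scheme one precomputed table breaks every user who chose the word at once; with a per-user salt the table is useless and each record has to be re-derived separately, which is what the slow KDF is there to make expensive.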

-1

I am going to give it a stab. So what you are describing is securing passwords in a vault. There are lots of ways you can do this. I like Window-Vault if you are doing something small. If you are using Ansible, Ansible-Vault works. Hashicorp makes a really good one too.

Now for storing. You could store passwords in a Password manager, like Bitwarden for instance. This would solve most of your problems.

To store passwords without a manager, ensure you have Encryption at rest, and Encryption in Transit. Encryption at rest is on the disk. Encryption in Transit is SSL/TLS.

You can store the passwords as a hash locally, but it isn't really that much more secure. As you stated, you can reverse the encryption if you can get physical access. Most choose to encrypt the disk and encrypt transit, and handle the rest via access to the machine or storage location via a user name and strong password (maybe a firewall too).

It isn't bad to store passwords in plain text somewhere. Eventually they have to be decrypted. The important thing is securing the storage location and the transit.

Dharman
Technoob1984
  • Who voted this down? What is bad about my advice? – Technoob1984 Jun 15 '21 at 02:38
  • For everyone here, I read this question as 'How do I secure my passwords in code'. How do you do 2FA when you are automating a program, or passing a service account automatically in code? How do you store your password if not in text somewhere? Is the suggestion that LastPass or Onepassword isn't in plain text after you decrypt the connection with your master password? Windows-Vault, Ansible-Vault and HashiCorp all have wonderful password APIs. Secure your passwords at rest with encryption, and secure your password calls in transit with SSL/TLS. Don't let trolls give you bad advice. – Technoob1984 Jun 15 '21 at 02:51