I've read a fair few questions on password salting and mostly they cover the stuff that (I think) I already understand. That is, the point of including a random salt in your password hashes is firstly to prevent two hashes being the same even when the password is the same, and secondly to thwart rainbow table attacks that match hashes against a precompiled list (because none of the precompiled hashes used the salts you have used, so a new rainbow table would need to be generated for each salt/hash). Feel free to correct me if I've misunderstood any of that.

Now my question: If an attacker has access to your hashes (the scenario we're protecting against), then that means they're accessing your database. That being the case, surely it doesn't matter what the hash is; they can just replace it with whatever they want?

MartinAnsty
  • For questions like these, you might want to try the sister site over at: http://security.stackexchange.com/ – Hooked Mar 03 '12 at 02:23
  • Thanks Hooked, I'll bear that in mind next time. The myriad of stackexchange sites that exist nowadays can be confusing – MartinAnsty Mar 03 '12 at 02:27
  • to which I respond with the meta link of all (84) sites so you can see what's out there! http://stackexchange.com/sites?view=list#traffic This includes the beta-sites that haven't reached the magic SE threshold of awesome yet. – Hooked Mar 03 '12 at 02:30

2 Answers

Read access to a database does not imply write access to the database.

So yes, if an attacker can update the password hash to a known hashed password + salt, then the attacker can gain access to a specific account. But dumps of password hashes can come from places other than direct database access.

wmorrell
  • I think more importantly, finding the actual passwords may give you access to other machines. And clearly changing passwords will give you away. – Arvid Mar 04 '12 at 00:26
It all depends on the account's permissions. If a read-only account was hacked, they can only read, but if a higher account got hacked, well, the attacker has higher permissions the farther up the ladder it goes.

Abraham Andujo