I understand that if passwords are stored plaintext, then that is awful because that’s a user’s actual password. However, many companies will [hash](https://en.wikipedia.org/wiki/Cryptographic_hash_function) and [salt](https://en.wikipedia.org/wiki/Salt_(cryptography)) user’s passwords and then store that in the database.
I will admit that any data breach is not great as far as security is concerned because you could get data on usernames, DOBs, emails, etc.
But if we’re talking just passwords, if a password is hashed (using secure hash functions – SHA256 – and not MD5) and salted, and subsequently stolen, isn’t that not as big of a deal? I trust the mathematics behind one-way hashing and sure, the attackers got a random string of text but they can’t do anything with it.
If attackers broke into your house and stole a locked safe, the actual breaking into your home is bad (and you should really think about fixing that) but the fact that they have a locked safe that they’ll never be able to mathematically crack in millions of years (turns out actually longer than the known age of the universe) is not that big of a deal right?
In: 1
You are correct. If the passwords are well-salted, hashed, and use a good encryption algorithm, the biggest problem is probably mitigated. There are still a bunch of problems, though.
First and foremost, the emails themselves are still visible, so you can see who the users are. That’s not a big deal for a site like Reddit, but consider a site like “Ashley Madison,” the website for people who want to have extramarital affairs. It is a bad look if you’ve got an account there.
Second, companies by and large suck at cryptography. That means they probably did not salt things, or if they did they might’ve chosen an old standard, or they did something else boneheaded that ruined the security. Maybe they also stored an “email reset code” value for each user that can be used to change the passwords or something. It takes only one small mistake to ruin a security scheme, and most companies don’t exactly keep a cryptographer on staff.
Third, getting the passwords file means that the attacker now has unlimited time to solve the problem. Assuming that the company did everything right, it’s not really possible for hackers to get everybody’s password, but it’s very conceivable that they will be able to get at least ONE password, if they throw enough power at it. Maybe somebody’s salt lines up with a rainbow table they have around. Maybe someone’s salt just happened to be zero by chance. Maybe they just pick 1000 of the most common passwords and try it against all of the salts in the file. Yeah, they’re not going to get the admin’s password, but they very well might get somebody’s with enough work. To go with your metaphor: if an attacker breaks into your house and steals a safe, the money’s still secure, but now the safecracker has it in his house and can spend a month drilling a hole into it or trying every combination or who knows what else. It’s possible he might never get in, but it’s not guaranteed.
Latest Answers