I’m in the process of familiarizing myself with the ins and outs of password security, and what level of screwed you are depending on how a site treated password security before a breach occurred.
What I understand so far is that if a site stores plaintext passwords and they’re leaked, anyone can instantly use them to access your account. If the passwords have been hashed, they’re more or less back to brute-forcing passwords and hoping the hash matches. If passwords are salted, extra data is added to the hashes, but (from what I understand) since this is also handled by the site (when you try to log in your password is hashed and salted before being compared to what they have saved), this doesn’t actually change the effectiveness of brute-forcing. I might be missing something here.
Either way, what I’d like to know is how do sites keep the site code itself inaccessible from hackers, if site data, like tables containing user information, can be obtained. Theoretically if a hacker had access to the specific hash and salting being used, they could reverse-engineer the hashed passwords, right? But they don’t, and I don’t understand why they don’t, when they seem to be able to access other data. In previous answers on this topic I’ve seen people say that if hackers had access to site code they could just remove the necessity for a password, or otherwise get around those restrictions, but why can’t they get this access?
Everyone is able to access a site’s code, because it’s not supposed to be hidden from the user. In fact, you have it literally there in your browser, available with 2 clicks. The problem is that it’s minified, which is a process of shrinking it to the maximum, which makes it way less readable, so as a side effect it’s difficult to figure out, but it’s doable, hard work though. And also a site’s code might get transformed, e.g. if a page was coded in TypeScript, it’s converted to JavaScript first and then also minified, so you cannot go back to TypeScript, because the browser never got it. That’s just how it’s built underneath.
No, salting is done on the API side (server), not by the client (site, as you call it). I haven’t worked on any project that salted passwords in the client.
Getting the initial value from a hashed value is a damn complex operation and, based on the algorithm used, it might be closer to impossible, aka too many years required or too many resources to shrink the operation to an acceptable amount of time.
I am not a hacker, but they look for any “backdoors” to the server, meaning how to execute code which they shouldn’t be allowed to execute. So they can e.g. execute a piece of code to get the data from the database, just like the server does the same, but it’s allowed to. On the other hand, server code is compiled, so it’s not readable code at all; it might be a bytecode language which the runtime environment understands (what runs the server app, so to say). It is doable to read such a language if you disassemble the source files, but those are not stored in a database and you cannot just execute code to get those files. Not like you can execute a “give me all the users in the database” command.
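The server-side flow the answer describes (a random salt and a slow hash stored by the server, never handled by the client), as an added Python example that is not part of either post; the store, usernames and passwords are constructed, and the iteration count is an assumption chosen for illustration:

```python
import hashlib
import hmac
import os

# Constructed example: a minimal server-side credential store.
# Names are hypothetical; this is not the code of any particular site.

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed; tune for your hardware)
SALT_BYTES = 16        # 128-bit random salt per account


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a fixed-length digest from the password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def register(store: dict, username: str, password: str) -> None:
    """Keep salt, iteration count and digest; the password itself is never stored."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every account
    store[username] = {
        "salt": salt,
        "iterations": ITERATIONS,
        "digest": hash_password(password, salt),
    }


def verify(store: dict, username: str, password: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    record = store.get(username)
    if record is None:
        return False
    candidate = hash_password(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


def same_password_same_digest(store: dict, user_a: str, user_b: str) -> bool:
    """True only if two accounts ended up with identical stored digests."""
    return store[user_a]["digest"] == store[user_b]["digest"]


if __name__ == "__main__":
    users = {}
    register(users, "alice", "correct horse battery staple")
    register(users, "bob", "correct horse battery staple")
    print("alice login ok:", verify(users, "alice", "correct horse battery staple"))
    print("same digest for same password:", same_password_same_digest(users, "alice", "bob"))
```

Because the salt is random per account, two users with the same password get different digests, so a leaked table cannot be matched against one precomputed list, and every guess has to be re-run through the full iteration count separately for each account.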