Why are hackers able to obtain lists of usernames and passwords, but not access site code?

I’m in the process of familiarizing myself with the ins and outs of password security, and what level of screwed you are depending on how a site treated password security before a breach occurred.

What I understand so far is that if a site stores plaintext passwords and they’re leaked, anyone can instantly use them to access your account. If the passwords have been hashed, they’re more or less back to brute-forcing passwords and hoping the hash matches. If passwords are salted, extra data is added to the hashes, but (from what I understand) since this is also handled by the site (when you try to log in your password is hashed and salted before being compared to what they have saved), this doesn’t actually change the effectiveness of brute-forcing. I might be missing something here.

Either way, what I’d like to know is how do sites keep the site code itself inaccessible from hackers, if site data, like tables containing user information, can be obtained. Theoretically if a hacker had access to the specific hash and salting being used, they could reverse-engineer the hashed passwords, right? But they don’t, and I don’t understand why they don’t, when they seem to be able to access other data. In previous answers on this topic I’ve seen people say that if hackers had access to site code they could just remove the necessity for a password, or otherwise get around those restrictions, but why can’t they get this access?

6 Answers

Anonymous 0 Comments

More often than not the information is stored in different places and most hacks are generally either something like SQL injection or some other site vulnerability which lets someone access database entries they wouldn’t normally have access to. Usually this takes the form of a dump of a users table which would contain usernames, emails, and password hashes etc.
This is a very different situation to a hack where someone has managed to get privilege escalation on the server itself though.

In the first example, unless the salt is stored in the clear in the database, then database dumps wouldn’t contain the salt itself. However in the second example, all bets are off – if someone has root access to the server then they probably have everything.

The reality of the situation is that there is no perfect system because quite simply, something somewhere needs to be able to turn the password into a hash to be able to authenticate a user. And if someone does have root access for any reasonable period of time then they can always reverse engineer whatever that process is. Thankfully though, these types of hack are rare compared to the ones which leak raw data.
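
An added example, not part of the question or the answer above: a sketch of salted, slow password hashing that contrasts what sits in a users table with what stays on the server. The per-row salt, the "pepper" (a secret held in server configuration rather than the database), the iteration count and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumption: a server-side secret kept in application config, never in the
# database. Constructed value for this example.
PEPPER = b"constructed-example-pepper"
ITERATIONS = 100_000  # illustrative work factor; makes every guess expensive


def hash_password(password: str, salt: bytes, pepper: bytes) -> bytes:
    """Key the password with the pepper, then run a slow salted KDF."""
    keyed = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, ITERATIONS)


def create_user_row(username: str, password: str, pepper: bytes = PEPPER) -> dict:
    """What the users table holds: username, random per-user salt, hash."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt,
            "pw_hash": hash_password(password, salt, pepper)}


def verify(row: dict, candidate: str, pepper: bytes) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    expected = hash_password(candidate, row["salt"], pepper)
    return hmac.compare_digest(expected, row["pw_hash"])


def demo() -> dict:
    alice = create_user_row("alice", "correct horse")
    bob = create_user_row("bob", "correct horse")
    return {
        # Per-user salts: identical passwords do not produce identical hashes,
        # so one precomputed table cannot cover every row in a dump.
        "same_password_different_hash": alice["pw_hash"] != bob["pw_hash"],
        "login_ok": verify(alice, "correct horse", PEPPER),
        "wrong_password_rejected": not verify(alice, "wrong", PEPPER),
        # Database row only, no server secret: even the right guess fails.
        "dump_only_guess_matches": verify(alice, "correct horse", b"not-the-real-pepper"),
    }


if __name__ == "__main__":
    print(demo())
```

The last result is False because the row was checked without the server-side secret; once the server itself is compromised that secret is readable too, which is the "all bets are off" case.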
