Why are hackers able to obtain lists of usernames and passwords, but not access site code?


I’m in the process of familiarizing myself with the ins and outs of password security, and what level of screwed you are depending on how a site treated password security before a breach occurred.

What I understand so far is that if a site stores plaintext passwords and they’re leaked, anyone can instantly use them to access your account. If the passwords have been hashed, they’re more or less back to brute-forcing passwords and hoping the hash matches. If passwords are salted, extra data is added to the hashes, but (from what I understand) since this is also handled by the site (when you try to log in your password is hashed and salted before being compared to what they have saved), this doesn’t actually change the effectiveness of brute-forcing. I might be missing something here.

Either way, what I’d like to know is how do sites keep the site code itself inaccessible from hackers, if site data, like tables containing user information, can be obtained. Theoretically if a hacker had access to the specific hash and salting being used, they could reverse-engineer the hashed passwords, right? But they don’t, and I don’t understand why they don’t, when they seem to be able to access other data. In previous answers on this topic I’ve seen people say that if hackers had access to site code they could just remove the necessity for a password, or otherwise get around those restrictions, but why can’t they get this access?


6 Answers

Anonymous 0 Comments

> If passwords are salted, extra data is added to the hashes, but (from what I understand) since this is also handled by the site (when you try to log in your password is hashed and salted before being compared to what they have saved), this doesn’t actually change the effectiveness of brute-forcing. I might be missing something here.

Salting prevents the hacker from brute forcing multiple passwords at the same time and utilizing techniques like [rainbow tables](https://en.wikipedia.org/wiki/Rainbow_table).

> Either way, what I’d like to know is how do sites keep the site code itself inaccessible from hackers, if site data, like tables containing user information, can be obtained.

The site data and the site code are stored separately. The site data is stored in the database, and is *supposed* to reach the user – well, part of it is supposed to. When you view a page on reddit, the contents of the page are extracted from the database. Hacking simply involves getting the site to give you data that it wasn’t supposed to. That said, there are ways to also leak the site code, if it isn’t stored securely.

> Theoretically if a hacker had access to the specific hash and salting being used, they could reverse-engineer the hashed passwords

No, that’s the point of hashing. A hash is a one-way function – it’s easy to calculate the hash of a given input, but it’s hard to find the input that will give a certain hash value.

> if hackers had access to site code they could just remove the necessity for a password, or otherwise get around those restrictions, but why can’t they get this access?

If they could *change* the code, then yes. Just because you have access to see the code doesn’t mean you can change it.
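The two points in this answer (a hash only runs forward, and a per-user salt stops one guess from being checked against every account at once) can be made concrete. The following is an added example, not code from the question or the answer above; the user names, passwords and guess list are constructed, and the helper names (`make_record`, `verify`, `crack_unsalted`, `crack_salted`, `compare_work`) are my own. It uses PBKDF2-HMAC-SHA256 from Python's standard library for the salted case and plain SHA-256 for the unsalted case.

```python
"""Why a per-user salt changes the cost of guessing, and why knowing the
algorithm and the salt does not let anyone run the hash backwards.

Added example, not from the original thread.  All sample data below is
constructed for illustration."""
import hashlib
import hmac
import os

# Constructed sample accounts: two users happen to pick the same password.
SAMPLE_USERS = {
    "alice": "hunter22",
    "bob": "hunter22",
    "carol": "letmein",
}
# Constructed guess list a cracker would try, in this order.
GUESS_LIST = ["password", "letmein", "hunter22", "qwerty"]

PBKDF2_ROUNDS = 50_000  # deliberately slow: each guess costs real CPU time


def hash_unsalted(password: str) -> str:
    """Plain SHA-256: the same password always gives the same hash,
    so one precomputed table (or one guess) matches every account using it."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: a salted, slow, one-way function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_record(password: str) -> dict:
    """What a site stores per user: a random 16-byte salt plus the derived hash.
    The algorithm and the salt are not secrets; only the password is."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_salted(password, salt)}


def verify(record: dict, attempt: str) -> bool:
    """Login check: recompute the same one-way function and compare in
    constant time.  Nothing here 'reverses' the stored hash; the site only
    ever runs the function forward on the attempt."""
    return hmac.compare_digest(record["hash"], hash_salted(attempt, record["salt"]))


def same_password_same_hash(users: dict = SAMPLE_USERS) -> tuple:
    """alice and bob share a password: unsalted hashes collide,
    salted ones differ because each record has its own random salt."""
    unsalted_equal = hash_unsalted(users["alice"]) == hash_unsalted(users["bob"])
    salted_equal = make_record(users["alice"])["hash"] == make_record(users["bob"])["hash"]
    return unsalted_equal, salted_equal


def crack_unsalted(stored: dict, guesses: list) -> tuple:
    """Unsalted: one hash per guess is compared against every stored hash.
    Returns (recovered passwords, number of hash computations)."""
    work, found = 0, {}
    for guess in guesses:
        candidate = hash_unsalted(guess)
        work += 1
        for user, h in stored.items():
            if candidate == h:
                found[user] = guess
    return found, work


def crack_salted(stored: dict, guesses: list) -> tuple:
    """Salted: every guess must be recomputed with each user's own salt,
    so the work is guesses x accounts, and each computation is slow."""
    work, found = 0, {}
    for user, rec in stored.items():
        for guess in guesses:
            work += 1
            if hmac.compare_digest(rec["hash"], hash_salted(guess, rec["salt"])):
                found[user] = guess
    return found, work


def compare_work(users: dict = SAMPLE_USERS, guesses: list = GUESS_LIST) -> dict:
    """Build both kinds of password table and run the same guess list over each."""
    unsalted_db = {u: hash_unsalted(p) for u, p in users.items()}
    salted_db = {u: make_record(p) for u, p in users.items()}
    return {
        "unsalted": crack_unsalted(unsalted_db, guesses),
        "salted": crack_salted(salted_db, guesses),
    }


if __name__ == "__main__":
    print("same password, same hash? (unsalted, salted):", same_password_same_hash())
    for mode, (found, work) in compare_work().items():
        print(f"{mode:8s} recovered={found} hash_computations={work}")
```

With the constructed data, the unsalted table falls to 4 hash computations (one per guess, each checked against all three accounts), while the salted table costs 12 (every guess recomputed per account), and that gap grows with the number of accounts and with the PBKDF2 round count. Both attacks still recover weak passwords, which is the answer's point: the salt and the slow hash buy time, and only a strong password or a leaked plaintext decides the outcome.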
