If a password is securely stored, is a password breach really that bad?


I understand that if passwords are stored in plaintext, then that is awful because that’s a user’s actual password. However, many companies will [hash](https://en.wikipedia.org/wiki/Cryptographic_hash_function) and [salt](https://en.wikipedia.org/wiki/Salt_(cryptography)) users’ passwords and then store that in the database.

I will admit that any data breach is not great as far as security is concerned because you could get data on usernames, DOBs, emails, etc.

But if we’re talking just passwords, if a password is hashed (using secure hash functions – SHA256 – and not MD5) and salted, and subsequently stolen, isn’t that not as big of a deal? I trust the mathematics behind one-way hashing and sure, the attackers got a random string of text but they can’t do anything with it.

If attackers broke into your house and stole a locked safe, the actual breaking into your home is bad (and you should really think about fixing that) but the fact that they have a locked safe that they’ll never be able to mathematically crack in millions of years (turns out actually longer than the known age of the universe) is not that big of a deal, right?


Ideally yes, although even in a perfect situation an attacker with a lot of excess computing resources available could brute force the passwords mixed with their appropriate salts and hope they come across a few valid pairs. If usernames/emails were included with that same data collection, that attacker (or whoever obtained those results) now has an idea of what to guess for a password when that username/email is used somewhere else.

The problem is that passwords are predictable, reused, and can be brute-forced. There are many password lists with the most common passwords from other data breaches. These are gold mines for crackers. They’ll just use these lists and throw them at their GPUs which can guess millions of passwords per second. They rehash these passwords (perhaps using the salt that was also stolen) and see if there’s a match.

If you don’t want data breaches to affect you, use a password manager and different passwords for every single site. And MFA wherever available.

So yeah, it’s bad.

If you personally have a good password, there’s no real worry, though it’s good practice to change your password anyways.

For the entire userbase it is a problem, because not everyone has a good password, so some amount of users will have passwords that are on or close to wordlists, and they will have their passwords cracked. A lot of them are likely to reuse passwords across sites, so their other accounts may also be in danger. It’s quite bad for the overall online ecosystem.

You are correct. If the passwords are well-salted, hashed, and use a good encryption algorithm, the biggest problem is probably mitigated. There are still a bunch of problems, though.

First and foremost, the emails themselves are still visible, so you can see who the users are. That’s not a big deal for a site like Reddit, but consider a site like “Ashley Madison,” the website for people who want to have extramarital affairs. It is a bad look if you’ve got an account there.

Second, companies by and large suck at cryptography. That means they probably did not salt things, or if they did they might’ve chosen an old standard, or they did something else boneheaded that ruined the security. Maybe they also stored an “email reset code” value for each user that can be used to change the passwords or something. It takes only one small mistake to ruin a security scheme, and most companies don’t exactly keep a cryptographer on staff.

Third, getting the passwords file means that the attacker now has unlimited time to solve the problem. Assuming that the company did everything right, it’s not really possible for hackers to get everybody’s password, but it’s very conceivable that they will be able to get at least ONE password, if they throw enough power at it. Maybe somebody’s salt lines up with a rainbow table they have around. Maybe someone’s salt just happened to be zero by chance. Maybe they just pick 1000 of the most common passwords and try it against all of the salts in the file. Yeah, they’re not going to get the admin’s password, but they very well might get somebody’s with enough work. To go with your metaphor: if an attacker breaks into your house and steals a safe, the money’s still secure, but now the safecracker has it in his house and can spend a month drilling a hole into it or trying every combination or who knows what else. It’s possible he might never get in, but it’s not guaranteed.

Most websites, in addition to hashing and salting, have some form of rate limiting to prevent brute force attacks. Having access to the password file lets you test all the passwords you want locally without that stopping you.
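
The point made across these answers, as an added example that is not part of the original thread: a defender-side audit of a constructed credential table shows that a unique salt per account does not protect passwords that appear on a common-password list, and that local guessing is limited only by the cost of the hash. The account names, passwords, wordlist and the PBKDF2 comparison with its iteration count are assumptions for illustration; the thread itself only discusses salted SHA-256.

```python
import hashlib
import hmac
import os
import time

# Constructed sample wordlist standing in for a real common-password list.
COMMON = ["123456", "password", "qwerty", "letmein", "iloveyou"]

def salted_sha256(password, salt):
    """One fast hash over salt + password, the scheme the question describes."""
    return hashlib.sha256(salt + password.encode()).digest()

def pbkdf2(password, salt, iterations=100_000):
    """Deliberately slow derivation (assumed iteration count, for comparison)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def make_record(user, password, hash_fn):
    salt = os.urandom(16)  # unique random salt per account
    return {"user": user, "salt": salt, "hash": hash_fn(password, salt)}

def demo_records(hash_fn):
    """Constructed accounts: two wordlist passwords, one random password."""
    return [make_record("alice", "letmein", hash_fn),
            make_record("bob", "qwerty", hash_fn),
            make_record("carol", "T7#vq9!mZp2-Lx4w", hash_fn)]

def audit(records, wordlist, hash_fn):
    """Return users whose stored hash matches a wordlist entry under their own salt."""
    flagged = []
    for rec in records:
        for guess in wordlist:
            if hmac.compare_digest(hash_fn(guess, rec["salt"]), rec["hash"]):
                flagged.append(rec["user"])
                break
    return sorted(flagged)

def seconds_per_guess(hash_fn, n=5):
    """Average local cost of one guess; no server-side rate limit applies here."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(n):
        hash_fn(f"guess{i}", salt)
    return (time.perf_counter() - start) / n

if __name__ == "__main__":
    print("flagged:", audit(demo_records(salted_sha256), COMMON, salted_sha256))
    fast = seconds_per_guess(salted_sha256, n=10_000)
    slow = seconds_per_guess(pbkdf2)
    print(f"sha256 {fast:.2e} s/guess, pbkdf2 {slow:.2e} s/guess")
```

The same two accounts are flagged under either scheme; the slow derivation only raises the cost of each guess, so the randomly generated password is what actually stays out of reach.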