
Is it safe to store a password as a hash?

Virtually anyone, even a novice developer, will tell you that passwords must be stored in the database only as a hash (md5, for example). This supposedly guarantees their safety and raises the security of the system as a whole. Is that really so?
Not quite. Security does improve, of course, but not by as much as people think. Databases of precomputed hashes for huge numbers of passwords have been on the Internet for a long time. A three-minute search on Yandex alone brought me to the following sites: MD5decrypter (568,002 hashes) and Insidepro (10,148,884 hashes). Not a small number, right? And these are only the open projects, and only for md5. I assume any serious hacker group has databases of its own, and with botnets available, distributed computation is no longer a problem for them.
The quicker-witted will suggest: fine, but let's prepend our own long secret prefix to the user's password. Or, say, take md5 of md5. The attacker will never guess this and will not be able to recover the password.
It helps less than it seems. When a hash is cracked, the attacker does not need the original password at all; any input that produces the same stored value will do. Note, though, that the comparison is against the stored function as a whole, not against a bare md5: since the server prepends the same prefix to whatever is typed, an attacker who enters 76854 is checked as md5('our_secret_line'.'76854'), so what they need is any X with md5('our_secret_line'.X) equal to the stored hash, whether or not X is the real password Fhndkts. The weakness is that a site-wide prefix and md5-of-md5 are still fixed, fast, unsalted functions. The prefix lives in the application code, right next to the database that was just stolen; once it (or the md5-of-md5 trick) is known, the attacker rebuilds the lookup table once for that transformation and every user's hash is attackable at exactly the previous cost.
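The following is an added example in Python, not code from the original article, showing the three schemes the article discusses against the same precomputed "hash database" idea. The wordlist is a constructed six-entry stand-in for the public md5 databases; `SITE_PREFIX` is a hypothetical secret named after the one in the text. The per-user salt with PBKDF2 at the end is a hypothetical hardened alternative that the article does not cover, included to show what actually breaks table reuse: every user gets a different function, so a table built for one is worthless for the next.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the public md5 databases the article mentions; a
# real one holds millions of entries, but the mechanics are identical.
WORDLIST = ["123456", "password", "qwerty", "76854", "letmein", "Fhndkts"]

# Hypothetical site-wide secret prefix, named after the one in the article.
SITE_PREFIX = "our_secret_line"


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


# The three storage schemes the article discusses.
def plain_md5(pw: str) -> str:
    return md5_hex(pw)


def prefixed_md5(pw: str) -> str:
    # The server prepends the prefix to *whatever* the user types, so an
    # attacker must find X with md5(prefix + X) == stored, not md5(X) == stored.
    return md5_hex(SITE_PREFIX + pw)


def double_md5(pw: str) -> str:
    return md5_hex(md5_hex(pw))


def build_lookup(scheme: Callable[[str], str]) -> Dict[str, str]:
    """Precompute scheme(word) -> word for the whole wordlist.

    A public hash database is exactly this map for plain_md5. An attacker
    who learns the prefix or the md5-of-md5 trick builds the same map for
    that scheme once and reuses it against every user, because nothing
    user-specific went into the hash."""
    return {scheme(w): w for w in WORDLIST}


def crack(stored: str, lookup: Dict[str, str]) -> Optional[str]:
    """Attacker side: one dictionary lookup, no hashing at crack time."""
    return lookup.get(stored)


# Hypothetical hardened scheme (not from the article): a random per-user salt
# plus a deliberately slow KDF. Each user now has a different function, so a
# table built for one user says nothing about the next.
PBKDF2_ITERATIONS = 200_000  # tune upward for your hardware


def store_salted(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest.hex()


def verify_salted(pw: str, salt: bytes, digest_hex: str) -> bool:
    # Constant-time compare, so the check itself leaks nothing about the digest.
    return hmac.compare_digest(store_salted(pw, salt)[1], digest_hex)


if __name__ == "__main__":
    public_table = build_lookup(plain_md5)
    print("plain md5 of 76854, public table   :", crack(plain_md5("76854"), public_table))
    print("prefixed md5, public table         :", crack(prefixed_md5("76854"), public_table))
    print("prefixed md5, prefix leaked        :",
          crack(prefixed_md5("76854"), build_lookup(prefixed_md5)))
    print("md5(md5), scheme known             :",
          crack(double_md5("Fhndkts"), build_lookup(double_md5)))
    s1, d1 = store_salted("76854")
    s2, d2 = store_salted("76854")
    print("salted: same password, two users, different digests:", d1 != d2)
```

The prefix buys exactly one table rebuild; the salt forces one rebuild per user, which is the difference between a precomputed table and a live brute-force attack.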

The only obstacle is that there are a great many possible hashes: storing all of them takes an enormous amount of space, and searching through them takes a very long time.
However, this problem is solved with the help of rainbow tables. With them, both the size of the stored database and the time needed to search for a password shrink by several orders of magnitude, because only the two ends of each long chain of hashes are kept and the middle is recomputed on demand. More about this can be read here and here. Building such tables also calls for distributed computation, and there are projects for that, for example Rainbowcrack.com. The scale is impressive: 2,628 tables, 102,080,000,000 chains (about 1000-1500 passwords in each chain), 1.49 TB of data. There is a similar Russian project, but so far it has achieved much less. One caveat: a rainbow table, like any precomputed table, pays off only when every stored hash was produced by the same function; a random per-user salt turns each hash into its own function and sends the attacker back to brute force.
So how should passwords be stored, then?
denis.boltikov.ru


Source: https://habr.com/ru/post/17609/
