I've read a ton of information about hashing and salting passwords, dos, don'ts, etc. The problem I see is this: If a hacker is going to go through the effort of stealing the list of hashed passwords, doesn't he then have access to all the data that is password protected? It's like storing the combination to a safe, in the safe. Breaking in, and stealing the combination. If I were the thief, I would take the money.

Now a large company probably has a separate server just for authentication. However, the hacker wants data, not passwords. So if both servers are equal, I would break into the one that holds the data.

Is there some basic flaw of computer security that I am missing here? Are there non-social ways to crack a password without the hash file?

Thanks for your assistance.

--Dave

+4  A: 

One reason is that most users have the same password for multiple accounts. An unhashed password means my accounts on other sites could become compromised - especially since email is a common field for logins. By hashing passwords, if a site has their db stolen I'm protected from having my email account compromised at the same time.

Gavin Miller
+4  A: 

You're assuming such a person has access to the entire database. This isn't always the case. They may have stumbled upon a page where the hashes are accidentally exposed to users (and thus have no access to other parts of the DB), or they may have used SQL injection to pull certain data out in a manner that is limited (for example, they might have figured out that your users table is called users, but not that your credit cards table is called lolcats).

Another security consideration is your internal IT folks. Developers with legitimate access to the database generally still shouldn't be seeing everyone's passwords in plaintext.

ceejayoz
+2  A: 

Most users will reuse passwords across multiple systems. If an attacker breaks into your system, you don't want him to be able to use your data to break into your users' accounts on different websites.

Also, if you encrypt data using the user's password, and only store a hash of the password, then an attacker won't be able to do anything even if he gets your entire database unless he can crack the hashes. Note that this would make it completely impossible to implement a 'forgot password' feature unless you have a way to decrypt the data using the security answer (making it in effect a second password).

SLaks
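
The design described in the last answer, as an added example that is not part of the original posts: the stored row holds a salt, a password verifier and ciphertext, while the encryption key is re-derived from the password at login and never stored. The function names, row layout, iteration count and the HMAC-based stand-in cipher are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (value assumed for this example)

def _subkeys(password: str, salt: bytes):
    """Stretch the password once, then split it into three independent keys."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return [hmac.new(master, label, hashlib.sha256).digest()
            for label in (b"verify", b"encrypt", b"mac")]

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode) so the example needs
    # only the standard library; real code would use an AEAD such as AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def register(password: str, secret: bytes) -> dict:
    """Build the row the server stores: no password, no key, no plaintext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    verifier, enc_key, mac_key = _subkeys(password, salt)
    ct = _keystream_xor(enc_key, nonce, secret)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "verifier": verifier, "nonce": nonce, "ct": ct, "tag": tag}

def unlock(row: dict, password: str):
    """Return the decrypted data, or None on a wrong password or altered row."""
    verifier, enc_key, mac_key = _subkeys(password, row["salt"])
    if not hmac.compare_digest(verifier, row["verifier"]):
        return None
    tag = hmac.new(mac_key, row["nonce"] + row["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, row["tag"]):
        return None
    return _keystream_xor(enc_key, row["nonce"], row["ct"])

if __name__ == "__main__":
    row = register("correct horse battery", b"constructed sample record")
    print(unlock(row, "correct horse battery"))  # decrypts
    print(unlock(row, "guess"))                   # None
```

Because the verifier and the encryption key are separate one-way outputs of the stretched password, someone holding only the row has to guess the password through PBKDF2 before any of the data can be read. The same property is why a password reset cannot recover the data in this design.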