How does a database get hacked? A question about salting, etc.

Question

Bear with me, I have been only learning PHP for only a few weeks, so example code may confuse me. I think I finally understand salting! It's to protect passwords inside database, if breached.

What I don't understand is, why would a hacker have to crack hashes if they are trying to figure out a user's password (assuming that's their goal)? Wouldn't this be easier? Is the only defense from password guessing is to implement a limit of password entry X amount of times a day or CAPTCHA?

How would a database get hacked in the first place? Is it more password guessing or can hashes be obtained through MySQL injection?

Thanks!

Answer 1

The idea of salting and hashing is to protect the passwords in case the database has been compromised, whether it was by SQL injection, buffer overflow attacks or simply by going to the server room and pulling the disk out of your server. Salting won't protect you against password guesses, but help in case the attacker gets to the data.

Answer 2

Yes, salting is to protect against the passwords from ever being reversed into plaintext. It also stops someone from saying "the encrypted password is the same on site A as on site B, so the user has the same password in both places".

This isn't just to protect users against hackers; it's also to protect them against you.

Yes, the only defense against password guessing is to slow down or disallow repeated attempts. Most CAPTCHAs are breakable or broken, and you can't impose a CAPTCHA or guess limit on someone who has a copy of the raw database. So keep even the encrypted data out of the hands of malicious individuals. Don't let them at your .htpasswd or /etc/shadow file or your database.

If you are not using salt, generating a rainbow table (in advance) is much easier than guessing a very strong password directly. The key is that building the reverse mapping hash->password can be done once, and the (unsalted) hash is broken forever to anyone possessing the rainbow table.

The database could be hacked if your provider is compromised, if there is an injection vulnerability in your code, if your DB user account password is guessed, if your provider uses eBay to sell off the (presumed wiped) hard drive that had a three-year-old copy of your database on it... It can happen many ways.

Answer 3

The key here is that they're not trying to get the password of a user to use on your site, though after you fix the hole that might be useful. It's so that if, for whatever reason, your site is compromised, there isn't damage to you users. People have a tendency to duplicate passwords; that would be bad.

Answer 4

It might be foolish, but many people use the same passwords for different sites. If your database is compromised and the passwords are simply hashed, then there are techniques (e.g. rainbow tables, even a few web sites) that a hacker could use to find a password value that results in the same hash. That password could then be used to try and gain access to other sites where the user has an account.

If the passwords in your database are salted, then this becomes significantly harder... and if other web sites also salt their passwords with different salts to yours, then it becomes impractical for the hacker.