How are passwords stolen from companies if they only store hashes?Why do some large companies still store passwords in plain text/decrypt-able format?I've heard that salt is not meant to be secret, but what if I made it secret?Email hacking mythHow to store passwords securely in my server?How secure are “pattern” passwords?Are bad passwords used to breach security in real life?What are the security implications of storing multiple hashes for similar passwords?How safe is it to store your passwords in web browsers?What are the security risks of logging the hash of rejected passwords?Trouble understanding how passwords are authenticated

How to prevent YouTube from showing already watched videos?

Resetting two CD4017 counters simultaneously, only one resets

Was the picture area of a CRT a parallelogram (instead of a true rectangle)?

Female=gender counterpart?

How do I rename a LINUX host without needing to reboot for the rename to take effect?

What if somebody invests in my application?

Can I Retrieve Email Addresses from BCC?

Can a Gentile theist be saved?

How can a jailer prevent the Forge Cleric's Artisan's Blessing from being used?

Is a naturally all "male" species possible?

Why isn't KTEX's runway designation 10/28 instead of 9/27?

Should a half Jewish man be discouraged from marrying a Jewess?

Can I use my Chinese passport to enter China after I acquired another citizenship?

How can I successfully establish a nationwide combat training program for a large country?

Who must act to prevent Brexit on March 29th?

Lightning Web Component - do I need to track changes for every single input field in a form

Simple recursive Sudoku solver

Why is delta-v is the most useful quantity for planning space travel?

Did US corporations pay demonstrators in the German demonstrations against article 13?

Books on the History of math research at European universities

Is there a problem with hiding "forgot password" until it's needed?

Golf game boilerplate

Is there an Impartial Brexit Deal comparison site?

Is there an wasy way to program in Tikz something like the one in the image?



How are passwords stolen from companies if they only store hashes?


Why do some large companies still store passwords in plain text/decrypt-able format?I've heard that salt is not meant to be secret, but what if I made it secret?Email hacking mythHow to store passwords securely in my server?How secure are “pattern” passwords?Are bad passwords used to breach security in real life?What are the security implications of storing multiple hashes for similar passwords?How safe is it to store your passwords in web browsers?What are the security risks of logging the hash of rejected passwords?Trouble understanding how passwords are authenticated













54















Everywhere I look it says servers store passwords in hashed form, but then you have those breaking news about hackers stealing passwords from large companies. What am I missing?










share|improve this question

















  • 7





    Passwords could be stolen also by eavesdropping them on the points they pass unencrypted. And at least on a point they are unencrypted, namely on the keyboard of the user.

    – peterh
    Mar 16 at 21:04







  • 136





    "Everywhere I look it says servers store passwords in hashed form" No, it says servers should store passwords in hashed form!!

    – Lightness Races in Orbit
    Mar 17 at 1:18






  • 14





    If you password is "123abc", no amount of hashing, salting or peppering will keep your account secure once the database is stolen.

    – Dmitry Grigoryev
    Mar 18 at 9:02






  • 1





    You also need to educate people about security. If your password has enough entropy, you use hashes and salt but your employees write down passwords on post-it and leave them around, or just give them to that colleague who "really needs that file on the server" you will have problems. Look up "Social Engineering"

    – Axel2D
    Mar 18 at 15:55







  • 6





    I worked a food counter for long enough that for a half-dozen combos, if you told me a customer's total, I could tell you what they ordered, without a receipt or knowledge of their particular order.

    – dandavis
    Mar 18 at 19:02
















54















Everywhere I look it says servers store passwords in hashed form, but then you have those breaking news about hackers stealing passwords from large companies. What am I missing?










share|improve this question

















  • 7





    Passwords could be stolen also by eavesdropping them on the points they pass unencrypted. And at least on a point they are unencrypted, namely on the keyboard of the user.

    – peterh
    Mar 16 at 21:04







  • 136





    "Everywhere I look it says servers store passwords in hashed form" No, it says servers should store passwords in hashed form!!

    – Lightness Races in Orbit
    Mar 17 at 1:18






  • 14





    If you password is "123abc", no amount of hashing, salting or peppering will keep your account secure once the database is stolen.

    – Dmitry Grigoryev
    Mar 18 at 9:02






  • 1





    You also need to educate people about security. If your password has enough entropy, you use hashes and salt but your employees write down passwords on post-it and leave them around, or just give them to that colleague who "really needs that file on the server" you will have problems. Look up "Social Engineering"

    – Axel2D
    Mar 18 at 15:55







  • 6





    I worked a food counter for long enough that for a half-dozen combos, if you told me a customer's total, I could tell you what they ordered, without a receipt or knowledge of their particular order.

    – dandavis
    Mar 18 at 19:02














54












54








54


9






Everywhere I look it says servers store passwords in hashed form, but then you have those breaking news about hackers stealing passwords from large companies. What am I missing?










share|improve this question














Everywhere I look it says servers store passwords in hashed form, but then you have those breaking news about hackers stealing passwords from large companies. What am I missing?







passwords






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Mar 16 at 19:44









W2aW2a

376124




376124







  • 7





    Passwords could be stolen also by eavesdropping them on the points they pass unencrypted. And at least on a point they are unencrypted, namely on the keyboard of the user.

    – peterh
    Mar 16 at 21:04







  • 136





    "Everywhere I look it says servers store passwords in hashed form" No, it says servers should store passwords in hashed form!!

    – Lightness Races in Orbit
    Mar 17 at 1:18






  • 14





    If you password is "123abc", no amount of hashing, salting or peppering will keep your account secure once the database is stolen.

    – Dmitry Grigoryev
    Mar 18 at 9:02






  • 1





    You also need to educate people about security. If your password has enough entropy, you use hashes and salt but your employees write down passwords on post-it and leave them around, or just give them to that colleague who "really needs that file on the server" you will have problems. Look up "Social Engineering"

    – Axel2D
    Mar 18 at 15:55







  • 6





    I worked a food counter for long enough that for a half-dozen combos, if you told me a customer's total, I could tell you what they ordered, without a receipt or knowledge of their particular order.

    – dandavis
    Mar 18 at 19:02













  • 7





    Passwords could be stolen also by eavesdropping them on the points they pass unencrypted. And at least on a point they are unencrypted, namely on the keyboard of the user.

    – peterh
    Mar 16 at 21:04







  • 136





    "Everywhere I look it says servers store passwords in hashed form" No, it says servers should store passwords in hashed form!!

    – Lightness Races in Orbit
    Mar 17 at 1:18






  • 14





    If you password is "123abc", no amount of hashing, salting or peppering will keep your account secure once the database is stolen.

    – Dmitry Grigoryev
    Mar 18 at 9:02






  • 1





    You also need to educate people about security. If your password has enough entropy, you use hashes and salt but your employees write down passwords on post-it and leave them around, or just give them to that colleague who "really needs that file on the server" you will have problems. Look up "Social Engineering"

    – Axel2D
    Mar 18 at 15:55







  • 6





    I worked a food counter for long enough that for a half-dozen combos, if you told me a customer's total, I could tell you what they ordered, without a receipt or knowledge of their particular order.

    – dandavis
    Mar 18 at 19:02








7




7





Passwords could be stolen also by eavesdropping them on the points they pass unencrypted. And at least on a point they are unencrypted, namely on the keyboard of the user.

– peterh
Mar 16 at 21:04






Passwords could be stolen also by eavesdropping them on the points they pass unencrypted. And at least on a point they are unencrypted, namely on the keyboard of the user.

– peterh
Mar 16 at 21:04





136




136





"Everywhere I look it says servers store passwords in hashed form" No, it says servers should store passwords in hashed form!!

– Lightness Races in Orbit
Mar 17 at 1:18





"Everywhere I look it says servers store passwords in hashed form" No, it says servers should store passwords in hashed form!!

– Lightness Races in Orbit
Mar 17 at 1:18




14




14





If you password is "123abc", no amount of hashing, salting or peppering will keep your account secure once the database is stolen.

– Dmitry Grigoryev
Mar 18 at 9:02





If you password is "123abc", no amount of hashing, salting or peppering will keep your account secure once the database is stolen.

– Dmitry Grigoryev
Mar 18 at 9:02




1




1





You also need to educate people about security. If your password has enough entropy, you use hashes and salt but your employees write down passwords on post-it and leave them around, or just give them to that colleague who "really needs that file on the server" you will have problems. Look up "Social Engineering"

– Axel2D
Mar 18 at 15:55






You also need to educate people about security. If your password has enough entropy, you use hashes and salt but your employees write down passwords on post-it and leave them around, or just give them to that colleague who "really needs that file on the server" you will have problems. Look up "Social Engineering"

– Axel2D
Mar 18 at 15:55





6




6





I worked a food counter for long enough that for a half-dozen combos, if you told me a customer's total, I could tell you what they ordered, without a receipt or knowledge of their particular order.

– dandavis
Mar 18 at 19:02






I worked a food counter for long enough that for a half-dozen combos, if you told me a customer's total, I could tell you what they ordered, without a receipt or knowledge of their particular order.

– dandavis
Mar 18 at 19:02











8 Answers
8






active

oldest

votes


















85














There are two common failings, over and above letting the databases or files get stolen in the first place.



Unfortunately, and against all security recommendations, many systems still store plain text passwords.



Hashed passwords are technically not reversible, but as has been pointed out by others, it's possible to hash millions of password guesses then simply look for matches. In fact, what usually happens is that tables of pre-computed passwords and hashes (Rainbow Tables) are available and used to look for matches. A good rainbow table can support a high percentage match in fractions of a second per password hash.



Using a salt (an extra non-secret extension of the password) in the hash prevents the use of pre-computed rainbow tables.



Most compromisers depend upon rainbow tables. Computing their own hash set is certainly possible, but it's extremely time consuming (as in months or longer), so it's generally the vanilla hash that's vulnerable.



Using a salt stops rainbow tables, and a high round count of hashed hashes of hashes can make brute force transition from months to years or longer. Most institutions simply don't implement this level of security.






share|improve this answer




















  • 35





    I disagree with your statement "most compromisers depend upon rainbow tables". While they are useful in some situations, evidence suggests password cracking is still more popular since it is remains useful regardless of salting, different hash types, and iterative hashing.

    – PwdRsch
    Mar 17 at 19:54






  • 5





    Salts don't prevent the use of precomputed rainbow tables or stop rainbow tables. They merely make it orders of magnitude harder. Remember, it's possible (but so unlikely we can safely pretend it will never happen) that a random number generator could guess your password on the first try.

    – CJ Dennis
    Mar 17 at 23:16






  • 2





    "Hashed passwords are technically not reversible"... true but misleading, since you don't need to reverse it, you just need a preimage that hashes to the same thing.

    – Mehrdad
    Mar 18 at 1:02






  • 9





    "...many systems still store plain text passwords." Yup. About 2 years ago, we received a copy of a database that we were building a replacement for. (We were going to migrate data over.) Whoever dumped it and sent it to us didn't bother to scrub all the plain text passwords from it, meaning I could have gone in an impersonated anyone I wanted on a live government system.

    – jpmc26
    Mar 18 at 18:17







  • 5





    The website plaintextoffenders.com maintains a list of companies found to be storing your passwords in plaintext or some other recoverable format. The list currently has over 5,000 entries.

    – anaximander
    Mar 19 at 9:31


















30














When you hear that passwords got stolen, sometimes companies will report it even if it's just hashed passwords that were stolen. This is so you can take action in the case that they are broken. Unfortunately, there are still companies that store their passwords incorrectly; for example, if you search for the rockyou password breach, you'll find that they were storing their passwords in clear text, which means that they were compromised as soon as they were stolen. In other cases, such as the Adobe password breach, there was mishandling of storing the encrypted passwords in their database. Other times, companies use hashing on their passwords but use insecure hashing algorithms or they don't salt their passwords properly. In short, if a company follows recommended password storage methods, the passwords in theory should be safe in their hashed form, but a good company will still inform their customers of the breach. However, there are plenty of examples where companies do not store passwords correctly leading them to be cracked quite quickly.






share|improve this answer




















  • 2





    And even if you do everything right, stealing all the hashed passwords (along with usernames or e-mails, presumably) makes it much easier to do other attacks on the passwords - especially with old mechanisms like MD5, salting or not. And given that most people use the same password on multiple sites, and the passwords are still quite weak often enough... Granted, if you use a good slow hash with proper salting, the impact is very low.

    – Luaan
    Mar 18 at 8:16


















19














You hash a large number of potential passwords*, then check whether each output matches any hashes from the stolen password database. Brute force cracking is feasible because people do not usually choose highly unpredictable passwords.



When a password database is stolen, the stolen material includes all the information necessary to do offline cracking. (It's simply a guess and check process. Other methods may be available with less secure hashing or password storage methods.)



* If salts are used, then the cracker must consider those too. If each account uses a unique salt then crackers can't simply target everyone by hashing every candidate password once. If multiple accounts are being targeted then the password you want to try has to be hashed one time for each salt. If password hashes are unsalted or all use the same salt it's a lot easier to do untargeted attacks; you would only need to hash a candidate password once to figure out the full list of users that had that password. Salts also render useless attempts to use precomputing of hashes to save cracking effort. Salts DO NOT reduce the number of hashes that need to be evaluated if only one account is being targeted. Those nuances aside, the basis of password cracking remains a guess and check process.




Hashing passwords with a preimage resistant functions with a sufficiently unpredictable input is enough to make it impossible recover a password. (An inhumanly strong password.)



However, most people don't do this in the real world, a stolen database of hashes is potentially as worrying as a list of unhashed passwords for a large subset of users on a typical website.



If the password cracker finds candidate password whose hash matches the one stored in the database, then he will have recovered the original (weak) password.




Alternatively, if a hash function is not preimage resistant (including when the output of the hash is too short) a guess-and-check procedure may produce false positives. (Alternative passwords not identical to the original.)



The accounts of users from the company with the data breach are still vulnerable because these passwords will unlock a user's account, even if they aren't identical to the original password. (The server has no way to tell if it's the original password. The hash still matches the one in the stolen database in this case.)



Don't intentionally use an insecure hash function, of course... It's still possible to infer the original password or narrow down the number of possibilities. Which would still make users that reuse passwords on other websites extra vulnerable.




There are other ways passwords can get stolen which don't stem from a copy of a database of password hashes getting leaked. Plaintext login information could be logged. (By observing unencrypted/decrypted network traffic, by hacking and rewriting server code, or utilizing client side bugs, for example.) Then that log can be exfiltrated.



And of course some companies might not have been using secure password verification schemes in the first place or may leak the plaintext through a bug1,2.



Despite the alternative explanations for some instances of mass password breaches, plaintext passwords recovery from password hashes is common and effective. It is not so effective, however, that 100% of the hashes in every large database leak will be recovered.



If passwords are processed with a cryptographic hash function, then users with extremely strong passwords do not need to be as worried as typical users. (But most people over estimate password strength and their own cleverness.) After spending significant resources to crack 99% of the hashes it probably isn't worth it or practical to crack the last 1%. But strong passwords are no good if passwords aren't hashed.



Developers should use a password stretching algorithm. These algorithms just try to make password hashing more expensive. (For both legitimate users and password crackers.) Argon2 is currently the best password stretching algorithm, especially on Intel/ARM CPUs. Argon2 specifically can go a very long way to reduce the fraction of hashes which will get cracked. (Weak passwords will still be crackable.)






share|improve this answer




















  • 1





    "You hash a large number of passwords, then check if the output matches any of the stored hashes." Salting defeates this.

    – Taemyr
    Mar 19 at 6:51











  • @Taemyr It's not clear to me this means pre-computed hashes, though it could be a little clearer. Salting only makes dictionary attacks more computationally difficult, and pre-computation impossible.

    – Steve Sether
    Mar 19 at 17:16











  • @Taemyr Except if they have managed to compromise your systems enough to steal your database, they may also have managed to steal your salt.

    – Dijkgraaf
    Mar 19 at 18:03











  • I did not want to complicate things further by going into salting but at this point I may as well since the question got more traffic. Ideally I would state the same information in a simpler more organized format... The web tends to oversimplify the reason for using salts to "it's more secure" or "it's totally secure". They make the herd safer, but not the individual. Salts can be completely effective against "reversing" hashes using lookup tables. They don't do much at all to slow down targeted attacks. But anyone not using long random unique salts has made a massive mistake. Also, use Argon2

    – Future Security
    Mar 20 at 5:21


















17














Many possibilities:



  1. Even though passwords should be hashed before storage, it's not always the case. Sadly, even today, there are still plenty of passwords stored as cleartext. Steal database, get all passwords.


  2. Passwords could be stored somewhere else. Passwords could be included in logs, for instance. Steal logs, get all passwords that were used in those logs.


  3. Passwords could be hashed but not salted. So you build a list of password -> hash combinations based on all sorts of passwords. You reverse this table so it becomes hash -> password (lookup table). Get database, convert hashes to passwords, get lots of passwords.


  4. Passwords are hashed and salted. But lots of users use very weak passwords (123456, password, letmein, qwerty...). Try lists of passwords against those hashes. Get database, make a dictionary attack on hashes, get lots of passwords.


  5. Variation on the previous one, instead of a pre-determined list of passwords, try passwords based on other information you have about the user (username, first name, last name, date of birth, e-mail...).


  6. Yet another variation, as many users re-use the same password: try passwords for the same e-mail/username recovered from other breaches.


  7. Yet another variation, when there is a strong password policy in place which requires changing passwords on a regular basis: if you have a previous password for the user, just try changing the final numbers: if user had password "joe12" at one point, try joe13, joe14, joe15... If you have the date the initial password was valid and know the password change interval, it can be quite quick.


  8. Passwords are hashed and salted, but use weak (fast) hashes. Same as #4-7, but you can do a lot more attempts a lot more quickly, so you can try a larger dictionary, or even try quite systematically all combinations (brute force attack).


  9. Communication between clients and servers are susceptible to man-in-the-middle (MITM) attacks. Passwords are captured on the way.


  10. You perform social engineering. "Hello, this is the IT department, there's an issue with your account, we need to reset something, can you give me your password"? You'd be amazed how often that works if properly framed.


  11. Mass social engineering, aka phishing: send a mass e-mail campaign asking to log into a site which will capture all those passwords.


  12. Hack into the site, and modify it so it sends all passwords received to a remote server (or logs them to a file you'll retrieve later).


  13. Ditto, but modify client-side code to do it. Could be as easy as a stored XSS hack.


  14. A variation on the above: keyloggers.


There's probably quite a few more methods, but that gives you an idea of how easy it can be to recover tons of passwords.






share|improve this answer

























  • Number 7 for me is just genious

    – gota
    Mar 19 at 17:15











  • This is by far the most complete and accurate answer.

    – Steve Sether
    Mar 19 at 17:18


















6














As we are not discussing how the passwords have been stolen, and more so the aftermath, I'll avoid the many number of factors said companies should implement to help prevent these data breaches.



If you make a website and manage the database, it's down to us to store that information efficiently. If we don't, when there is a data breach attackers can view passwords in what may as well be plain text, as often is the case (depending on the way in which these are stored).



In short, you'd never want this to happen! -- Password cracking is a very common and real thing, just because passwords are hashed does not make them in any way secure.



Let's say a company has 1000 customer passwords, all of which are hashed.



Let's say 600 of those customers had a password, 8 characters long, the likelihood of those passwords being cracked within the first 5 minutes (being generous) is very high.



"5 minutes?! But they were hashed!"....



Yeah, but the passwords of those 600 customers were still poor, along with an equally poor hashing algorithm.



Without going into too much detail in the interest of simplifying the explanation; password cracking works by simply matching the hash to a dictionary file of words, running through each word to see if their hash matches the ones that have been obtained from those 600 customers, for example, your password might be:



Password: Security



MD5 Hashed: 2FAE32629D4EF4FC6341F1751B405E45



I then just run some favorable hacking tools against those hashes to "crack" them.



Should you ever want to store passwords yourself, MD5 should be avoided, above was purely for example purposes. Instead, research the stronger types of hashing algorithms, it makes it much harder for attackers to successfully make use of the passwords they have stolen.



The short answer; hashing, or whatever format you store your passwords has no effect on the ability for hackers to steal these. They are stolen because of a variety of different vulnerabilities. There are a multitude of attacks in which help obtain passwords (hashed or not).






share|improve this answer




















  • 12





    Just to note that with a weak password like 'Security', you don't even need a cracking tool, you can just Google 2FAE32629D4EF4FC6341F1751B405E45

    – richardb
    Mar 17 at 15:15






  • 3





    And even more so, now that this article is indexed!

    – Mark K Cowan
    Mar 18 at 17:47











  • Just as a note: While MD5 should not be used at all in preference to newer algorithms like SHA2 or SHA3, for password hashing those are almost equally bad, just because they are too fast. Use an iterated hash like PBKDF2, bcrypt or scrypt with suitable security parameters instead.

    – Paŭlo Ebermann
    2 days ago


















0














One particularly important point is that when the password database is secure and only accessible to the legitimate service, someone trying to access an account can only try them out individually via the legitimate service. Repeated failed attempts can be noticed, an automated alert provided, and appropriate action taken to limit further login attempts from the same source.



Once the password database is stolen, and details of the hashing algorithm are known, the person(s) in possession of the stolen password database can try millions or billions of passwords against their copy of the database without causing any further alert to anyone, and when they've found one that works on their offline copy, only then do they attempt to access the legitimate service impersonating one of the users of that service (maybe you!).



A significant proportion of users have passwords that are likely to be in the first billion that an attacker would try, so it's only a matter of a relatively short amount of time before the attacker can access a significant proportion of accounts.



Those users who really do have strong passwords, should be able to safely ignore a compromise where only hashed passwords were leaked, but many users do not in fact have sufficiently strong passwords to resist this kind of offline attack, merely ones that seem strong enough to the sites automated password strength checker, which is normally more concerned about ensuring accounts are sufficiently strong to resist online attacks against the legitimate service.






share|improve this answer








New contributor




Steve is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



























    -1














    Also take the following attack vector into consideration for web applications:



    If the attacker can modify the frontend code, then with a small script the plaintext passwords could be "sniffed" for a while.



    If the script can be injected from the backend, then it could be set to only show for visitors from certain countries to better protect against malicious frontend code change detection automations in place running in the same country where the application is being run from.






    share|improve this answer






























      -2














      While storing passwords in hashed form is desirable, it can also pose some difficulties. If it is necessary for one entity to issue a request to another entity on behalf of a user, and the second entity requires submission of plaintext passwords for validation, the first entity will need to hold the user's password in a form that would be convertible to plaintext.



      To allow for this, companies may store passwords in various kinds of hardware security modules which audit all attempts to retrieve passwords from them. This approach mitigates many of the dangers involved with plaintext password storage. It can't mitigate all of the dangers, but if an entity is supposed to have authority to access an outside entity on behalf of a user, and the outside entity won't accept anything other than the user's password as evidence of that authority, some of the dangers associated with plain-text passwords will be inescapable no matter what the first entity tries to do.






      share|improve this answer






















        Your Answer








        StackExchange.ready(function()
        var channelOptions =
        tags: "".split(" "),
        id: "162"
        ;
        initTagRenderer("".split(" "), "".split(" "), channelOptions);

        StackExchange.using("externalEditor", function()
        // Have to fire editor after snippets, if snippets enabled
        if (StackExchange.settings.snippets.snippetsEnabled)
        StackExchange.using("snippets", function()
        createEditor();
        );

        else
        createEditor();

        );

        function createEditor()
        StackExchange.prepareEditor(
        heartbeatType: 'answer',
        autoActivateHeartbeat: false,
        convertImagesToLinks: false,
        noModals: true,
        showLowRepImageUploadWarning: true,
        reputationToPostImages: null,
        bindNavPrevention: true,
        postfix: "",
        imageUploader:
        brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
        contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
        allowUrls: true
        ,
        noCode: true, onDemand: true,
        discardSelector: ".discard-answer"
        ,immediatelyShowMarkdownHelp:true
        );



        );













        draft saved

        draft discarded


















        StackExchange.ready(
        function ()
        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205519%2fhow-are-passwords-stolen-from-companies-if-they-only-store-hashes%23new-answer', 'question_page');

        );

        Post as a guest















        Required, but never shown

























        8 Answers
        8






        active

        oldest

        votes








        8 Answers
        8






        active

        oldest

        votes









        active

        oldest

        votes






        active

        oldest

        votes









        85














        There are two common failings, over and above letting the databases or files get stolen in the first place.



        Unfortunately, and against all security recommendations, many systems still store plain text passwords.



        Hashed passwords are technically not reversible, but as has been pointed out by others, it's possible to hash millions of password guesses then simply look for matches. In fact, what usually happens is that tables of pre-computed passwords and hashes (Rainbow Tables) are available and used to look for matches. A good rainbow table can support a high percentage match in fractions of a second per password hash.



        Using a salt (an extra non-secret extension of the password) in the hash prevents the use of pre-computed rainbow tables.



        Most compromisers depend upon rainbow tables. Computing their own hash set is certainly possible, but it's extremely time consuming (as in months or longer), so it's generally the vanilla hash that's vulnerable.



        Using a salt stops rainbow tables, and a high round count of hashed hashes of hashes can make brute force transition from months to years or longer. Most institutions simply don't implement this level of security.






        share|improve this answer




















        • 35





          I disagree with your statement "most compromisers depend upon rainbow tables". While they are useful in some situations, evidence suggests password cracking is still more popular since it is remains useful regardless of salting, different hash types, and iterative hashing.

          – PwdRsch
          Mar 17 at 19:54






        • 5





          Salts don't prevent the use of precomputed rainbow tables or stop rainbow tables. They merely make it orders of magnitude harder. Remember, it's possible (but so unlikely we can safely pretend it will never happen) that a random number generator could guess your password on the first try.

          – CJ Dennis
          Mar 17 at 23:16






        • 2





          "Hashed passwords are technically not reversible"... true but misleading, since you don't need to reverse it, you just need a preimage that hashes to the same thing.

          – Mehrdad
          Mar 18 at 1:02






        • 9





          "...many systems still store plain text passwords." Yup. About 2 years ago, we received a copy of a database that we were building a replacement for. (We were going to migrate data over.) Whoever dumped it and sent it to us didn't bother to scrub all the plain text passwords from it, meaning I could have gone in an impersonated anyone I wanted on a live government system.

          – jpmc26
          Mar 18 at 18:17







        • 5





          The website plaintextoffenders.com maintains a list of companies found to be storing your passwords in plaintext or some other recoverable format. The list currently has over 5,000 entries.

          – anaximander
          Mar 19 at 9:31















        85














        There are two common failings, over and above letting the databases or files get stolen in the first place.



        Unfortunately, and against all security recommendations, many systems still store plain text passwords.



        Hashed passwords are technically not reversible, but as has been pointed out by others, it's possible to hash millions of password guesses then simply look for matches. In fact, what usually happens is that tables of pre-computed passwords and hashes (Rainbow Tables) are available and used to look for matches. A good rainbow table can support a high percentage match in fractions of a second per password hash.



        Using a salt (an extra non-secret extension of the password) in the hash prevents the use of pre-computed rainbow tables.



        Most compromisers depend upon rainbow tables. Computing their own hash set is certainly possible, but it's extremely time consuming (as in months or longer), so it's generally the vanilla hash that's vulnerable.



        Using a salt stops rainbow tables, and a high round count of hashed hashes of hashes can make brute force transition from months to years or longer. Most institutions simply don't implement this level of security.






        share|improve this answer




















        • 35





          I disagree with your statement "most compromisers depend upon rainbow tables". While they are useful in some situations, evidence suggests password cracking is still more popular since it is remains useful regardless of salting, different hash types, and iterative hashing.

          – PwdRsch
          Mar 17 at 19:54






        • 5





          Salts don't prevent the use of precomputed rainbow tables or stop rainbow tables. They merely make it orders of magnitude harder. Remember, it's possible (but so unlikely we can safely pretend it will never happen) that a random number generator could guess your password on the first try.

          – CJ Dennis
          Mar 17 at 23:16






        • 2





          "Hashed passwords are technically not reversible"... true but misleading, since you don't need to reverse it, you just need a preimage that hashes to the same thing.

          – Mehrdad
          Mar 18 at 1:02






        • 9





          "...many systems still store plain text passwords." Yup. About 2 years ago, we received a copy of a database that we were building a replacement for. (We were going to migrate data over.) Whoever dumped it and sent it to us didn't bother to scrub all the plain text passwords from it, meaning I could have gone in an impersonated anyone I wanted on a live government system.

          – jpmc26
          Mar 18 at 18:17







        • 5





          The website plaintextoffenders.com maintains a list of companies found to be storing your passwords in plaintext or some other recoverable format. The list currently has over 5,000 entries.

          – anaximander
          Mar 19 at 9:31













        85












        85








        85







        There are two common failings, over and above letting the databases or files get stolen in the first place.



        Unfortunately, and against all security recommendations, many systems still store plain text passwords.



        Hashed passwords are technically not reversible, but as has been pointed out by others, it's possible to hash millions of password guesses then simply look for matches. In fact, what usually happens is that tables of pre-computed passwords and hashes (Rainbow Tables) are available and used to look for matches. A good rainbow table can support a high percentage match in fractions of a second per password hash.



        Using a salt (an extra non-secret extension of the password) in the hash prevents the use of pre-computed rainbow tables.



        Most compromisers depend upon rainbow tables. Computing their own hash set is certainly possible, but it's extremely time consuming (as in months or longer), so it's generally the vanilla hash that's vulnerable.



        Using a salt stops rainbow tables, and a high round count of hashed hashes of hashes can make brute force transition from months to years or longer. Most institutions simply don't implement this level of security.






        share|improve this answer















        There are two common failings, over and above letting the databases or files get stolen in the first place.



        Unfortunately, and against all security recommendations, many systems still store plain text passwords.



        Hashed passwords are technically not reversible, but as has been pointed out by others, it's possible to hash millions of password guesses then simply look for matches. In fact, what usually happens is that tables of pre-computed passwords and hashes (Rainbow Tables) are available and used to look for matches. A good rainbow table can support a high percentage match in fractions of a second per password hash.



        Using a salt (an extra non-secret extension of the password) in the hash prevents the use of pre-computed rainbow tables.



        Most compromisers depend upon rainbow tables. Computing their own hash set is certainly possible, but it's extremely time consuming (as in months or longer), so it's generally the vanilla hash that's vulnerable.



        Using a salt stops rainbow tables, and a high round count of hashed hashes of hashes can make brute force transition from months to years or longer. Most institutions simply don't implement this level of security.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Mar 18 at 14:28









        scohe001

        1226




        1226










        answered Mar 16 at 23:42









        user10216038user10216038

        1,350310




        1,350310







        • 35





          I disagree with your statement "most compromisers depend upon rainbow tables". While they are useful in some situations, evidence suggests password cracking is still more popular since it is remains useful regardless of salting, different hash types, and iterative hashing.

          – PwdRsch
          Mar 17 at 19:54






        • 5





          Salts don't prevent the use of precomputed rainbow tables or stop rainbow tables. They merely make it orders of magnitude harder. Remember, it's possible (but so unlikely we can safely pretend it will never happen) that a random number generator could guess your password on the first try.

          – CJ Dennis
          Mar 17 at 23:16






        • 2





          "Hashed passwords are technically not reversible"... true but misleading, since you don't need to reverse it, you just need a preimage that hashes to the same thing.

          – Mehrdad
          Mar 18 at 1:02






        • 9





          "...many systems still store plain text passwords." Yup. About 2 years ago, we received a copy of a database that we were building a replacement for. (We were going to migrate data over.) Whoever dumped it and sent it to us didn't bother to scrub all the plain text passwords from it, meaning I could have gone in an impersonated anyone I wanted on a live government system.

          – jpmc26
          Mar 18 at 18:17







        • 5





          The website plaintextoffenders.com maintains a list of companies found to be storing your passwords in plaintext or some other recoverable format. The list currently has over 5,000 entries.

          – anaximander
          Mar 19 at 9:31












        • 35





          I disagree with your statement "most compromisers depend upon rainbow tables". While they are useful in some situations, evidence suggests password cracking is still more popular since it is remains useful regardless of salting, different hash types, and iterative hashing.

          – PwdRsch
          Mar 17 at 19:54






        • 5





          Salts don't prevent the use of precomputed rainbow tables or stop rainbow tables. They merely make it orders of magnitude harder. Remember, it's possible (but so unlikely we can safely pretend it will never happen) that a random number generator could guess your password on the first try.

          – CJ Dennis
          Mar 17 at 23:16






        • 2





          "Hashed passwords are technically not reversible"... true but misleading, since you don't need to reverse it, you just need a preimage that hashes to the same thing.

          – Mehrdad
          Mar 18 at 1:02






        • 9





          "...many systems still store plain text passwords." Yup. About 2 years ago, we received a copy of a database that we were building a replacement for. (We were going to migrate data over.) Whoever dumped it and sent it to us didn't bother to scrub all the plain text passwords from it, meaning I could have gone in an impersonated anyone I wanted on a live government system.

          – jpmc26
          Mar 18 at 18:17







        • 5





          The website plaintextoffenders.com maintains a list of companies found to be storing your passwords in plaintext or some other recoverable format. The list currently has over 5,000 entries.

          – anaximander
          Mar 19 at 9:31







        35




        35





        I disagree with your statement "most compromisers depend upon rainbow tables". While they are useful in some situations, evidence suggests password cracking is still more popular since it is remains useful regardless of salting, different hash types, and iterative hashing.

        – PwdRsch
        Mar 17 at 19:54





        I disagree with your statement "most compromisers depend upon rainbow tables". While they are useful in some situations, evidence suggests password cracking is still more popular since it is remains useful regardless of salting, different hash types, and iterative hashing.

        – PwdRsch
        Mar 17 at 19:54




        5




        5





        Salts don't prevent the use of precomputed rainbow tables or stop rainbow tables. They merely make it orders of magnitude harder. Remember, it's possible (but so unlikely we can safely pretend it will never happen) that a random number generator could guess your password on the first try.

        – CJ Dennis
        Mar 17 at 23:16





        Salts don't prevent the use of precomputed rainbow tables or stop rainbow tables. They merely make it orders of magnitude harder. Remember, it's possible (but so unlikely we can safely pretend it will never happen) that a random number generator could guess your password on the first try.

        – CJ Dennis
        Mar 17 at 23:16




        2




        2





        "Hashed passwords are technically not reversible"... true but misleading, since you don't need to reverse it, you just need a preimage that hashes to the same thing.

        – Mehrdad
        Mar 18 at 1:02





        "Hashed passwords are technically not reversible"... true but misleading, since you don't need to reverse it, you just need a preimage that hashes to the same thing.

        – Mehrdad
        Mar 18 at 1:02




        9




        9





        "...many systems still store plain text passwords." Yup. About 2 years ago, we received a copy of a database that we were building a replacement for. (We were going to migrate data over.) Whoever dumped it and sent it to us didn't bother to scrub all the plain text passwords from it, meaning I could have gone in an impersonated anyone I wanted on a live government system.

        – jpmc26
        Mar 18 at 18:17






        "...many systems still store plain text passwords." Yup. About 2 years ago, we received a copy of a database that we were building a replacement for. (We were going to migrate data over.) Whoever dumped it and sent it to us didn't bother to scrub all the plain text passwords from it, meaning I could have gone in an impersonated anyone I wanted on a live government system.

        – jpmc26
        Mar 18 at 18:17





        5




        5





        The website plaintextoffenders.com maintains a list of companies found to be storing your passwords in plaintext or some other recoverable format. The list currently has over 5,000 entries.

        – anaximander
        Mar 19 at 9:31





        The website plaintextoffenders.com maintains a list of companies found to be storing your passwords in plaintext or some other recoverable format. The list currently has over 5,000 entries.

        – anaximander
        Mar 19 at 9:31













        30














        When you hear that passwords got stolen, sometimes companies will report it even if it's just hashed passwords that were stolen. This is so you can take action in the case that they are broken. Unfortunately, there are still companies that store their passwords incorrectly; for example, if you search for the rockyou password breach, you'll find that they were storing their passwords in clear text, which means that they were compromised as soon as they were stolen. In other cases, such as the Adobe password breach, there was mishandling of storing the encrypted passwords in their database. Other times, companies use hashing on their passwords but use insecure hashing algorithms or they don't salt their passwords properly. In short, if a company follows recommended password storage methods, the passwords in theory should be safe in their hashed form, but a good company will still inform their customers of the breach. However, there are plenty of examples where companies do not store passwords correctly leading them to be cracked quite quickly.






        share|improve this answer




















        • 2





          And even if you do everything right, stealing all the hashed passwords (along with usernames or e-mails, presumably) makes it much easier to do other attacks on the passwords - especially with old mechanisms like MD5, salting or not. And given that most people use the same password on multiple sites, and the passwords are still quite weak often enough... Granted, if you use a good slow hash with proper salting, the impact is very low.

          – Luaan
          Mar 18 at 8:16















        30














        When you hear that passwords got stolen, sometimes companies will report it even if it's just hashed passwords that were stolen. This is so you can take action in the case that they are broken. Unfortunately, there are still companies that store their passwords incorrectly; for example, if you search for the rockyou password breach, you'll find that they were storing their passwords in clear text, which means that they were compromised as soon as they were stolen. In other cases, such as the Adobe password breach, there was mishandling of storing the encrypted passwords in their database. Other times, companies use hashing on their passwords but use insecure hashing algorithms or they don't salt their passwords properly. In short, if a company follows recommended password storage methods, the passwords in theory should be safe in their hashed form, but a good company will still inform their customers of the breach. However, there are plenty of examples where companies do not store passwords correctly leading them to be cracked quite quickly.






        share|improve this answer




















        • 2





          And even if you do everything right, stealing all the hashed passwords (along with usernames or e-mails, presumably) makes it much easier to do other attacks on the passwords - especially with old mechanisms like MD5, salting or not. And given that most people use the same password on multiple sites, and the passwords are still quite weak often enough... Granted, if you use a good slow hash with proper salting, the impact is very low.

          – Luaan
          Mar 18 at 8:16













        30












        30








        30







        When you hear that passwords got stolen, sometimes companies will report it even if it's just hashed passwords that were stolen. This is so you can take action in the case that they are broken. Unfortunately, there are still companies that store their passwords incorrectly; for example, if you search for the rockyou password breach, you'll find that they were storing their passwords in clear text, which means that they were compromised as soon as they were stolen. In other cases, such as the Adobe password breach, there was mishandling of storing the encrypted passwords in their database. Other times, companies use hashing on their passwords but use insecure hashing algorithms or they don't salt their passwords properly. In short, if a company follows recommended password storage methods, the passwords in theory should be safe in their hashed form, but a good company will still inform their customers of the breach. However, there are plenty of examples where companies do not store passwords correctly leading them to be cracked quite quickly.






        share|improve this answer















        When you hear that passwords got stolen, sometimes companies will report it even if it's just hashed passwords that were stolen. This is so you can take action in the case that they are broken. Unfortunately, there are still companies that store their passwords incorrectly; for example, if you search for the rockyou password breach, you'll find that they were storing their passwords in clear text, which means that they were compromised as soon as they were stolen. In other cases, such as the Adobe password breach, there was mishandling of storing the encrypted passwords in their database. Other times, companies use hashing on their passwords but use insecure hashing algorithms or they don't salt their passwords properly. In short, if a company follows recommended password storage methods, the passwords in theory should be safe in their hashed form, but a good company will still inform their customers of the breach. However, there are plenty of examples where companies do not store passwords correctly leading them to be cracked quite quickly.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Mar 17 at 20:28









        jwodder

        15316




        15316










        answered Mar 16 at 20:28









        Dam30nDam30n

        41123




        41123







        • 2





          And even if you do everything right, stealing all the hashed passwords (along with usernames or e-mails, presumably) makes it much easier to do other attacks on the passwords - especially with old mechanisms like MD5, salting or not. And given that most people use the same password on multiple sites, and the passwords are still quite weak often enough... Granted, if you use a good slow hash with proper salting, the impact is very low.

          – Luaan
          Mar 18 at 8:16












        • 2





          And even if you do everything right, stealing all the hashed passwords (along with usernames or e-mails, presumably) makes it much easier to do other attacks on the passwords - especially with old mechanisms like MD5, salting or not. And given that most people use the same password on multiple sites, and the passwords are still quite weak often enough... Granted, if you use a good slow hash with proper salting, the impact is very low.

          – Luaan
          Mar 18 at 8:16







        2




        2





        And even if you do everything right, stealing all the hashed passwords (along with usernames or e-mails, presumably) makes it much easier to do other attacks on the passwords - especially with old mechanisms like MD5, salting or not. And given that most people use the same password on multiple sites, and the passwords are still quite weak often enough... Granted, if you use a good slow hash with proper salting, the impact is very low.

        – Luaan
        Mar 18 at 8:16





        And even if you do everything right, stealing all the hashed passwords (along with usernames or e-mails, presumably) makes it much easier to do other attacks on the passwords - especially with old mechanisms like MD5, salting or not. And given that most people use the same password on multiple sites, and the passwords are still quite weak often enough... Granted, if you use a good slow hash with proper salting, the impact is very low.

        – Luaan
        Mar 18 at 8:16











        19














        You hash a large number of potential passwords*, then check whether each output matches any hashes from the stolen password database. Brute force cracking is feasible because people do not usually choose highly unpredictable passwords.



        When a password database is stolen, the stolen material includes all the information necessary to do offline cracking. (It's simply a guess and check process. Other methods may be available with less secure hashing or password storage methods.)



        * If salts are used, then the cracker must consider those too. If each account uses a unique salt then crackers can't simply target everyone by hashing every candidate password once. If multiple accounts are being targeted then the password you want to try has to be hashed one time for each salt. If password hashes are unsalted or all use the same salt it's a lot easier to do untargeted attacks; you would only need to hash a candidate password once to figure out the full list of users that had that password. Salts also render useless attempts to use precomputing of hashes to save cracking effort. Salts DO NOT reduce the number of hashes that need to be evaluated if only one account is being targeted. Those nuances aside, the basis of password cracking remains a guess and check process.




        Hashing passwords with a preimage resistant functions with a sufficiently unpredictable input is enough to make it impossible recover a password. (An inhumanly strong password.)



        However, most people don't do this in the real world, a stolen database of hashes is potentially as worrying as a list of unhashed passwords for a large subset of users on a typical website.



        If the password cracker finds candidate password whose hash matches the one stored in the database, then he will have recovered the original (weak) password.




        Alternatively, if a hash function is not preimage resistant (including when the output of the hash is too short) a guess-and-check procedure may produce false positives. (Alternative passwords not identical to the original.)



        The accounts of users from the company with the data breach are still vulnerable because these passwords will unlock a user's account, even if they aren't identical to the original password. (The server has no way to tell if it's the original password. The hash still matches the one in the stolen database in this case.)



        Don't intentionally use an insecure hash function, of course... It's still possible to infer the original password or narrow down the number of possibilities. Which would still make users that reuse passwords on other websites extra vulnerable.




        There are other ways passwords can get stolen which don't stem from a copy of a database of password hashes getting leaked. Plaintext login information could be logged. (By observing unencrypted/decrypted network traffic, by hacking and rewriting server code, or utilizing client side bugs, for example.) Then that log can be exfiltrated.



        And of course some companies might not have been using secure password verification schemes in the first place or may leak the plaintext through a bug1,2.



        Despite the alternative explanations for some instances of mass password breaches, plaintext passwords recovery from password hashes is common and effective. It is not so effective, however, that 100% of the hashes in every large database leak will be recovered.



        If passwords are processed with a cryptographic hash function, then users with extremely strong passwords do not need to be as worried as typical users. (But most people over estimate password strength and their own cleverness.) After spending significant resources to crack 99% of the hashes it probably isn't worth it or practical to crack the last 1%. But strong passwords are no good if passwords aren't hashed.



        Developers should use a password stretching algorithm. These algorithms just try to make password hashing more expensive. (For both legitimate users and password crackers.) Argon2 is currently the best password stretching algorithm, especially on Intel/ARM CPUs. Argon2 specifically can go a very long way to reduce the fraction of hashes which will get cracked. (Weak passwords will still be crackable.)






        share|improve this answer




















        • 1





          "You hash a large number of passwords, then check if the output matches any of the stored hashes." Salting defeates this.

          – Taemyr
          Mar 19 at 6:51











        • @Taemyr It's not clear to me this means pre-computed hashes, though it could be a little clearer. Salting only makes dictionary attacks more computationally difficult, and pre-computation impossible.

          – Steve Sether
          Mar 19 at 17:16











        • @Taemyr Except if they have managed to compromise your systems enough to steal your database, they may also have managed to steal your salt.

          – Dijkgraaf
          Mar 19 at 18:03











        • I did not want to complicate things further by going into salting but at this point I may as well since the question got more traffic. Ideally I would state the same information in a simpler more organized format... The web tends to oversimplify the reason for using salts to "it's more secure" or "it's totally secure". They make the herd safer, but not the individual. Salts can be completely effective against "reversing" hashes using lookup tables. They don't do much at all to slow down targeted attacks. But anyone not using long random unique salts has made a massive mistake. Also, use Argon2

          – Future Security
          Mar 20 at 5:21















        19














        You hash a large number of potential passwords*, then check whether each output matches any hashes from the stolen password database. Brute force cracking is feasible because people do not usually choose highly unpredictable passwords.



        When a password database is stolen, the stolen material includes all the information necessary to do offline cracking. (It's simply a guess and check process. Other methods may be available with less secure hashing or password storage methods.)



        * If salts are used, then the cracker must consider those too. If each account uses a unique salt then crackers can't simply target everyone by hashing every candidate password once. If multiple accounts are being targeted then the password you want to try has to be hashed one time for each salt. If password hashes are unsalted or all use the same salt it's a lot easier to do untargeted attacks; you would only need to hash a candidate password once to figure out the full list of users that had that password. Salts also render useless attempts to use precomputing of hashes to save cracking effort. Salts DO NOT reduce the number of hashes that need to be evaluated if only one account is being targeted. Those nuances aside, the basis of password cracking remains a guess and check process.




        Hashing passwords with a preimage resistant functions with a sufficiently unpredictable input is enough to make it impossible recover a password. (An inhumanly strong password.)



        However, most people don't do this in the real world, a stolen database of hashes is potentially as worrying as a list of unhashed passwords for a large subset of users on a typical website.



        If the password cracker finds candidate password whose hash matches the one stored in the database, then he will have recovered the original (weak) password.




        Alternatively, if a hash function is not preimage resistant (including when the output of the hash is too short) a guess-and-check procedure may produce false positives. (Alternative passwords not identical to the original.)



        The accounts of users from the company with the data breach are still vulnerable because these passwords will unlock a user's account, even if they aren't identical to the original password. (The server has no way to tell if it's the original password. The hash still matches the one in the stolen database in this case.)



        Don't intentionally use an insecure hash function, of course... It's still possible to infer the original password or narrow down the number of possibilities. Which would still make users that reuse passwords on other websites extra vulnerable.




        There are other ways passwords can get stolen which don't stem from a copy of a database of password hashes getting leaked. Plaintext login information could be logged. (By observing unencrypted/decrypted network traffic, by hacking and rewriting server code, or utilizing client side bugs, for example.) Then that log can be exfiltrated.



        And of course some companies might not have been using secure password verification schemes in the first place or may leak the plaintext through a bug1,2.



        Despite the alternative explanations for some instances of mass password breaches, plaintext passwords recovery from password hashes is common and effective. It is not so effective, however, that 100% of the hashes in every large database leak will be recovered.



        If passwords are processed with a cryptographic hash function, then users with extremely strong passwords do not need to be as worried as typical users. (But most people over estimate password strength and their own cleverness.) After spending significant resources to crack 99% of the hashes it probably isn't worth it or practical to crack the last 1%. But strong passwords are no good if passwords aren't hashed.



        Developers should use a password stretching algorithm. These algorithms just try to make password hashing more expensive. (For both legitimate users and password crackers.) Argon2 is currently the best password stretching algorithm, especially on Intel/ARM CPUs. Argon2 specifically can go a very long way to reduce the fraction of hashes which will get cracked. (Weak passwords will still be crackable.)






        share|improve this answer




















        • 1





          "You hash a large number of passwords, then check if the output matches any of the stored hashes." Salting defeates this.

          – Taemyr
          Mar 19 at 6:51











        • @Taemyr It's not clear to me this means pre-computed hashes, though it could be a little clearer. Salting only makes dictionary attacks more computationally difficult, and pre-computation impossible.

          – Steve Sether
          Mar 19 at 17:16











        • @Taemyr Except if they have managed to compromise your systems enough to steal your database, they may also have managed to steal your salt.

          – Dijkgraaf
          Mar 19 at 18:03











        • I did not want to complicate things further by going into salting but at this point I may as well since the question got more traffic. Ideally I would state the same information in a simpler more organized format... The web tends to oversimplify the reason for using salts to "it's more secure" or "it's totally secure". They make the herd safer, but not the individual. Salts can be completely effective against "reversing" hashes using lookup tables. They don't do much at all to slow down targeted attacks. But anyone not using long random unique salts has made a massive mistake. Also, use Argon2

          – Future Security
          Mar 20 at 5:21













        19












        19








        19







        You hash a large number of potential passwords*, then check whether each output matches any hashes from the stolen password database. Brute force cracking is feasible because people do not usually choose highly unpredictable passwords.



        When a password database is stolen, the stolen material includes all the information necessary to do offline cracking. (It's simply a guess and check process. Other methods may be available with less secure hashing or password storage methods.)



        * If salts are used, then the cracker must consider those too. If each account uses a unique salt then crackers can't simply target everyone by hashing every candidate password once. If multiple accounts are being targeted then the password you want to try has to be hashed one time for each salt. If password hashes are unsalted or all use the same salt it's a lot easier to do untargeted attacks; you would only need to hash a candidate password once to figure out the full list of users that had that password. Salts also render useless attempts to use precomputing of hashes to save cracking effort. Salts DO NOT reduce the number of hashes that need to be evaluated if only one account is being targeted. Those nuances aside, the basis of password cracking remains a guess and check process.




        Hashing passwords with a preimage resistant functions with a sufficiently unpredictable input is enough to make it impossible recover a password. (An inhumanly strong password.)



        However, most people don't do this in the real world, a stolen database of hashes is potentially as worrying as a list of unhashed passwords for a large subset of users on a typical website.



        If the password cracker finds candidate password whose hash matches the one stored in the database, then he will have recovered the original (weak) password.




        Alternatively, if a hash function is not preimage resistant (including when the output of the hash is too short) a guess-and-check procedure may produce false positives. (Alternative passwords not identical to the original.)



        The accounts of users from the company with the data breach are still vulnerable because these passwords will unlock a user's account, even if they aren't identical to the original password. (The server has no way to tell if it's the original password. The hash still matches the one in the stolen database in this case.)



        Don't intentionally use an insecure hash function, of course... It's still possible to infer the original password or narrow down the number of possibilities. Which would still make users that reuse passwords on other websites extra vulnerable.




        There are other ways passwords can get stolen which don't stem from a copy of a database of password hashes getting leaked. Plaintext login information could be logged. (By observing unencrypted/decrypted network traffic, by hacking and rewriting server code, or utilizing client side bugs, for example.) Then that log can be exfiltrated.



        And of course some companies might not have been using secure password verification schemes in the first place or may leak the plaintext through a bug1,2.



        Despite the alternative explanations for some instances of mass password breaches, plaintext passwords recovery from password hashes is common and effective. It is not so effective, however, that 100% of the hashes in every large database leak will be recovered.



        If passwords are processed with a cryptographic hash function, then users with extremely strong passwords do not need to be as worried as typical users. (But most people over estimate password strength and their own cleverness.) After spending significant resources to crack 99% of the hashes it probably isn't worth it or practical to crack the last 1%. But strong passwords are no good if passwords aren't hashed.



        Developers should use a password stretching algorithm. These algorithms just try to make password hashing more expensive. (For both legitimate users and password crackers.) Argon2 is currently the best password stretching algorithm, especially on Intel/ARM CPUs. Argon2 specifically can go a very long way to reduce the fraction of hashes which will get cracked. (Weak passwords will still be crackable.)






        share|improve this answer















        You hash a large number of potential passwords*, then check whether each output matches any hashes from the stolen password database. Brute force cracking is feasible because people do not usually choose highly unpredictable passwords.



        When a password database is stolen, the stolen material includes all the information necessary to do offline cracking. (It's simply a guess and check process. Other methods may be available with less secure hashing or password storage methods.)



        * If salts are used, then the cracker must consider those too. If each account uses a unique salt then crackers can't simply target everyone by hashing every candidate password once. If multiple accounts are being targeted then the password you want to try has to be hashed one time for each salt. If password hashes are unsalted or all use the same salt it's a lot easier to do untargeted attacks; you would only need to hash a candidate password once to figure out the full list of users that had that password. Salts also render useless attempts to use precomputing of hashes to save cracking effort. Salts DO NOT reduce the number of hashes that need to be evaluated if only one account is being targeted. Those nuances aside, the basis of password cracking remains a guess and check process.




        Hashing passwords with a preimage resistant functions with a sufficiently unpredictable input is enough to make it impossible recover a password. (An inhumanly strong password.)



        However, most people don't do this in the real world, a stolen database of hashes is potentially as worrying as a list of unhashed passwords for a large subset of users on a typical website.



        If the password cracker finds candidate password whose hash matches the one stored in the database, then he will have recovered the original (weak) password.




        Alternatively, if a hash function is not preimage resistant (including when the output of the hash is too short) a guess-and-check procedure may produce false positives. (Alternative passwords not identical to the original.)



        The accounts of users from the company with the data breach are still vulnerable because these passwords will unlock a user's account, even if they aren't identical to the original password. (The server has no way to tell if it's the original password. The hash still matches the one in the stolen database in this case.)



        Don't intentionally use an insecure hash function, of course... It's still possible to infer the original password or narrow down the number of possibilities. Which would still make users that reuse passwords on other websites extra vulnerable.




        There are other ways passwords can get stolen which don't stem from a copy of a database of password hashes getting leaked. Plaintext login information could be logged. (By observing unencrypted/decrypted network traffic, by hacking and rewriting server code, or utilizing client side bugs, for example.) Then that log can be exfiltrated.



        And of course some companies might not have been using secure password verification schemes in the first place or may leak the plaintext through a bug1,2.



        Despite the alternative explanations for some instances of mass password breaches, plaintext passwords recovery from password hashes is common and effective. It is not so effective, however, that 100% of the hashes in every large database leak will be recovered.



        If passwords are processed with a cryptographic hash function, then users with extremely strong passwords do not need to be as worried as typical users. (But most people over estimate password strength and their own cleverness.) After spending significant resources to crack 99% of the hashes it probably isn't worth it or practical to crack the last 1%. But strong passwords are no good if passwords aren't hashed.



        Developers should use a password stretching algorithm. These algorithms just try to make password hashing more expensive. (For both legitimate users and password crackers.) Argon2 is currently the best password stretching algorithm, especially on Intel/ARM CPUs. Argon2 specifically can go a very long way to reduce the fraction of hashes which will get cracked. (Weak passwords will still be crackable.)







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Mar 20 at 5:39

























        answered Mar 16 at 21:52









        Future SecurityFuture Security

        1,101212




        1,101212







        • 1





          "You hash a large number of passwords, then check if the output matches any of the stored hashes." Salting defeates this.

          – Taemyr
          Mar 19 at 6:51











        • @Taemyr It's not clear to me this means pre-computed hashes, though it could be a little clearer. Salting only makes dictionary attacks more computationally difficult, and pre-computation impossible.

          – Steve Sether
          Mar 19 at 17:16











        • @Taemyr Except if they have managed to compromise your systems enough to steal your database, they may also have managed to steal your salt.

          – Dijkgraaf
          Mar 19 at 18:03











        • I did not want to complicate things further by going into salting but at this point I may as well since the question got more traffic. Ideally I would state the same information in a simpler more organized format... The web tends to oversimplify the reason for using salts to "it's more secure" or "it's totally secure". They make the herd safer, but not the individual. Salts can be completely effective against "reversing" hashes using lookup tables. They don't do much at all to slow down targeted attacks. But anyone not using long random unique salts has made a massive mistake. Also, use Argon2

          – Future Security
          Mar 20 at 5:21












        • 1





          "You hash a large number of passwords, then check if the output matches any of the stored hashes." Salting defeates this.

          – Taemyr
          Mar 19 at 6:51











        • @Taemyr It's not clear to me this means pre-computed hashes, though it could be a little clearer. Salting only makes dictionary attacks more computationally difficult, and pre-computation impossible.

          – Steve Sether
          Mar 19 at 17:16











        • @Taemyr Except if they have managed to compromise your systems enough to steal your database, they may also have managed to steal your salt.

          – Dijkgraaf
          Mar 19 at 18:03











        • I did not want to complicate things further by going into salting but at this point I may as well since the question got more traffic. Ideally I would state the same information in a simpler more organized format... The web tends to oversimplify the reason for using salts to "it's more secure" or "it's totally secure". They make the herd safer, but not the individual. Salts can be completely effective against "reversing" hashes using lookup tables. They don't do much at all to slow down targeted attacks. But anyone not using long random unique salts has made a massive mistake. Also, use Argon2

          – Future Security
          Mar 20 at 5:21







        1




        1





        "You hash a large number of passwords, then check if the output matches any of the stored hashes." Salting defeates this.

        – Taemyr
        Mar 19 at 6:51





        "You hash a large number of passwords, then check if the output matches any of the stored hashes." Salting defeates this.

        – Taemyr
        Mar 19 at 6:51













        @Taemyr It's not clear to me this means pre-computed hashes, though it could be a little clearer. Salting only makes dictionary attacks more computationally difficult, and pre-computation impossible.

        – Steve Sether
        Mar 19 at 17:16





        @Taemyr It's not clear to me this means pre-computed hashes, though it could be a little clearer. Salting only makes dictionary attacks more computationally difficult, and pre-computation impossible.

        – Steve Sether
        Mar 19 at 17:16













        @Taemyr Except if they have managed to compromise your systems enough to steal your database, they may also have managed to steal your salt.

        – Dijkgraaf
        Mar 19 at 18:03





        @Taemyr Except if they have managed to compromise your systems enough to steal your database, they may also have managed to steal your salt.

        – Dijkgraaf
        Mar 19 at 18:03













        I did not want to complicate things further by going into salting but at this point I may as well since the question got more traffic. Ideally I would state the same information in a simpler more organized format... The web tends to oversimplify the reason for using salts to "it's more secure" or "it's totally secure". They make the herd safer, but not the individual. Salts can be completely effective against "reversing" hashes using lookup tables. They don't do much at all to slow down targeted attacks. But anyone not using long random unique salts has made a massive mistake. Also, use Argon2

        – Future Security
        Mar 20 at 5:21





        I did not want to complicate things further by going into salting but at this point I may as well since the question got more traffic. Ideally I would state the same information in a simpler more organized format... The web tends to oversimplify the reason for using salts to "it's more secure" or "it's totally secure". They make the herd safer, but not the individual. Salts can be completely effective against "reversing" hashes using lookup tables. They don't do much at all to slow down targeted attacks. But anyone not using long random unique salts has made a massive mistake. Also, use Argon2

        – Future Security
        Mar 20 at 5:21











        17














        Many possibilities:



        1. Even though passwords should be hashed before storage, it's not always the case. Sadly, even today, there are still plenty of passwords stored as cleartext. Steal database, get all passwords.


        2. Passwords could be stored somewhere else. Passwords could be included in logs, for instance. Steal logs, get all passwords that were used in those logs.


        3. Passwords could be hashed but not salted. So you build a list of password -> hash combinations based on all sorts of passwords. You reverse this table so it becomes hash -> password (lookup table). Get database, convert hashes to passwords, get lots of passwords.


        4. Passwords are hashed and salted. But lots of users use very weak passwords (123456, password, letmein, qwerty...). Try lists of passwords against those hashes. Get database, make a dictionary attack on hashes, get lots of passwords.


        5. Variation on the previous one, instead of a pre-determined list of passwords, try passwords based on other information you have about the user (username, first name, last name, date of birth, e-mail...).


        6. Yet another variation, as many users re-use the same password: try passwords for the same e-mail/username recovered from other breaches.


        7. Yet another variation, when there is a strong password policy in place which requires changing passwords on a regular basis: if you have a previous password for the user, just try changing the final numbers: if user had password "joe12" at one point, try joe13, joe14, joe15... If you have the date the initial password was valid and know the password change interval, it can be quite quick.


        8. Passwords are hashed and salted, but use weak (fast) hashes. Same as #4-7, but you can do a lot more attempts a lot more quickly, so you can try a larger dictionary, or even try quite systematically all combinations (brute force attack).


        9. Communication between clients and servers are susceptible to man-in-the-middle (MITM) attacks. Passwords are captured on the way.


        10. You perform social engineering. "Hello, this is the IT department, there's an issue with your account, we need to reset something, can you give me your password"? You'd be amazed how often that works if properly framed.


        11. Mass social engineering, aka phishing: send a mass e-mail campaign asking to log into a site which will capture all those passwords.


        12. Hack into the site, and modify it so it sends all passwords received to a remote server (or logs them to a file you'll retrieve later).


        13. Ditto, but modify client-side code to do it. Could be as easy as a stored XSS hack.


        14. A variation on the above: keyloggers.


        There's probably quite a few more methods, but that gives you an idea of how easy it can be to recover tons of passwords.






        share|improve this answer

























        • Number 7 for me is just genious

          – gota
          Mar 19 at 17:15











        • This is by far the most complete and accurate answer.

          – Steve Sether
          Mar 19 at 17:18















        17














        Many possibilities:



        1. Even though passwords should be hashed before storage, it's not always the case. Sadly, even today, there are still plenty of passwords stored as cleartext. Steal database, get all passwords.


        2. Passwords could be stored somewhere else. Passwords could be included in logs, for instance. Steal logs, get all passwords that were used in those logs.


        3. Passwords could be hashed but not salted. So you build a list of password -> hash combinations based on all sorts of passwords. You reverse this table so it becomes hash -> password (lookup table). Get database, convert hashes to passwords, get lots of passwords.


        4. Passwords are hashed and salted. But lots of users use very weak passwords (123456, password, letmein, qwerty...). Try lists of passwords against those hashes. Get database, make a dictionary attack on hashes, get lots of passwords.


        5. Variation on the previous one, instead of a pre-determined list of passwords, try passwords based on other information you have about the user (username, first name, last name, date of birth, e-mail...).


        6. Yet another variation, as many users re-use the same password: try passwords for the same e-mail/username recovered from other breaches.


        7. Yet another variation, when there is a strong password policy in place which requires changing passwords on a regular basis: if you have a previous password for the user, just try changing the final numbers: if user had password "joe12" at one point, try joe13, joe14, joe15... If you have the date the initial password was valid and know the password change interval, it can be quite quick.


        8. Passwords are hashed and salted, but use weak (fast) hashes. Same as #4-7, but you can do a lot more attempts a lot more quickly, so you can try a larger dictionary, or even try quite systematically all combinations (brute force attack).


        9. Communication between clients and servers are susceptible to man-in-the-middle (MITM) attacks. Passwords are captured on the way.


        10. You perform social engineering. "Hello, this is the IT department, there's an issue with your account, we need to reset something, can you give me your password"? You'd be amazed how often that works if properly framed.


        11. Mass social engineering, aka phishing: send a mass e-mail campaign asking to log into a site which will capture all those passwords.


        12. Hack into the site, and modify it so it sends all passwords received to a remote server (or logs them to a file you'll retrieve later).


        13. Ditto, but modify client-side code to do it. Could be as easy as a stored XSS hack.


        14. A variation on the above: keyloggers.


        There's probably quite a few more methods, but that gives you an idea of how easy it can be to recover tons of passwords.






        share|improve this answer

























        • Number 7 for me is just genious

          – gota
          Mar 19 at 17:15











        • This is by far the most complete and accurate answer.

          – Steve Sether
          Mar 19 at 17:18













        17












        17








        17







        Many possibilities:



        1. Even though passwords should be hashed before storage, it's not always the case. Sadly, even today, there are still plenty of passwords stored as cleartext. Steal database, get all passwords.


        2. Passwords could be stored somewhere else. Passwords could be included in logs, for instance. Steal logs, get all passwords that were used in those logs.


        3. Passwords could be hashed but not salted. So you build a list of password -> hash combinations based on all sorts of passwords. You reverse this table so it becomes hash -> password (lookup table). Get database, convert hashes to passwords, get lots of passwords.


        4. Passwords are hashed and salted. But lots of users use very weak passwords (123456, password, letmein, qwerty...). Try lists of passwords against those hashes. Get database, make a dictionary attack on hashes, get lots of passwords.


        5. Variation on the previous one, instead of a pre-determined list of passwords, try passwords based on other information you have about the user (username, first name, last name, date of birth, e-mail...).


        6. Yet another variation, as many users re-use the same password: try passwords for the same e-mail/username recovered from other breaches.


        7. Yet another variation, when there is a strong password policy in place which requires changing passwords on a regular basis: if you have a previous password for the user, just try changing the final numbers: if user had password "joe12" at one point, try joe13, joe14, joe15... If you have the date the initial password was valid and know the password change interval, it can be quite quick.


        8. Passwords are hashed and salted, but use weak (fast) hashes. Same as #4-7, but you can do a lot more attempts a lot more quickly, so you can try a larger dictionary, or even try quite systematically all combinations (brute force attack).


        9. Communication between clients and servers are susceptible to man-in-the-middle (MITM) attacks. Passwords are captured on the way.


        10. You perform social engineering. "Hello, this is the IT department, there's an issue with your account, we need to reset something, can you give me your password"? You'd be amazed how often that works if properly framed.


        11. Mass social engineering, aka phishing: send a mass e-mail campaign asking to log into a site which will capture all those passwords.


        12. Hack into the site, and modify it so it sends all passwords received to a remote server (or logs them to a file you'll retrieve later).


        13. Ditto, but modify client-side code to do it. Could be as easy as a stored XSS hack.


        14. A variation on the above: keyloggers.


        There's probably quite a few more methods, but that gives you an idea of how easy it can be to recover tons of passwords.






        share|improve this answer















        Many possibilities:



        1. Even though passwords should be hashed before storage, it's not always the case. Sadly, even today, there are still plenty of passwords stored as cleartext. Steal database, get all passwords.


        2. Passwords could be stored somewhere else. Passwords could be included in logs, for instance. Steal logs, get all passwords that were used in those logs.


        3. Passwords could be hashed but not salted. So you build a list of password -> hash combinations based on all sorts of passwords. You reverse this table so it becomes hash -> password (lookup table). Get database, convert hashes to passwords, get lots of passwords.


        4. Passwords are hashed and salted. But lots of users use very weak passwords (123456, password, letmein, qwerty...). Try lists of passwords against those hashes. Get database, make a dictionary attack on hashes, get lots of passwords.


        5. Variation on the previous one, instead of a pre-determined list of passwords, try passwords based on other information you have about the user (username, first name, last name, date of birth, e-mail...).


        6. Yet another variation, as many users re-use the same password: try passwords for the same e-mail/username recovered from other breaches.


        7. Yet another variation, when there is a strong password policy in place which requires changing passwords on a regular basis: if you have a previous password for the user, just try changing the final numbers: if user had password "joe12" at one point, try joe13, joe14, joe15... If you have the date the initial password was valid and know the password change interval, it can be quite quick.


        8. Passwords are hashed and salted, but use weak (fast) hashes. Same as #4-7, but you can do a lot more attempts a lot more quickly, so you can try a larger dictionary, or even try quite systematically all combinations (brute force attack).


        9. Communication between clients and servers are susceptible to man-in-the-middle (MITM) attacks. Passwords are captured on the way.


        10. You perform social engineering. "Hello, this is the IT department, there's an issue with your account, we need to reset something, can you give me your password"? You'd be amazed how often that works if properly framed.


        11. Mass social engineering, aka phishing: send a mass e-mail campaign asking to log into a site which will capture all those passwords.


        12. Hack into the site, and modify it so it sends all passwords received to a remote server (or logs them to a file you'll retrieve later).


        13. Ditto, but modify client-side code to do it. Could be as easy as a stored XSS hack.


        14. A variation on the above: keyloggers.


        There's probably quite a few more methods, but that gives you an idea of how easy it can be to recover tons of passwords.







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Mar 19 at 12:33

























        answered Mar 18 at 14:22









        jcaronjcaron

        905413




        905413












        • Number 7 for me is just genious

          – gota
          Mar 19 at 17:15











        • This is by far the most complete and accurate answer.

          – Steve Sether
          Mar 19 at 17:18

















        • Number 7 for me is just genious

          – gota
          Mar 19 at 17:15











        • This is by far the most complete and accurate answer.

          – Steve Sether
          Mar 19 at 17:18
















        Number 7 for me is just genious

        – gota
        Mar 19 at 17:15





        Number 7 for me is just genious

        – gota
        Mar 19 at 17:15













        This is by far the most complete and accurate answer.

        – Steve Sether
        Mar 19 at 17:18





        This is by far the most complete and accurate answer.

        – Steve Sether
        Mar 19 at 17:18











        6














        As we are not discussing how the passwords have been stolen, and more so the aftermath, I'll avoid the many number of factors said companies should implement to help prevent these data breaches.



        If you make a website and manage the database, it's down to us to store that information efficiently. If we don't, when there is a data breach attackers can view passwords in what may as well be plain text, as often is the case (depending on the way in which these are stored).



        In short, you'd never want this to happen! -- Password cracking is a very common and real thing, just because passwords are hashed does not make them in any way secure.



        Let's say a company has 1000 customer passwords, all of which are hashed.



        Let's say 600 of those customers had a password, 8 characters long, the likelihood of those passwords being cracked within the first 5 minutes (being generous) is very high.



        "5 minutes?! But they were hashed!"....



        Yeah, but the passwords of those 600 customers were still poor, along with an equally poor hashing algorithm.



        Without going into too much detail in the interest of simplifying the explanation; password cracking works by simply matching the hash to a dictionary file of words, running through each word to see if their hash matches the ones that have been obtained from those 600 customers, for example, your password might be:



        Password: Security



        MD5 Hashed: 2FAE32629D4EF4FC6341F1751B405E45



        I then just run some favorable hacking tools against those hashes to "crack" them.



        Should you ever want to store passwords yourself, MD5 should be avoided, above was purely for example purposes. Instead, research the stronger types of hashing algorithms, it makes it much harder for attackers to successfully make use of the passwords they have stolen.



        The short answer; hashing, or whatever format you store your passwords has no effect on the ability for hackers to steal these. They are stolen because of a variety of different vulnerabilities. There are a multitude of attacks in which help obtain passwords (hashed or not).






        share|improve this answer




















        • 12





          Just to note that with a weak password like 'Security', you don't even need a cracking tool, you can just Google 2FAE32629D4EF4FC6341F1751B405E45

          – richardb
          Mar 17 at 15:15






        • 3





          And even more so, now that this article is indexed!

          – Mark K Cowan
          Mar 18 at 17:47











        • Just as a note: While MD5 should not be used at all in preference to newer algorithms like SHA2 or SHA3, for password hashing those are almost equally bad, just because they are too fast. Use an iterated hash like PBKDF2, bcrypt or scrypt with suitable security parameters instead.

          – Paŭlo Ebermann
          2 days ago















        6














        As we are not discussing how the passwords have been stolen, and more so the aftermath, I'll avoid the many number of factors said companies should implement to help prevent these data breaches.



        If you make a website and manage the database, it's down to us to store that information efficiently. If we don't, when there is a data breach attackers can view passwords in what may as well be plain text, as often is the case (depending on the way in which these are stored).



        In short, you'd never want this to happen! -- Password cracking is a very common and real thing, just because passwords are hashed does not make them in any way secure.



        Let's say a company has 1000 customer passwords, all of which are hashed.



        Let's say 600 of those customers had a password, 8 characters long, the likelihood of those passwords being cracked within the first 5 minutes (being generous) is very high.



        "5 minutes?! But they were hashed!"....



        Yeah, but the passwords of those 600 customers were still poor, along with an equally poor hashing algorithm.



        Without going into too much detail in the interest of simplifying the explanation; password cracking works by simply matching the hash to a dictionary file of words, running through each word to see if their hash matches the ones that have been obtained from those 600 customers, for example, your password might be:



        Password: Security



        MD5 Hashed: 2FAE32629D4EF4FC6341F1751B405E45



        I then just run some favorable hacking tools against those hashes to "crack" them.



        Should you ever want to store passwords yourself, MD5 should be avoided, above was purely for example purposes. Instead, research the stronger types of hashing algorithms, it makes it much harder for attackers to successfully make use of the passwords they have stolen.



        The short answer; hashing, or whatever format you store your passwords has no effect on the ability for hackers to steal these. They are stolen because of a variety of different vulnerabilities. There are a multitude of attacks in which help obtain passwords (hashed or not).






        share|improve this answer




















        • 12





          Just to note that with a weak password like 'Security', you don't even need a cracking tool, you can just Google 2FAE32629D4EF4FC6341F1751B405E45

          – richardb
          Mar 17 at 15:15






        • 3





          And even more so, now that this article is indexed!

          – Mark K Cowan
          Mar 18 at 17:47











        • Just as a note: While MD5 should not be used at all in preference to newer algorithms like SHA2 or SHA3, for password hashing those are almost equally bad, just because they are too fast. Use an iterated hash like PBKDF2, bcrypt or scrypt with suitable security parameters instead.

          – Paŭlo Ebermann
          2 days ago













        6












        6








        6







        As we are not discussing how the passwords have been stolen, and more so the aftermath, I'll avoid the many number of factors said companies should implement to help prevent these data breaches.



        If you make a website and manage the database, it's down to us to store that information efficiently. If we don't, when there is a data breach attackers can view passwords in what may as well be plain text, as often is the case (depending on the way in which these are stored).



        In short, you'd never want this to happen! -- Password cracking is a very common and real thing, just because passwords are hashed does not make them in any way secure.



        Let's say a company has 1000 customer passwords, all of which are hashed.



        Let's say 600 of those customers had a password, 8 characters long, the likelihood of those passwords being cracked within the first 5 minutes (being generous) is very high.



        "5 minutes?! But they were hashed!"....



        Yeah, but the passwords of those 600 customers were still poor, along with an equally poor hashing algorithm.



        Without going into too much detail in the interest of simplifying the explanation; password cracking works by simply matching the hash to a dictionary file of words, running through each word to see if their hash matches the ones that have been obtained from those 600 customers, for example, your password might be:



        Password: Security



        MD5 Hashed: 2FAE32629D4EF4FC6341F1751B405E45



        I then just run some favorable hacking tools against those hashes to "crack" them.



        Should you ever want to store passwords yourself, MD5 should be avoided, above was purely for example purposes. Instead, research the stronger types of hashing algorithms, it makes it much harder for attackers to successfully make use of the passwords they have stolen.



        The short answer; hashing, or whatever format you store your passwords has no effect on the ability for hackers to steal these. They are stolen because of a variety of different vulnerabilities. There are a multitude of attacks in which help obtain passwords (hashed or not).






        share|improve this answer















        As we are not discussing how the passwords have been stolen, and more so the aftermath, I'll avoid the many number of factors said companies should implement to help prevent these data breaches.



        If you make a website and manage the database, it's down to us to store that information efficiently. If we don't, when there is a data breach attackers can view passwords in what may as well be plain text, as often is the case (depending on the way in which these are stored).



        In short, you'd never want this to happen! -- Password cracking is a very common and real thing, just because passwords are hashed does not make them in any way secure.



        Let's say a company has 1000 customer passwords, all of which are hashed.



        Let's say 600 of those customers had a password, 8 characters long, the likelihood of those passwords being cracked within the first 5 minutes (being generous) is very high.



        "5 minutes?! But they were hashed!"....



        Yeah, but the passwords of those 600 customers were still poor, along with an equally poor hashing algorithm.



        Without going into too much detail in the interest of simplifying the explanation; password cracking works by simply matching the hash to a dictionary file of words, running through each word to see if their hash matches the ones that have been obtained from those 600 customers, for example, your password might be:



        Password: Security



        MD5 Hashed: 2FAE32629D4EF4FC6341F1751B405E45



        I then just run some favorable hacking tools against those hashes to "crack" them.



        Should you ever want to store passwords yourself, MD5 should be avoided, above was purely for example purposes. Instead, research the stronger types of hashing algorithms, it makes it much harder for attackers to successfully make use of the passwords they have stolen.



        The short answer; hashing, or whatever format you store your passwords has no effect on the ability for hackers to steal these. They are stolen because of a variety of different vulnerabilities. There are a multitude of attacks in which help obtain passwords (hashed or not).







        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Mar 17 at 10:27









        schroeder

        78k30173209




        78k30173209










        answered Mar 16 at 21:21









        Tipping44Tipping44

        1572




        1572







        • 12





          Just to note that with a weak password like 'Security', you don't even need a cracking tool, you can just Google 2FAE32629D4EF4FC6341F1751B405E45

          – richardb
          Mar 17 at 15:15






        • 3





          And even more so, now that this article is indexed!

          – Mark K Cowan
          Mar 18 at 17:47











        • Just as a note: While MD5 should not be used at all in preference to newer algorithms like SHA2 or SHA3, for password hashing those are almost equally bad, just because they are too fast. Use an iterated hash like PBKDF2, bcrypt or scrypt with suitable security parameters instead.

          – Paŭlo Ebermann
          2 days ago












        • 12





          Just to note that with a weak password like 'Security', you don't even need a cracking tool, you can just Google 2FAE32629D4EF4FC6341F1751B405E45

          – richardb
          Mar 17 at 15:15






        • 3





          And even more so, now that this article is indexed!

          – Mark K Cowan
          Mar 18 at 17:47











        • Just as a note: While MD5 should not be used at all in preference to newer algorithms like SHA2 or SHA3, for password hashing those are almost equally bad, just because they are too fast. Use an iterated hash like PBKDF2, bcrypt or scrypt with suitable security parameters instead.

          – Paŭlo Ebermann
          2 days ago







        12




        12





        Just to note that with a weak password like 'Security', you don't even need a cracking tool, you can just Google 2FAE32629D4EF4FC6341F1751B405E45

        – richardb
        Mar 17 at 15:15





        Just to note that with a weak password like 'Security', you don't even need a cracking tool, you can just Google 2FAE32629D4EF4FC6341F1751B405E45

        – richardb
        Mar 17 at 15:15




        3




        3





        And even more so, now that this article is indexed!

        – Mark K Cowan
        Mar 18 at 17:47





        And even more so, now that this article is indexed!

        – Mark K Cowan
        Mar 18 at 17:47













        Just as a note: While MD5 should not be used at all in preference to newer algorithms like SHA2 or SHA3, for password hashing those are almost equally bad, just because they are too fast. Use an iterated hash like PBKDF2, bcrypt or scrypt with suitable security parameters instead.

        – Paŭlo Ebermann
        2 days ago





        Just as a note: While MD5 should not be used at all in preference to newer algorithms like SHA2 or SHA3, for password hashing those are almost equally bad, just because they are too fast. Use an iterated hash like PBKDF2, bcrypt or scrypt with suitable security parameters instead.

        – Paŭlo Ebermann
        2 days ago











        0














        One particularly important point is that when the password database is secure and only accessible to the legitimate service, someone trying to access an account can only try them out individually via the legitimate service. Repeated failed attempts can be noticed, an automated alert provided, and appropriate action taken to limit further login attempts from the same source.



        Once the password database is stolen, and details of the hashing algorithm are known, the person(s) in possession of the stolen password database can try millions or billions of passwords against their copy of the database without causing any further alert to anyone, and when they've found one that works on their offline copy, only then do they attempt to access the legitimate service impersonating one of the users of that service (maybe you!).



        A significant proportion of users have passwords that are likely to be in the first billion that an attacker would try, so it's only a matter of a relatively short amount of time before the attacker can access a significant proportion of accounts.



        Those users who really do have strong passwords, should be able to safely ignore a compromise where only hashed passwords were leaked, but many users do not in fact have sufficiently strong passwords to resist this kind of offline attack, merely ones that seem strong enough to the sites automated password strength checker, which is normally more concerned about ensuring accounts are sufficiently strong to resist online attacks against the legitimate service.






        share|improve this answer








        New contributor




        Steve is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.
























          0














          One particularly important point is that when the password database is secure and only accessible to the legitimate service, someone trying to access an account can only try them out individually via the legitimate service. Repeated failed attempts can be noticed, an automated alert provided, and appropriate action taken to limit further login attempts from the same source.



          Once the password database is stolen, and details of the hashing algorithm are known, the person(s) in possession of the stolen password database can try millions or billions of passwords against their copy of the database without causing any further alert to anyone, and when they've found one that works on their offline copy, only then do they attempt to access the legitimate service impersonating one of the users of that service (maybe you!).



          A significant proportion of users have passwords that are likely to be in the first billion that an attacker would try, so it's only a matter of a relatively short amount of time before the attacker can access a significant proportion of accounts.



          Those users who really do have strong passwords, should be able to safely ignore a compromise where only hashed passwords were leaked, but many users do not in fact have sufficiently strong passwords to resist this kind of offline attack, merely ones that seem strong enough to the sites automated password strength checker, which is normally more concerned about ensuring accounts are sufficiently strong to resist online attacks against the legitimate service.






          share|improve this answer








          New contributor




          Steve is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
          Check out our Code of Conduct.






















            0












            0








            0







            One particularly important point is that when the password database is secure and only accessible to the legitimate service, someone trying to access an account can only try them out individually via the legitimate service. Repeated failed attempts can be noticed, an automated alert provided, and appropriate action taken to limit further login attempts from the same source.



            Once the password database is stolen, and details of the hashing algorithm are known, the person(s) in possession of the stolen password database can try millions or billions of passwords against their copy of the database without causing any further alert to anyone, and when they've found one that works on their offline copy, only then do they attempt to access the legitimate service impersonating one of the users of that service (maybe you!).



            A significant proportion of users have passwords that are likely to be in the first billion that an attacker would try, so it's only a matter of a relatively short amount of time before the attacker can access a significant proportion of accounts.



            Those users who really do have strong passwords, should be able to safely ignore a compromise where only hashed passwords were leaked, but many users do not in fact have sufficiently strong passwords to resist this kind of offline attack, merely ones that seem strong enough to the sites automated password strength checker, which is normally more concerned about ensuring accounts are sufficiently strong to resist online attacks against the legitimate service.






            share|improve this answer








            New contributor




            Steve is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.










            One particularly important point is that when the password database is secure and only accessible to the legitimate service, someone trying to access an account can only try them out individually via the legitimate service. Repeated failed attempts can be noticed, an automated alert provided, and appropriate action taken to limit further login attempts from the same source.



            Once the password database is stolen, and details of the hashing algorithm are known, the person(s) in possession of the stolen password database can try millions or billions of passwords against their copy of the database without causing any further alert to anyone, and when they've found one that works on their offline copy, only then do they attempt to access the legitimate service impersonating one of the users of that service (maybe you!).



            A significant proportion of users have passwords that are likely to be in the first billion that an attacker would try, so it's only a matter of a relatively short amount of time before the attacker can access a significant proportion of accounts.



            Those users who really do have strong passwords, should be able to safely ignore a compromise where only hashed passwords were leaked, but many users do not in fact have sufficiently strong passwords to resist this kind of offline attack, merely ones that seem strong enough to the sites automated password strength checker, which is normally more concerned about ensuring accounts are sufficiently strong to resist online attacks against the legitimate service.







            share|improve this answer








            New contributor




            Steve is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.









            share|improve this answer



            share|improve this answer






            New contributor




            Steve is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.









            answered Mar 19 at 16:33









            SteveSteve

            101




            101




            New contributor




            Steve is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.





            New contributor





            Steve is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.






            Steve is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
            Check out our Code of Conduct.





















                -1














                Also take the following attack vector into consideration for web applications:



                If the attacker can modify the frontend code, then with a small script the plaintext passwords could be "sniffed" for a while.



                If the script can be injected from the backend, then it could be set to only show for visitors from certain countries to better protect against malicious frontend code change detection automations in place running in the same country where the application is being run from.






                share|improve this answer



























                  -1














                  Also take the following attack vector into consideration for web applications:



                  If the attacker can modify the frontend code, then with a small script the plaintext passwords could be "sniffed" for a while.



                  If the script can be injected from the backend, then it could be set to only show for visitors from certain countries to better protect against malicious frontend code change detection automations in place running in the same country where the application is being run from.






                  share|improve this answer

























                    -1












                    -1








                    -1







                    Also take the following attack vector into consideration for web applications:



                    If the attacker can modify the frontend code, then with a small script the plaintext passwords could be "sniffed" for a while.



                    If the script can be injected from the backend, then it could be set to only show for visitors from certain countries to better protect against malicious frontend code change detection automations in place running in the same country where the application is being run from.






                    share|improve this answer













                    Also take the following attack vector into consideration for web applications:



                    If the attacker can modify the frontend code, then with a small script the plaintext passwords could be "sniffed" for a while.



                    If the script can be injected from the backend, then it could be set to only show for visitors from certain countries to better protect against malicious frontend code change detection automations in place running in the same country where the application is being run from.







                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered Mar 17 at 10:55









                    SevronSevron

                    1356




                    1356





















                        -2














                        While storing passwords in hashed form is desirable, it can also pose some difficulties. If it is necessary for one entity to issue a request to another entity on behalf of a user, and the second entity requires submission of plaintext passwords for validation, the first entity will need to hold the user's password in a form that would be convertible to plaintext.



                        To allow for this, companies may store passwords in various kinds of hardware security modules which audit all attempts to retrieve passwords from them. This approach mitigates many of the dangers involved with plaintext password storage. It can't mitigate all of the dangers, but if an entity is supposed to have authority to access an outside entity on behalf of a user, and the outside entity won't accept anything other than the user's password as evidence of that authority, some of the dangers associated with plain-text passwords will be inescapable no matter what the first entity tries to do.






                        share|improve this answer



























                          -2














                          While storing passwords in hashed form is desirable, it can also pose some difficulties. If it is necessary for one entity to issue a request to another entity on behalf of a user, and the second entity requires submission of plaintext passwords for validation, the first entity will need to hold the user's password in a form that would be convertible to plaintext.



                          To allow for this, companies may store passwords in various kinds of hardware security modules which audit all attempts to retrieve passwords from them. This approach mitigates many of the dangers involved with plaintext password storage. It can't mitigate all of the dangers, but if an entity is supposed to have authority to access an outside entity on behalf of a user, and the outside entity won't accept anything other than the user's password as evidence of that authority, some of the dangers associated with plain-text passwords will be inescapable no matter what the first entity tries to do.






                          share|improve this answer

























                            -2












                            -2








                            -2







                            While storing passwords in hashed form is desirable, it can also pose some difficulties. If it is necessary for one entity to issue a request to another entity on behalf of a user, and the second entity requires submission of plaintext passwords for validation, the first entity will need to hold the user's password in a form that would be convertible to plaintext.



                            To allow for this, companies may store passwords in various kinds of hardware security modules which audit all attempts to retrieve passwords from them. This approach mitigates many of the dangers involved with plaintext password storage. It can't mitigate all of the dangers, but if an entity is supposed to have authority to access an outside entity on behalf of a user, and the outside entity won't accept anything other than the user's password as evidence of that authority, some of the dangers associated with plain-text passwords will be inescapable no matter what the first entity tries to do.






                            share|improve this answer













                            While storing passwords in hashed form is desirable, it can also pose some difficulties. If it is necessary for one entity to issue a request to another entity on behalf of a user, and the second entity requires submission of plaintext passwords for validation, the first entity will need to hold the user's password in a form that would be convertible to plaintext.



                            To allow for this, companies may store passwords in various kinds of hardware security modules which audit all attempts to retrieve passwords from them. This approach mitigates many of the dangers involved with plaintext password storage. It can't mitigate all of the dangers, but if an entity is supposed to have authority to access an outside entity on behalf of a user, and the outside entity won't accept anything other than the user's password as evidence of that authority, some of the dangers associated with plain-text passwords will be inescapable no matter what the first entity tries to do.







                            share|improve this answer












                            share|improve this answer



                            share|improve this answer










                            answered Mar 18 at 20:31









                            supercatsupercat

                            1,75079




                            1,75079



























                                draft saved

                                draft discarded
















































                                Thanks for contributing an answer to Information Security Stack Exchange!


                                • Please be sure to answer the question. Provide details and share your research!

                                But avoid


                                • Asking for help, clarification, or responding to other answers.

                                • Making statements based on opinion; back them up with references or personal experience.

                                To learn more, see our tips on writing great answers.




                                draft saved


                                draft discarded














                                StackExchange.ready(
                                function ()
                                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205519%2fhow-are-passwords-stolen-from-companies-if-they-only-store-hashes%23new-answer', 'question_page');

                                );

                                Post as a guest















                                Required, but never shown





















































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown

































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown







                                Popular posts from this blog

                                How should I support this large drywall patch? Planned maintenance scheduled April 23, 2019 at 00:00UTC (8:00pm US/Eastern) Announcing the arrival of Valued Associate #679: Cesar Manara Unicorn Meta Zoo #1: Why another podcast?How do I cover large gaps in drywall?How do I keep drywall around a patch from crumbling?Can I glue a second layer of drywall?How to patch long strip on drywall?Large drywall patch: how to avoid bulging seams?Drywall Mesh Patch vs. Bulge? To remove or not to remove?How to fix this drywall job?Prep drywall before backsplashWhat's the best way to fix this horrible drywall patch job?Drywall patching using 3M Patch Plus Primer

                                random experiment with two different functions on unit interval Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 23, 2019 at 00:00UTC (8:00pm US/Eastern)Random variable and probability space notionsRandom Walk with EdgesFinding functions where the increase over a random interval is Poisson distributedNumber of days until dayCan an observed event in fact be of zero probability?Unit random processmodels of coins and uniform distributionHow to get the number of successes given $n$ trials , probability $P$ and a random variable $X$Absorbing Markov chain in a computer. Is “almost every” turned into always convergence in computer executions?Stopped random walk is not uniformly integrable

                                Lowndes Grove History Architecture References Navigation menu32°48′6″N 79°57′58″W / 32.80167°N 79.96611°W / 32.80167; -79.9661132°48′6″N 79°57′58″W / 32.80167°N 79.96611°W / 32.80167; -79.9661178002500"National Register Information System"Historic houses of South Carolina"Lowndes Grove""+32° 48' 6.00", −79° 57' 58.00""Lowndes Grove, Charleston County (260 St. Margaret St., Charleston)""Lowndes Grove"The Charleston ExpositionIt Happened in South Carolina"Lowndes Grove (House), Saint Margaret Street & Sixth Avenue, Charleston, Charleston County, SC(Photographs)"Plantations of the Carolina Low Countrye