|
|
|
|
|
|
by joedaltonwallas
5700 days ago
|
|
|
Why people are so frightend of storing the salt & hash of the user password? May be I am mistaken but if the salt is unique for each hash it is almost imposible to recover the original password. Of course you must use a well proven encription library but it is trivial. Am I missing something? |
|
|
* For "moderately" strong passwords (say, ones which need 10,000 attempts to get), getting at your encrypted files means the difference between you being able to throttle-and-disable a serial guesser and having the password hacked (bonus points if that was the password your user uses on other sites with the same usernames.) * An attacker can go over the file to find "extremely" easy password for some user. * A determined attacker can test hundreds of millions of passwords for a specific user, and know when he succeeded, before you ever notice it. So unless your website has a "change password every year" policy, the attacker can breach even "moderately strong" passwords.
This is even before issues like "well proven encryption libraries" are still broken, and if the one you used is broken, your file is still out there.
This doesn't mean that it cannot be done, with enough care -- but it does mean that if you avoid doing it, it's a big relief, and a big potential crisis averted.