3

In this report on the recent ParkMobile breach, the article has this comment from the company:

“You are correct that bcrypt hashed and salted passwords were obtained,” Perkins said when asked about the screenshot in the database sales thread. “Note, we do not keep the salt values in our system,” he said.

If the salts are not "in the system", how could a system match a user-entered password to their salted hashes?

schroeder
  • 123,438
  • 55
  • 284
  • 319
Joshua Frank
  • 207
  • 1
  • 6
  • 2
    This is better to be asked in information security. Delete this before asking there. Simple reasons 1) derived from users information 2) They don't use. – kelalaka Apr 30 '21 at 11:59
  • Or 3) they keep the salts off-device (and retrieve them only when needed) – poncho Apr 30 '21 at 13:24
  • @kelalaka: If (1), does it just rely on the attacker knowing what derivation is being used. (2) doesn't seem likely, since they quote specifically says "salted passwords" – Joshua Frank Apr 30 '21 at 14:43
  • @poncho: You'd need the salt for every login, so how could you keep them off-device? – Joshua Frank Apr 30 '21 at 14:44
  • 1
    I noticed in the comments following the article that there seems to be a rollicking discussion about this. One of the commenters by the name of 'Rob', pretty much sums it up, by saying, `“it stores the output of a fairly robust one-way password hashing algorithm called bcrypt”; “Note, we do not keep the salt values in our system”; Pick one. The bcrypt hash includes the salt.` – mti2935 Apr 30 '21 at 14:51
  • @mti2935: how can the hash include the salt? If you could reconstruct the salt from the hash, then wouldn't that defeat the purpose of salting? – Joshua Frank Apr 30 '21 at 14:54
  • What he means is that normally the hash + salt is stored in the account database. See https://security.stackexchange.com/questions/17421/how-to-store-salt – mti2935 Apr 30 '21 at 15:02
  • @mti2935:But does he mean that the ParkMobile guy is lying, or else that their passwords aren't really salted? – Joshua Frank Apr 30 '21 at 15:11
  • My guess is as good as yours. It's hard to reconcile that they use bcrypt to salt+hash passwords, without storing the salt. It's possible that both statements could be true if they cooked up some kind of 'roll your own' solution - e.g. the salt is the hash of the license plate number + some hardcoded pepper, This would create a unique salt for each user, and the salt would not be included in the account table. But, it's weird, it's untested, and it violates the first law of cryptography, 'don't roll your own crypto'. – mti2935 Apr 30 '21 at 15:37
  • The riddle is in the word 'system' – elsadek Apr 30 '21 at 18:03
  • @Joshua Frank - My guess would be that the *ParkMobile Guy* doesn't actually know and is just a media interface. – user10216038 Apr 30 '21 at 22:46

1 Answers1

9

In this report on the recent ParkMobile breach, the article has this comment from the company: “You are correct that bcrypt hashed and salted passwords were obtained... Note, we do not keep the salt values in our system...”

The article states that "spokesman" Jeff Perkins made this comment.

Per ParkMobile's website, Mr. Perkins's title is "Chief Marketing and Product Officer."

With all due respect to the marketing folks, Mr. Perkin's may not be completely up to speed on all the technical details of ParkMobile's password hashing, and may not be speaking with perfect precision. Therefore, one answer to your question might simply be that his statement is not technically correct.

If the salts are not "in the system", how could a system match a user-entered password to their salted hashes?

This is a reasonable question to ask, since typically one stores the salts along with the hashes for bcrypt. That is, typically, the format of the stored bcrypt output is:

$2b$[cost]$[22 character salt][31 character hash]

Therefore, typically, the salt would be stored in the same database as the hash.

Without seeing the actual data from the data breach it is hard to say for sure what is going on here.

One answer is just that Mr. Perkins is wrong. However, there are certainly other possibilities, such as:

  • By "salt" he actually means "pepper."
  • They separate the bcrypt outputs (for example at the "$" characters) and actually do store the hash in a different database than the salt. In this case they still need to store the salt, and maybe the "system" in the quote is the hash database rather than the salt database. Note that this possibility is complete speculation (and atypical bcrypt usage).
hft
  • 4,910
  • 17
  • 32