IT Security Stack Exchange
IT Security Stack Exchange

Questions tagged [hash]

A hash algorithm is a function which takes a variable size input and produces a fixed size output. The algorithm tries to make it difficult to predict the output for a given input, find two inputs with the same output, or reconstruct the input from the output.

2201 questions
926
votes
11 answers

How to securely hash passwords?

If I hash passwords before storing them in my database, is that sufficient to prevent them being recovered by anyone? I should point out that this relates only to retrieval directly from the database, and not any other type of attack, such as…
AviD
  • 72,138
  • 22
  • 136
  • 218
658
votes
4 answers

Do any security experts recommend bcrypt for password storage?

On the surface bcrypt, an 11 year old security algorithm designed for hashing passwords by Niels Provos and David Mazieres, which is based on the initialization function used in the NIST approved blowfish algorithm seems almost too good to be true.…
Sam Saffron
  • 6,665
  • 3
  • 14
  • 11
599
votes
7 answers

How to store salt?

If you expect to store user password securely, you need to do at least the following: $pwd=hash(hash($password) + salt) Then, you store $pwd in your system instead of the real password. I have seen some cases where $pwd contains the salt itself. I…
George
  • 6,177
  • 3
  • 14
  • 10
543
votes
11 answers

Is my developer's home-brew password security right or wrong, and why?

A developer, let's call him 'Dave', insists on using home-brew scripts for password security. See Dave's proposal below. His team spent months adopting an industry standard protocol using Bcrypt. The software and methods in that protocol are not…
nallenscott
  • 4,699
  • 3
  • 12
  • 8
265
votes
7 answers

Password Hashing: add salt + pepper or is salt enough?

Please Note: I'm aware that the proper method for secure password storage hashing is either scrypt or bcrypt. This question isn't for implementation in actual software, it's for my own understanding. Related How to apply a pepper correctly to…
Jacco
  • 7,402
  • 4
  • 32
  • 53
256
votes
8 answers

Why are salted hashes more secure for password storage?

I know there are many discussions on salted hashes, and I understand that the purpose is to make it impossible to build a rainbow table of all possible hashes (generally up to 7 characters). My understanding is that the random salted values are…
Tsyras
  • 2,631
  • 3
  • 11
  • 7
255
votes
12 answers

Why are hash functions one way? If I know the algorithm, why can't I calculate the input from it?

Why can't a password hash be reverse engineered? I've looked into this ages ago and have read lots on it, but I can't find the explanation of why it can't be done. An example will make it easier to understand my question and to keep things simple we…
Mucker
  • 2,667
  • 3
  • 13
  • 3
225
votes
4 answers

Recommended # of iterations when using PBKDF2-SHA256?

I'm curious if anyone has any advice or points of reference when it comes to determining how many iterations is 'good enough' when using PBKDF2 (specifically with SHA-256). Certainly, 'good enough' is subjective and hard to define, varies by…
Tails
  • 2,438
  • 3
  • 14
  • 10
190
votes
6 answers

Does Facebook store plain-text passwords?

I was about to reset my Facebook password and got this error: Your new password is too similar to your current password. Please try another password. I assumed that Facebook stores only password hashes, but if so, how can they measure passwords…
Michał Šrajer
  • 4,154
  • 4
  • 18
  • 21
178
votes
18 answers

What is a good analogy to explain to a layman why passwords should be hashed?

Note: This is not an actual situation I'm currently in. Assume your boss is one of those old-fashioned computer-illiterate managers and wants to store the passwords in plaintext to simplify development. You get 5 minutes to explain the point of…
Nzall
  • 7,313
  • 6
  • 29
  • 45
165
votes
3 answers

What are rainbow tables and how are they used?

Where can I find one? Is there a pot of gold at the end? How do I protect against them? From the Area51 proposal This question was IT Security Question of the Week. Read the Sep 09, 2011 blog entry for more details or submit your own Question of…
AviD
  • 72,138
  • 22
  • 136
  • 218
155
votes
12 answers

https security - should password be hashed server-side or client-side?

I am building a web application which requires users to login. All communication goes through https. I am using bcrypt to hash passwords. I am facing a dilemma - I used to think it is safer to make a password hash client-side (using JavaScript) and…
johndodo
  • 1,785
  • 2
  • 12
  • 9
106
votes
5 answers

Is sending password to user email secure?

How secure is sending passwords through email to a user, since email isn't secured by HTTPS. What is the best way to secure it? Should i use encryption?
user310291
  • 1,413
  • 2
  • 12
  • 13
104
votes
12 answers

Why is client-side hashing of a password so uncommon?

There are very few websites that hash the users password before submitting it to the server. Javascript doesn't even have support for SHA or other algorithms. But I can think of quite a few advantages, like protection against cross-site leaks or…
Maestro
  • 1,153
  • 2
  • 8
  • 8
104
votes
7 answers

Is MD5 considered insecure?

After all these articles circulating online about md5 exploits, I am considering switching to another hash algorithm. As far as I know it's always been the algorithm of choice among numerous DBAs. Is it that much of a benefit to use MD5 instead of…
Tawfik Khalifeh
  • 2,532
  • 6
  • 22
  • 27
1
2 3
99 100