Question

I've read a fair few questions on password salting and mostly they cover the stuff that (I think) I already understand. That is, the point of including a random salt in your password hashes is firstly to prevent two hashes being the same even when the password is the same, and secondly to thwart rainbow table attacks that match hashes against a precompiled list (because none of the precompiled hashes used the salts you have used, so a new rainbow table would need to be generated for each salt/hash). Feel free to correct me if I've misunderstood any of that.

Now my question: if an attacker has access to your hashes (the scenario we're protecting against), then that means they're accessing your database. That being the case, surely it doesn't matter what the hash is; they can just replace it with whatever they want?


Solution

Read access to a database does not imply write access to the database.

So yes, if an attacker can update the password hash to a known hashed password + salt, then the attacker can gain access to a specific account. But dumps of password hashes can come from places other than direct database access.
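The distinction the answer draws (read access to hashes versus write access to them) is easy to see in code. The following is an added example, not code from the original question or answers: it implements salted PBKDF2-HMAC-SHA256 records with the standard library, models a leaked dump as a read-only mapping, and then plays out both attacker positions against the same user table. The user table, the usernames, the passwords and the `demo()` walk-through are all constructed for illustration; the iteration count is an assumed value, and a real deployment would more likely use Argon2id or scrypt via a dedicated library.

```python
import hashlib
import hmac
import secrets
from types import MappingProxyType
from typing import Optional

# Assumed parameters for this example: a 16-byte random salt per record and
# 600_000 PBKDF2 iterations. Both are illustrative, not a project's settings.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex.

    A fresh random salt is drawn when none is supplied, so hashing the same
    password twice yields two different records.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def read_only_view(users: dict) -> MappingProxyType:
    """Model a dump or a read-only DB account: every record is visible, none is writable."""
    return MappingProxyType(users)


def attacker_overwrites_hash(users: dict, username: str, chosen_password: str) -> None:
    """Write access: replace the victim's record with one for a password the attacker knows."""
    users[username] = hash_password(chosen_password)


def demo() -> dict:
    """Play out the scenarios from the answer; returns a dict of booleans for checking."""
    # Constructed sample data for the example.
    users = {"alice": hash_password("correct horse battery staple")}
    results = {}

    # Random salt: the same password hashed again gives a different record.
    results["same_password_different_records"] = (
        hash_password("correct horse battery staple") != users["alice"])

    # Ordinary login behaviour.
    results["legit_login"] = verify_password(users["alice"], "correct horse battery staple")
    results["wrong_password_rejected"] = not verify_password(users["alice"], "hunter2")

    # Attacker holding only a dump (read access): can see the record but not change it,
    # and a password they chose does not verify against it. Their only route is
    # guessing offline, salt by salt.
    dump = read_only_view(users)
    try:
        dump["alice"] = hash_password("attacker-chosen")
        results["read_only_write_blocked"] = False
    except TypeError:
        results["read_only_write_blocked"] = True
    results["dump_still_needs_guessing"] = not verify_password(dump["alice"], "attacker-chosen")

    # Attacker with write access: swap in a record for a password they already know
    # and log in as the victim without ever recovering the original password.
    attacker_overwrites_hash(users, "alice", "attacker-chosen")
    results["write_access_login_as_victim"] = verify_password(users["alice"], "attacker-chosen")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The `MappingProxyType` stands in for the access boundary: a dump taken from a backup, a log, or a read-only replica gives the attacker the left-hand side of the picture only, and the salt forces per-record guessing rather than a table lookup. Once the attacker can write to the table, the strength of the hash no longer matters for that account, which is exactly the point the answer makes.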

Other tips

It all depends on the account's permissions. If a read-only account was hacked, they can only read, but if a higher account got hacked, well, the attacker has higher permissions the farther up the ladder it goes.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow