...it might sound reasonable, but it doesn't mean it's right 😉 The whole point of adding a salt is to prevent dictionary attacks by adding something unique to every hashed password. In other words, even if two people have the same password, the hashed value will be completely different because of the added salt. I would really encourage you to read the article I attached and/or do some Googling, it's all explained elsewhere far better than I could manage here.
Tim.
________________________________
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> on behalf of Rob Berendt <rob@xxxxxxxxx>
Sent: 18 March 2021 13:34
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: RE: How to validate passwords without storing them anywhere.
To me this sounds like a reasonable reply.
Rob Berendt
--
IBM Certified System Administrator - IBM i 6.1
Group Dekko
Dept 1600
Mail to: 7310 Innovation Blvd, Suite 104
Ft. Wayne, IN 46818
Ship to: 7310 Innovation Blvd, Dock 9C
Ft. Wayne, IN 46818
http://www.dekko.com
-----Original Message-----
From: MIDRANGE-L <midrange-l-bounces@xxxxxxxxxxxxxxxxxx> On Behalf Of Patrik Schindler
Sent: Thursday, March 18, 2021 9:28 AM
To: Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxxxxxxxx>
Subject: Re: How to validate passwords without storing them anywhere.
CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.
Hello Rob,
Am 18.03.2021 um 14:06 schrieb Rob Berendt <rob@xxxxxxxxx>:
But again, if you're using a known approved encryption, like bcrypt, and someone downloads the database, can't they just brute force it by hammering on bcrypt the same as brute force it by hammering on the sql function?
Yes, of course. Weak passwords from users stay weak passwords. Dictionary attacks are still possible: Trying out a large list of words and popular password strings (like the famous 12345) isn't hard.
Hashing instead of encryption prevents to recalculate the password from the string stored in the database, nothing more.
:wq! PoC
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at
https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related questions.
Help support midrange.com by shopping at amazon.com with our affiliate link:
https://amazon.midrange.com
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit:
https://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at
https://archive.midrange.com/midrange-l.
Please contact support@xxxxxxxxxxxxxxxxxxxx for any subscription related questions.
Help support midrange.com by shopping at amazon.com with our affiliate link:
https://amazon.midrange.com
midrange.com
