Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Weak password hashing algorithm #47

Open
Markkaz opened this issue Jul 13, 2021 · 0 comments
Open

Weak password hashing algorithm #47

Markkaz opened this issue Jul 13, 2021 · 0 comments
Assignees

Comments

@Markkaz
Copy link
Owner

Markkaz commented Jul 13, 2021

The old code used the PASSWORD function from MySQL. This function is now deprecated.
To make the tests pass and the code working again, I replaced everything with SHA256.
While this is better than nothing, it is still weak from security perspective because of the following reasons:

  1. Every user that uses the same password will have the same hash. When an attacker can crack one of these passwords, they will know the password for all users with the same password
  2. There are rainbow tables (lists of hashes and their value) available for weak passwords. An attacker can use these to crack at least the most common passwords
  3. An attacker with enough GPU power can use an offline attack to bruteforce password hashes. Eventhough SHA256 is a good hashing algorithm, it will still be quick enough to crack any password under 8 characters.

The solution that we need is:

  1. A better hashing algorithm that is slower to crack offline. For example bcrypt. Bcrypt will allow us to set an amount of time the hashing algorithm is repeated. When better GPUs come out and cracking becomes easier, we just increase the amount of times the hashing algorithm runs, to slow down an attacker doing bruteforce.
  2. A unique salt per user. Which will make sure that every hash will be unique even if multiple users have the same password. And it will also make sure that small passwords will be long enough to make sure they aren't part of rainbow table.
@Markkaz Markkaz self-assigned this Jul 13, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant