The old code used the PASSWORD function from MySQL. This function is now deprecated.
To make the tests pass and the code working again, I replaced everything with SHA256.
While this is better than nothing, it is still weak from a security perspective because of the following reasons:
- Every user that uses the same password will have the same hash. When an attacker can crack one of these passwords, they will know the password for all users with the same password.
- There are rainbow tables (lists of hashes and their value) available for weak passwords. An attacker can use these to crack at least the most common passwords.
- An attacker with enough GPU power can use an offline attack to brute-force password hashes. Even though SHA256 is a good hashing algorithm, it will still be quick enough to crack any password under 8 characters.
The solution that we need is:
- A better hashing algorithm that is slower to crack offline, for example bcrypt. Bcrypt will allow us to set the number of times the hashing algorithm is repeated. When better GPUs come out and cracking becomes easier, we just increase the number of times the hashing algorithm runs, to slow down an attacker doing brute-force.
- A unique salt per user, which will make sure that every hash is unique even if multiple users have the same password. It will also make sure that short passwords become long enough that they aren't part of a rainbow table.
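As an added illustration of the two points above (not code from this issue or the project), the following Python uses the standard library's PBKDF2-HMAC as a stand-in for bcrypt, since bcrypt needs a third-party package; the `algo$iterations$salt$hash` record format and the function names are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed record layout: the iteration count is stored with the hash so the
# work factor can be raised later without invalidating existing records.
ALGO = "pbkdf2_sha256"


def weak_sha256(password: str) -> str:
    """The unsalted scheme from the issue: equal passwords give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = 600_000,
                  salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. Returns 'algo$iterations$salt_hex$hash_hex'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def needs_rehash(stored: str, current_iterations: int) -> bool:
    """True when a record was made with a lower work factor than we now require,
    so it can be re-hashed at the user's next successful login."""
    return int(stored.split("$")[1]) < current_iterations


if __name__ == "__main__":
    # Constructed sample: two users with the same password.
    print(weak_sha256("hunter2") == weak_sha256("hunter2"))        # True: identical
    print(hash_password("hunter2") == hash_password("hunter2"))    # False: salted
```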