I found Django uses the format <algorithm>$<iterations>$<salt>$<hash> to store the hashed password.

Assuming someone has access to the database.

From the above format one knows the salt, algorithm and iterations. So will it be difficult to find the password from either a brute force attack or rainbow tables?

Santhosh
  • No, if in this case the password is weak, it will be easy to figure it out using the algorithms you mention. But that's not the (main) point. The main point is that the brute force attack against one password doesn't work for the next password in your database. You have to brute-force them one by one. That gains you time to warn your users in case of a data breach. – dirkgroten Feb 04 '20 at 14:08
  • I think that's the main reason why they avoid having a common secret which is not accessible in the database. Only someone who has access to the source code can do it. – Santhosh Feb 04 '20 at 14:11
  • That's the idea of salting and multiple iterations: with salting you prevent the same passwords from being stored in the same way, and with iterations like 10.000 or more you make it really expensive to attempt to brute force. – Bernardo Duarte Feb 04 '20 at 14:12
  • OK, the same secret key means one can figure out that some passwords are the same. – Santhosh Feb 04 '20 at 14:13
  • By the way, a rainbow/lookup table is a table of pre-hashed passwords. Actually those tables don't work anymore when you salt your passwords, because they would need to include the salt in advance. So really, salting makes only a brute-force or dictionary attack possible and removes the option of using rainbow lookups (as long as you don't re-use the salt!!!!). It also makes each hash unique, so if many people use the same password (like "s3cr3t" or "p@ssw0rd") there's no recognisable pattern in your db. – dirkgroten Feb 04 '20 at 14:14
  • Dictionary is the same as brute-force, more or less. Just use the list of 10000 or 100000 most used passwords plus all the words in the English/French/whatever dictionary. Brute-force is assuming a length and cycling through all possible letter/number/character combinations. – dirkgroten Feb 04 '20 at 14:18
  • Regarding the "common secret", remember that **no one**, not even your own employees, should have easy access to any user's data without appropriate security measures. So hiding stuff in code still means that any of your developers has access to it. Most data breaches happen via your own employees (phishing, etc...), because they have access to sensitive data. – dirkgroten Feb 04 '20 at 14:28

1 Answer

So will it be difficult to find the password from either brute force attack or rainbow tables?

Short answer: No, if the password is weak, then it'll probably be quite easy to break it. A brute-force attack (trying all character combinations of various lengths) will work for short passwords, and a dictionary lookup will work for longer but common passwords and words.

But that's not the point of salting your hashes: The point is that if you don't re-use salts, an attacker would have to brute-force each password one by one. And using multiple iterations makes it more costly to brute-force them. So it's really a matter of gaining time to warn your users (and let them change their passwords) when you are breached.

Note that a rainbow table attack isn't possible with salts: A rainbow table is essentially a pre-hashed table of many, many possible passwords, which makes it very fast to find matches. So with a salt that won't work; again, an attacker would have to create the rainbow table for every salt in your database, which defeats the purpose of these tables.

TL;DR Your users should still use strong passwords, that are difficult/impossible to brute-force.

dirkgroten
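The effect of per-password salts on the stored `<algorithm>$<iterations>$<salt>$<hash>` string, as an added example that is not part of the original question or answer and is not Django's own code. It assumes PBKDF2-HMAC-SHA256 with a base64-encoded hash field and uses the 10,000 iterations mentioned in the comments; the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"  # assumed algorithm label for the first field


def encode(password: str, salt: str, iterations: int = 10_000) -> str:
    """Build '<algorithm>$<iterations>$<salt>$<hash>' for one password."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"{ALGORITHM}${iterations}${salt}${base64.b64encode(dk).decode()}"


def verify(password: str, encoded: str) -> bool:
    """Re-derive the hash using the salt and iterations stored in the record."""
    algorithm, iterations, salt, _stored = encoded.split("$", 3)
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    # Constant-time comparison so verification timing leaks nothing.
    return hmac.compare_digest(encode(password, salt, int(iterations)), encoded)


def new_salt() -> str:
    """Random per-password salt; hex output never contains the '$' separator."""
    return secrets.token_hex(8)


def distinct_hashes(rows: list[str]) -> int:
    """Count distinct hash fields, i.e. what a reader of the table can group."""
    return len({row.split("$", 3)[3] for row in rows})


def demo() -> tuple[int, int]:
    # Constructed sample: three users who all chose the same weak password.
    unique = [encode("p@ssw0rd", new_salt()) for _ in range(3)]
    reused = [encode("p@ssw0rd", "fixedsalt") for _ in range(3)]
    # Unique salts: every row must be worked on separately.
    # Reused salt: identical rows, so one computation covers all of them.
    return distinct_hashes(unique), distinct_hashes(reused)


if __name__ == "__main__":
    print(demo())
```
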