Timeline for A question about storing passwords
Current License: CC BY-SA 3.0
13 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Jun 16, 2020 at 10:01 | history edited | CommunityBot | | Commonmark migration |
| Sep 17, 2013 at 14:32 | comment added | recursion.ninja | | I think you are misunderstanding how to encrypt the file. You never ever store the password, the password's hash, or the symmetric key anywhere. They are all derived at runtime. If you do not store the hash in the database, the hash is not vulnerable to attack. There is no need to store the hash in the database, so don't store it! |
| Sep 15, 2013 at 16:18 | answer added | John R. Strohm | | timeline score: 1 |
| Sep 15, 2013 at 14:38 | comment added | user40980 | | If the first part of the question is answered, please ask a new question with the new information. There are now two questions in this question: "is it possible for an attacker to modify the hash inside the file to some common hash like the hash of the text 'password' so that the password becomes 'password'?" and "how do programs like zip, 7z, rar etc. store passwords inside an archive file?" These should be separate questions. |
| Sep 15, 2013 at 13:30 | history edited | Ranbir Kaif | CC BY-SA 3.0 | added 1085 characters in body |
| Sep 14, 2013 at 22:38 | answer added | gbjbaanb | | timeline score: 1 |
| Sep 14, 2013 at 16:03 | answer added | recursion.ninja | | timeline score: 6 |
| Sep 14, 2013 at 14:38 | comment added | user7043 | | Ranbir Kaif, could you elaborate on the scenario? Who is involved, what might they do, and which of these actions do you want to prevent? Try applying concepts such as confidentiality and data integrity. It sounds like the attacker has access to the .dat file, so just prepending a hash to the plain text won't help. Even if your code reliably refuses to handle .dat files without the right password, any attacker can just modify the contents (including a password hash and salt) directly. |
| Sep 14, 2013 at 14:28 | comment added | user7043 | | @thorstenmüller Huh? Salting is useful even if the attacker knows it, because it multiplies the attacker's work by the number of distinct salts (and they should be distinct). Moreover, since you need to store the salt to verify the password, you usually can't avoid the attacker learning the salt once they learn the hash (if you had a more secure location where you stored the salt, you would have just stored the hash there to begin with). |
| Sep 14, 2013 at 11:04 | comment added | thorsten müller | | That's one reason why you add a salt to your password before hashing. Helps only as long as the attacker can't find out the salt string, of course. |
| Sep 14, 2013 at 10:58 | comment added | Nemanja Boric | | "If a program stores hashed password in the database file..." Yes, and this is how password reset functions work. |
| Sep 14, 2013 at 10:51 | review | First posts | | Sep 14, 2013 at 12:50 |
| Sep 14, 2013 at 10:33 | history asked | Ranbir Kaif | CC BY-SA 3.0 | |