How are passwords stolen from companies if they only store hashes?Why do some large companies still store passwords in plain text/decrypt-able format?I've heard that salt is not meant to be secret, but what if I made it secret?Email hacking mythHow to store passwords securely in my server?How secure are “pattern” passwords?Are bad passwords used to breach security in real life?What are the security implications of storing multiple hashes for similar passwords?How safe is it to store your passwords in web browsers?What are the security risks of logging the hash of rejected passwords?Trouble understanding how passwords are authenticated
Why do newer 737s use two different styles of split winglets?
Knife as defense against stray dogs
Adventure Game (text based) in C++
Why does a Star of David appear at a rally with Francisco Franco?
As a new Ubuntu desktop 18.04 LTS user, do I need to use ufw for a firewall or is iptables sufficient?
Professor being mistaken for a grad student
Book: Young man exiled to a penal colony, helps to lead revolution
What is "focus distance lower/upper" and how is it different from depth of field?
Simplify an interface for flexibly applying rules to periods of time
How to make healing in an exploration game interesting
What did “the good wine” (τὸν καλὸν οἶνον) mean in John 2:10?
World War I as a war of liberals against authoritarians?
Violin - Can double stops be played when the strings are not next to each other?
How are passwords stolen from companies if they only store hashes?
How difficult is it to simply disable/disengage the MCAS on Boeing 737 Max 8 & 9 Aircraft?
About the actual radiative impact of greenhouse gas emission over time
Is there a symmetric-key algorithm which we can use for creating a signature?
How can we have a quark condensate without a quark potential?
Why does overlay work only on the first tcolorbox?
Do the common programs (for example: "ls", "cat") in Linux and BSD come from the same source code?
Is a party consisting of only a bard, a cleric, and a warlock functional long-term?
Recruiter wants very extensive technical details about all of my previous work
Time travel from stationary position?
Describing a chess game in a novel
How are passwords stolen from companies if they only store hashes?
Why do some large companies still store passwords in plain text/decrypt-able format?I've heard that salt is not meant to be secret, but what if I made it secret?Email hacking mythHow to store passwords securely in my server?How secure are “pattern” passwords?Are bad passwords used to breach security in real life?What are the security implications of storing multiple hashes for similar passwords?How safe is it to store your passwords in web browsers?What are the security risks of logging the hash of rejected passwords?Trouble understanding how passwords are authenticated
Everywhere I look it says servers store passwords in hashed form, but then you have those breaking news about hackers stealing passwords from large companies. What am I missing?
passwords
New contributor
add a comment |
Everywhere I look it says servers store passwords in hashed form, but then you have those breaking news about hackers stealing passwords from large companies. What am I missing?
passwords
New contributor
3
Have you ever heard of password cracking?
– kelalaka
8 hours ago
1
Passwords could be stolen also by eavesdropping them on the points they pass unencrypted. And at least on a point they are unencrypted, namely on the keyboard of the user.
– peterh
7 hours ago
4
"Everywhere I look it says servers store passwords in hashed form" No, it says servers should store passwords in hashed form!!
– Lightness Races in Orbit
3 hours ago
add a comment |
Everywhere I look it says servers store passwords in hashed form, but then you have those breaking news about hackers stealing passwords from large companies. What am I missing?
passwords
New contributor
Everywhere I look it says servers store passwords in hashed form, but then you have those breaking news about hackers stealing passwords from large companies. What am I missing?
passwords
passwords
New contributor
New contributor
New contributor
asked 9 hours ago
W2aW2a
361
361
New contributor
New contributor
3
Have you ever heard of password cracking?
– kelalaka
8 hours ago
1
Passwords could be stolen also by eavesdropping them on the points they pass unencrypted. And at least on a point they are unencrypted, namely on the keyboard of the user.
– peterh
7 hours ago
4
"Everywhere I look it says servers store passwords in hashed form" No, it says servers should store passwords in hashed form!!
– Lightness Races in Orbit
3 hours ago
add a comment |
3
Have you ever heard of password cracking?
– kelalaka
8 hours ago
1
Passwords could be stolen also by eavesdropping them on the points they pass unencrypted. And at least on a point they are unencrypted, namely on the keyboard of the user.
– peterh
7 hours ago
4
"Everywhere I look it says servers store passwords in hashed form" No, it says servers should store passwords in hashed form!!
– Lightness Races in Orbit
3 hours ago
3
3
Have you ever heard of password cracking?
– kelalaka
8 hours ago
Have you ever heard of password cracking?
– kelalaka
8 hours ago
1
1
Passwords could be stolen also by eavesdropping them on the points they pass unencrypted. And at least on a point they are unencrypted, namely on the keyboard of the user.
– peterh
7 hours ago
Passwords could be stolen also by eavesdropping them on the points they pass unencrypted. And at least on a point they are unencrypted, namely on the keyboard of the user.
– peterh
7 hours ago
4
4
"Everywhere I look it says servers store passwords in hashed form" No, it says servers should store passwords in hashed form!!
– Lightness Races in Orbit
3 hours ago
"Everywhere I look it says servers store passwords in hashed form" No, it says servers should store passwords in hashed form!!
– Lightness Races in Orbit
3 hours ago
add a comment |
4 Answers
4
active
oldest
votes
When you hear that passwords got stolen, sometimes companys will report it even if it's just that hashed passwords that were stolen. This is so you can take action in the case that they are broken. Unfortunately there are still companys that store there passwords incorrectly for example if you search for the rockyou password breach you'll find that they were storing there passwords in clear text which ment that they were compromised as soon as they were stolen. Other cases such as Adobe password breach there was miss handling of storing the encrypted passwords in there database. Other times companys use hashing on there passwords but use insecure hashing algorithms or they don't salt there passwords properly. In short if a company follows recommended password storage methods the passwords in theory should be safe in there hashed form but a good company will still inform there customers of the breach. However, there are plenty of examples where companys do not store passwords correctly leading them to be cracked quite quickly.
2
The plural of "company" is "companies", not "company's".
– Roddy of the Frozen Peas
1 hour ago
add a comment |
There are two common failings, over an above letting the databases or files get stolen in the first place.
Unfortunately, and against all security recommendations, many systems still store clear text passwords.
Hashed passwords are technically not reversible, but as has been pointed out by others, it's possible to hash millions of password guesses then simply look for matches. In fact, what usually happens is that tables of precomputed passwords and hashes (Rainbow Tables) are available and used to look for matches. A good rainbow table can support a high percentage match in fractions of a second per password hash.
Using a salt (an extra non-secret extension of the password) in the hash prevents the use of pre-computed rainbow tables.
Most compromisers depend upon rainbow tables. Computing their own hash set is certainly possible, but it's extremely time consuming (as in months or longer), so it's generally the vanilla hash that's vulnerable.
Using a salt stops rainbow tables, and a high round count of hashed hashes of hashes can make brute force transition from months to years or longer. Most institutions simply don't implement this level of security.
add a comment |
You hash a large number of passwords, then check if the output matches any of the stored hashes. Brute force cracking is feasible because people do not usually choose highly unpredictable passwords.
When a password database is stolen, the stolen material includes all the information necessary to do offline cracking. (It's simply a guess and check process. Other methods may be available with less secure hashing or password storage methods.)
Hashing passwords with a preimage resistant functions with a sufficiently unpredictable input is enough to make it impossible recover a password. (An inhumanly strong password.)
However, most people don't do this in the real world, a stolen database of hashes is potentially as worrying as a list of unhashed passwords for a large subset of users on a typical website.
If the password cracker finds candidate password whose hash matches the one stored in the database, then he will have recovered the original (weak) password.
Alternatively, if a hash function is not preimage resistant (including when the output of the hash is too short) a guess-and-check procedure may produce false positives. (Alternative passwords not identical to the original.)
The accounts of users from the company with the data breach are still vulnerable because these passwords will unlock a user's account, even if they aren't identical to the original password. (The server has no way to tell if it's the original password. The hash still matches the one in the stolen database in this case.)
Don't intentionally use an insecure hash function, of course... It's still possible to infer the original password or narrow down the number of possibilities. Which would still make users that reuse passwords on other websites extra vulnerable.
add a comment |
Servers don't store passwords in hashed format, this is something that is implemented by us.
As we are not discussing how the passwords have been stolen, and more so the aftermath, I'll avoid the many number of factors said companies should implement to help prevent these data breaches.
If you make a website and manage the database, it's down to us to store that information efficiently. If we don't, when there is a data breach attackers can view passwords in what may as well be plain text, as often is the case (depending on the way in which these are stored).
In short, you'd never want this to happen! -- Password cracking is a very common and real thing, just because passwords are hashed does not make them in anyway secure.
Let's say a company has 1000 customer passwords, all of which are hashed.
Let's say 600 of those customers had a password, 8 characters long, the likelihood of those passwords being cracked within the first 5 minutes (being generous) is very high.
"5 minutes?! But they were hashed!"....
Yeah, but the passwords of those 600 customers were still poor, along with an equally poor hashing algorithm.
Without going into too much detail in the interest of simplifying the explanation; password cracking works by simply matching the hash to a dictionary file of words, running through each word to see if their hash matches the ones that have been obtained from those 600 customers, for example, your password might be:
Password: Security
MD5 Hashed: 2FAE32629D4EF4FC6341F1751B405E45
I then just run some favorable hacking tools against those hashes to "crack" them.
Should you ever want to store passwords yourself, MD5 should be avoided, above was purely for example purposes. Instead research the more stronger types of hashing algorithms, it makes it much harder for attackers to successfully make use of the passwords they have stolen.
Edit
After re-reading the title you do indeed specify "How are passwords stolen if they only store hashes"
The short answer; hashing, or whatever format you store your passwords has no effect on the ability for hackers to steal these. They are stolen because of a variety of different vulnerabilities. There are a multitude of attacks in which help obtain passwords (hashed or not).
New contributor
1
What do you mean that "servers don't do that", and who is "us" (relevant because the layer of the stack is involved)?
– chrylis
1 hour ago
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
W2a is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205519%2fhow-are-passwords-stolen-from-companies-if-they-only-store-hashes%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
When you hear that passwords got stolen, sometimes companys will report it even if it's just that hashed passwords that were stolen. This is so you can take action in the case that they are broken. Unfortunately there are still companys that store there passwords incorrectly for example if you search for the rockyou password breach you'll find that they were storing there passwords in clear text which ment that they were compromised as soon as they were stolen. Other cases such as Adobe password breach there was miss handling of storing the encrypted passwords in there database. Other times companys use hashing on there passwords but use insecure hashing algorithms or they don't salt there passwords properly. In short if a company follows recommended password storage methods the passwords in theory should be safe in there hashed form but a good company will still inform there customers of the breach. However, there are plenty of examples where companys do not store passwords correctly leading them to be cracked quite quickly.
2
The plural of "company" is "companies", not "company's".
– Roddy of the Frozen Peas
1 hour ago
add a comment |
When you hear that passwords got stolen, sometimes companys will report it even if it's just that hashed passwords that were stolen. This is so you can take action in the case that they are broken. Unfortunately there are still companys that store there passwords incorrectly for example if you search for the rockyou password breach you'll find that they were storing there passwords in clear text which ment that they were compromised as soon as they were stolen. Other cases such as Adobe password breach there was miss handling of storing the encrypted passwords in there database. Other times companys use hashing on there passwords but use insecure hashing algorithms or they don't salt there passwords properly. In short if a company follows recommended password storage methods the passwords in theory should be safe in there hashed form but a good company will still inform there customers of the breach. However, there are plenty of examples where companys do not store passwords correctly leading them to be cracked quite quickly.
2
The plural of "company" is "companies", not "company's".
– Roddy of the Frozen Peas
1 hour ago
add a comment |
When you hear that passwords got stolen, sometimes companys will report it even if it's just that hashed passwords that were stolen. This is so you can take action in the case that they are broken. Unfortunately there are still companys that store there passwords incorrectly for example if you search for the rockyou password breach you'll find that they were storing there passwords in clear text which ment that they were compromised as soon as they were stolen. Other cases such as Adobe password breach there was miss handling of storing the encrypted passwords in there database. Other times companys use hashing on there passwords but use insecure hashing algorithms or they don't salt there passwords properly. In short if a company follows recommended password storage methods the passwords in theory should be safe in there hashed form but a good company will still inform there customers of the breach. However, there are plenty of examples where companys do not store passwords correctly leading them to be cracked quite quickly.
When you hear that passwords got stolen, sometimes companys will report it even if it's just that hashed passwords that were stolen. This is so you can take action in the case that they are broken. Unfortunately there are still companys that store there passwords incorrectly for example if you search for the rockyou password breach you'll find that they were storing there passwords in clear text which ment that they were compromised as soon as they were stolen. Other cases such as Adobe password breach there was miss handling of storing the encrypted passwords in there database. Other times companys use hashing on there passwords but use insecure hashing algorithms or they don't salt there passwords properly. In short if a company follows recommended password storage methods the passwords in theory should be safe in there hashed form but a good company will still inform there customers of the breach. However, there are plenty of examples where companys do not store passwords correctly leading them to be cracked quite quickly.
edited 25 mins ago
answered 8 hours ago
Dam30nDam30n
712
712
2
The plural of "company" is "companies", not "company's".
– Roddy of the Frozen Peas
1 hour ago
add a comment |
2
The plural of "company" is "companies", not "company's".
– Roddy of the Frozen Peas
1 hour ago
2
2
The plural of "company" is "companies", not "company's".
– Roddy of the Frozen Peas
1 hour ago
The plural of "company" is "companies", not "company's".
– Roddy of the Frozen Peas
1 hour ago
add a comment |
There are two common failings, over an above letting the databases or files get stolen in the first place.
Unfortunately, and against all security recommendations, many systems still store clear text passwords.
Hashed passwords are technically not reversible, but as has been pointed out by others, it's possible to hash millions of password guesses then simply look for matches. In fact, what usually happens is that tables of precomputed passwords and hashes (Rainbow Tables) are available and used to look for matches. A good rainbow table can support a high percentage match in fractions of a second per password hash.
Using a salt (an extra non-secret extension of the password) in the hash prevents the use of pre-computed rainbow tables.
Most compromisers depend upon rainbow tables. Computing their own hash set is certainly possible, but it's extremely time consuming (as in months or longer), so it's generally the vanilla hash that's vulnerable.
Using a salt stops rainbow tables, and a high round count of hashed hashes of hashes can make brute force transition from months to years or longer. Most institutions simply don't implement this level of security.
add a comment |
There are two common failings, over an above letting the databases or files get stolen in the first place.
Unfortunately, and against all security recommendations, many systems still store clear text passwords.
Hashed passwords are technically not reversible, but as has been pointed out by others, it's possible to hash millions of password guesses then simply look for matches. In fact, what usually happens is that tables of precomputed passwords and hashes (Rainbow Tables) are available and used to look for matches. A good rainbow table can support a high percentage match in fractions of a second per password hash.
Using a salt (an extra non-secret extension of the password) in the hash prevents the use of pre-computed rainbow tables.
Most compromisers depend upon rainbow tables. Computing their own hash set is certainly possible, but it's extremely time consuming (as in months or longer), so it's generally the vanilla hash that's vulnerable.
Using a salt stops rainbow tables, and a high round count of hashed hashes of hashes can make brute force transition from months to years or longer. Most institutions simply don't implement this level of security.
add a comment |
There are two common failings, over an above letting the databases or files get stolen in the first place.
Unfortunately, and against all security recommendations, many systems still store clear text passwords.
Hashed passwords are technically not reversible, but as has been pointed out by others, it's possible to hash millions of password guesses then simply look for matches. In fact, what usually happens is that tables of precomputed passwords and hashes (Rainbow Tables) are available and used to look for matches. A good rainbow table can support a high percentage match in fractions of a second per password hash.
Using a salt (an extra non-secret extension of the password) in the hash prevents the use of pre-computed rainbow tables.
Most compromisers depend upon rainbow tables. Computing their own hash set is certainly possible, but it's extremely time consuming (as in months or longer), so it's generally the vanilla hash that's vulnerable.
Using a salt stops rainbow tables, and a high round count of hashed hashes of hashes can make brute force transition from months to years or longer. Most institutions simply don't implement this level of security.
There are two common failings, over an above letting the databases or files get stolen in the first place.
Unfortunately, and against all security recommendations, many systems still store clear text passwords.
Hashed passwords are technically not reversible, but as has been pointed out by others, it's possible to hash millions of password guesses then simply look for matches. In fact, what usually happens is that tables of precomputed passwords and hashes (Rainbow Tables) are available and used to look for matches. A good rainbow table can support a high percentage match in fractions of a second per password hash.
Using a salt (an extra non-secret extension of the password) in the hash prevents the use of pre-computed rainbow tables.
Most compromisers depend upon rainbow tables. Computing their own hash set is certainly possible, but it's extremely time consuming (as in months or longer), so it's generally the vanilla hash that's vulnerable.
Using a salt stops rainbow tables, and a high round count of hashed hashes of hashes can make brute force transition from months to years or longer. Most institutions simply don't implement this level of security.
answered 5 hours ago
user10216038user10216038
75717
75717
add a comment |
add a comment |
You hash a large number of passwords, then check if the output matches any of the stored hashes. Brute force cracking is feasible because people do not usually choose highly unpredictable passwords.
When a password database is stolen, the stolen material includes all the information necessary to do offline cracking. (It's simply a guess and check process. Other methods may be available with less secure hashing or password storage methods.)
Hashing passwords with a preimage resistant functions with a sufficiently unpredictable input is enough to make it impossible recover a password. (An inhumanly strong password.)
However, most people don't do this in the real world, a stolen database of hashes is potentially as worrying as a list of unhashed passwords for a large subset of users on a typical website.
If the password cracker finds candidate password whose hash matches the one stored in the database, then he will have recovered the original (weak) password.
Alternatively, if a hash function is not preimage resistant (including when the output of the hash is too short) a guess-and-check procedure may produce false positives. (Alternative passwords not identical to the original.)
The accounts of users from the company with the data breach are still vulnerable because these passwords will unlock a user's account, even if they aren't identical to the original password. (The server has no way to tell if it's the original password. The hash still matches the one in the stolen database in this case.)
Don't intentionally use an insecure hash function, of course... It's still possible to infer the original password or narrow down the number of possibilities. Which would still make users that reuse passwords on other websites extra vulnerable.
add a comment |
You hash a large number of passwords, then check if the output matches any of the stored hashes. Brute force cracking is feasible because people do not usually choose highly unpredictable passwords.
When a password database is stolen, the stolen material includes all the information necessary to do offline cracking. (It's simply a guess and check process. Other methods may be available with less secure hashing or password storage methods.)
Hashing passwords with a preimage resistant functions with a sufficiently unpredictable input is enough to make it impossible recover a password. (An inhumanly strong password.)
However, most people don't do this in the real world, a stolen database of hashes is potentially as worrying as a list of unhashed passwords for a large subset of users on a typical website.
If the password cracker finds candidate password whose hash matches the one stored in the database, then he will have recovered the original (weak) password.
Alternatively, if a hash function is not preimage resistant (including when the output of the hash is too short) a guess-and-check procedure may produce false positives. (Alternative passwords not identical to the original.)
The accounts of users from the company with the data breach are still vulnerable because these passwords will unlock a user's account, even if they aren't identical to the original password. (The server has no way to tell if it's the original password. The hash still matches the one in the stolen database in this case.)
Don't intentionally use an insecure hash function, of course... It's still possible to infer the original password or narrow down the number of possibilities. Which would still make users that reuse passwords on other websites extra vulnerable.
add a comment |
You hash a large number of passwords, then check if the output matches any of the stored hashes. Brute force cracking is feasible because people do not usually choose highly unpredictable passwords.
When a password database is stolen, the stolen material includes all the information necessary to do offline cracking. (It's simply a guess and check process. Other methods may be available with less secure hashing or password storage methods.)
Hashing passwords with a preimage resistant functions with a sufficiently unpredictable input is enough to make it impossible recover a password. (An inhumanly strong password.)
However, most people don't do this in the real world, a stolen database of hashes is potentially as worrying as a list of unhashed passwords for a large subset of users on a typical website.
If the password cracker finds candidate password whose hash matches the one stored in the database, then he will have recovered the original (weak) password.
Alternatively, if a hash function is not preimage resistant (including when the output of the hash is too short) a guess-and-check procedure may produce false positives. (Alternative passwords not identical to the original.)
The accounts of users from the company with the data breach are still vulnerable because these passwords will unlock a user's account, even if they aren't identical to the original password. (The server has no way to tell if it's the original password. The hash still matches the one in the stolen database in this case.)
Don't intentionally use an insecure hash function, of course... It's still possible to infer the original password or narrow down the number of possibilities. Which would still make users that reuse passwords on other websites extra vulnerable.
You hash a large number of passwords, then check if the output matches any of the stored hashes. Brute force cracking is feasible because people do not usually choose highly unpredictable passwords.
When a password database is stolen, the stolen material includes all the information necessary to do offline cracking. (It's simply a guess and check process. Other methods may be available with less secure hashing or password storage methods.)
Hashing passwords with a preimage resistant functions with a sufficiently unpredictable input is enough to make it impossible recover a password. (An inhumanly strong password.)
However, most people don't do this in the real world, a stolen database of hashes is potentially as worrying as a list of unhashed passwords for a large subset of users on a typical website.
If the password cracker finds candidate password whose hash matches the one stored in the database, then he will have recovered the original (weak) password.
Alternatively, if a hash function is not preimage resistant (including when the output of the hash is too short) a guess-and-check procedure may produce false positives. (Alternative passwords not identical to the original.)
The accounts of users from the company with the data breach are still vulnerable because these passwords will unlock a user's account, even if they aren't identical to the original password. (The server has no way to tell if it's the original password. The hash still matches the one in the stolen database in this case.)
Don't intentionally use an insecure hash function, of course... It's still possible to infer the original password or narrow down the number of possibilities. Which would still make users that reuse passwords on other websites extra vulnerable.
edited 6 hours ago
answered 6 hours ago
Future SecurityFuture Security
779211
779211
add a comment |
add a comment |
Servers don't store passwords in hashed format, this is something that is implemented by us.
As we are not discussing how the passwords have been stolen, and more so the aftermath, I'll avoid the many number of factors said companies should implement to help prevent these data breaches.
If you make a website and manage the database, it's down to us to store that information efficiently. If we don't, when there is a data breach attackers can view passwords in what may as well be plain text, as often is the case (depending on the way in which these are stored).
In short, you'd never want this to happen! -- Password cracking is a very common and real thing, just because passwords are hashed does not make them in anyway secure.
Let's say a company has 1000 customer passwords, all of which are hashed.
Let's say 600 of those customers had a password, 8 characters long, the likelihood of those passwords being cracked within the first 5 minutes (being generous) is very high.
"5 minutes?! But they were hashed!"....
Yeah, but the passwords of those 600 customers were still poor, along with an equally poor hashing algorithm.
Without going into too much detail in the interest of simplifying the explanation; password cracking works by simply matching the hash to a dictionary file of words, running through each word to see if their hash matches the ones that have been obtained from those 600 customers, for example, your password might be:
Password: Security
MD5 Hashed: 2FAE32629D4EF4FC6341F1751B405E45
I then just run some favorable hacking tools against those hashes to "crack" them.
Should you ever want to store passwords yourself, MD5 should be avoided, above was purely for example purposes. Instead research the more stronger types of hashing algorithms, it makes it much harder for attackers to successfully make use of the passwords they have stolen.
Edit
After re-reading the title you do indeed specify "How are passwords stolen if they only store hashes"
The short answer; hashing, or whatever format you store your passwords has no effect on the ability for hackers to steal these. They are stolen because of a variety of different vulnerabilities. There are a multitude of attacks in which help obtain passwords (hashed or not).
New contributor
1
What do you mean that "servers don't do that", and who is "us" (relevant because the layer of the stack is involved)?
– chrylis
1 hour ago
add a comment |
Servers don't store passwords in hashed format, this is something that is implemented by us.
As we are not discussing how the passwords have been stolen, and more so the aftermath, I'll avoid the many number of factors said companies should implement to help prevent these data breaches.
If you make a website and manage the database, it's down to us to store that information efficiently. If we don't, when there is a data breach attackers can view passwords in what may as well be plain text, as often is the case (depending on the way in which these are stored).
In short, you'd never want this to happen! -- Password cracking is a very common and real thing, just because passwords are hashed does not make them in anyway secure.
Let's say a company has 1000 customer passwords, all of which are hashed.
Let's say 600 of those customers had a password, 8 characters long, the likelihood of those passwords being cracked within the first 5 minutes (being generous) is very high.
"5 minutes?! But they were hashed!"....
Yeah, but the passwords of those 600 customers were still poor, along with an equally poor hashing algorithm.
Without going into too much detail in the interest of simplifying the explanation; password cracking works by simply matching the hash to a dictionary file of words, running through each word to see if their hash matches the ones that have been obtained from those 600 customers, for example, your password might be:
Password: Security
MD5 Hashed: 2FAE32629D4EF4FC6341F1751B405E45
I then just run some favorable hacking tools against those hashes to "crack" them.
Should you ever want to store passwords yourself, MD5 should be avoided, above was purely for example purposes. Instead research the more stronger types of hashing algorithms, it makes it much harder for attackers to successfully make use of the passwords they have stolen.
Edit
After re-reading the title you do indeed specify "How are passwords stolen if they only store hashes"
The short answer; hashing, or whatever format you store your passwords has no effect on the ability for hackers to steal these. They are stolen because of a variety of different vulnerabilities. There are a multitude of attacks in which help obtain passwords (hashed or not).
New contributor
1
What do you mean that "servers don't do that", and who is "us" (relevant because the layer of the stack is involved)?
– chrylis
1 hour ago
add a comment |
Servers don't store passwords in hashed format, this is something that is implemented by us.
As we are not discussing how the passwords have been stolen, and more so the aftermath, I'll avoid the many number of factors said companies should implement to help prevent these data breaches.
If you make a website and manage the database, it's down to us to store that information efficiently. If we don't, when there is a data breach attackers can view passwords in what may as well be plain text, as often is the case (depending on the way in which these are stored).
In short, you'd never want this to happen! -- Password cracking is a very common and real thing, just because passwords are hashed does not make them in anyway secure.
Let's say a company has 1000 customer passwords, all of which are hashed.
Let's say 600 of those customers had a password, 8 characters long, the likelihood of those passwords being cracked within the first 5 minutes (being generous) is very high.
"5 minutes?! But they were hashed!"....
Yeah, but the passwords of those 600 customers were still poor, along with an equally poor hashing algorithm.
Without going into too much detail in the interest of simplifying the explanation; password cracking works by simply matching the hash to a dictionary file of words, running through each word to see if their hash matches the ones that have been obtained from those 600 customers, for example, your password might be:
Password: Security
MD5 Hashed: 2FAE32629D4EF4FC6341F1751B405E45
I then just run some favorable hacking tools against those hashes to "crack" them.
Should you ever want to store passwords yourself, MD5 should be avoided, above was purely for example purposes. Instead research the more stronger types of hashing algorithms, it makes it much harder for attackers to successfully make use of the passwords they have stolen.
Edit
After re-reading the title you do indeed specify "How are passwords stolen if they only store hashes"
The short answer; hashing, or whatever format you store your passwords has no effect on the ability for hackers to steal these. They are stolen because of a variety of different vulnerabilities. There are a multitude of attacks in which help obtain passwords (hashed or not).
New contributor
Servers don't store passwords in hashed format, this is something that is implemented by us.
As we are not discussing how the passwords have been stolen, and more so the aftermath, I'll avoid the many number of factors said companies should implement to help prevent these data breaches.
If you make a website and manage the database, it's down to us to store that information efficiently. If we don't, when there is a data breach attackers can view passwords in what may as well be plain text, as often is the case (depending on the way in which these are stored).
In short, you'd never want this to happen! -- Password cracking is a very common and real thing, just because passwords are hashed does not make them in anyway secure.
Let's say a company has 1000 customer passwords, all of which are hashed.
Let's say 600 of those customers had a password, 8 characters long, the likelihood of those passwords being cracked within the first 5 minutes (being generous) is very high.
"5 minutes?! But they were hashed!"....
Yeah, but the passwords of those 600 customers were still poor, along with an equally poor hashing algorithm.
Without going into too much detail in the interest of simplifying the explanation; password cracking works by simply matching the hash to a dictionary file of words, running through each word to see if their hash matches the ones that have been obtained from those 600 customers, for example, your password might be:
Password: Security
MD5 Hashed: 2FAE32629D4EF4FC6341F1751B405E45
I then just run some favorable hacking tools against those hashes to "crack" them.
Should you ever want to store passwords yourself, MD5 should be avoided, above was purely for example purposes. Instead research the more stronger types of hashing algorithms, it makes it much harder for attackers to successfully make use of the passwords they have stolen.
Edit
After re-reading the title you do indeed specify "How are passwords stolen if they only store hashes"
The short answer; hashing, or whatever format you store your passwords has no effect on the ability for hackers to steal these. They are stolen because of a variety of different vulnerabilities. There are a multitude of attacks in which help obtain passwords (hashed or not).
New contributor
edited 7 hours ago
New contributor
answered 7 hours ago
Tipping44Tipping44
742
742
New contributor
New contributor
1
What do you mean that "servers don't do that", and who is "us" (relevant because the layer of the stack is involved)?
– chrylis
1 hour ago
add a comment |
1
What do you mean that "servers don't do that", and who is "us" (relevant because the layer of the stack is involved)?
– chrylis
1 hour ago
1
1
What do you mean that "servers don't do that", and who is "us" (relevant because the layer of the stack is involved)?
– chrylis
1 hour ago
What do you mean that "servers don't do that", and who is "us" (relevant because the layer of the stack is involved)?
– chrylis
1 hour ago
add a comment |
W2a is a new contributor. Be nice, and check out our Code of Conduct.
W2a is a new contributor. Be nice, and check out our Code of Conduct.
W2a is a new contributor. Be nice, and check out our Code of Conduct.
W2a is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205519%2fhow-are-passwords-stolen-from-companies-if-they-only-store-hashes%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
3
Have you ever heard of password cracking?
– kelalaka
8 hours ago
1
Passwords could be stolen also by eavesdropping them on the points they pass unencrypted. And at least on a point they are unencrypted, namely on the keyboard of the user.
– peterh
7 hours ago
4
"Everywhere I look it says servers store passwords in hashed form" No, it says servers should store passwords in hashed form!!
– Lightness Races in Orbit
3 hours ago