Posted to user@shiro.apache.org by drmike01 <ms...@gmail.com> on 2013/04/01 00:52:26 UTC

Re: Encrypted password in db, why does it tell the Hash and iterations in it

The password is stored as a one-way hash, so it's not really possible to
"decrypt" it. What the salt does is make it resistant to dictionary
attacks. That said, if someone picks the password "password" then one could
figure it out regardless.



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Encrypted-password-in-db-why-does-it-tell-the-Hash-and-iterations-in-it-tp7578510p7578550.html
Sent from the Shiro User mailing list archive at Nabble.com.

Re: Encrypted password in db, why does it tell the Hash and iterations in it

Posted by Les Hazlewood <lh...@apache.org>.
You can't inspect the hashed/salted/iterated output and figure out what the
raw password is, even if it is 'password'.  I think Mike was stating that
you could try to take the hashed output, put it in a program (that knows
how to hash things like Shiro), and start trying random values (like
'password').

But for this to happen, the attacker needs to 1) compromise your data store
and pull out all the hashed values, 2) know how to replicate the hashing
algorithm that Shiro uses, and 3) set up a test harness that allows them to
enter in random values.

This is all pretty difficult to do, but not impossible, and that's why the
iteration (or 'complexity factor') component of hashing exists.  Even if an
attacker were able to do all 3 of these things, it would take them an
exponentially long amount of time to brute force compared to if no
complexity factor existed.

HTH,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282


On Thu, Apr 18, 2013 at 9:21 AM, NabbleSometimesSucks <bigtrashcaninthesky@yahoo.com> wrote:

> drmike01. Sorry for so late in seeing this.
>
> Are you sure???
>
> That would be scary, considering that the hash and the iterations are
> supposed to make it impossible for a dictionary attack to easily figure
> out the password "password".
>
> If that is true, then there is no reason to even encrypt it at all. The
> difference between plain text and this encryption would then be just
> making it not readable to the naked eye.
>
> The whole purpose of Shiro's encryption here with SHA-128 or SHA-256 is
> that
> dictionary attacks would take a really long time, and that even if they
> figured one password out, that same "key" won't work on other accounts.
>
> Thanks
>
> Mark
>
>
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Encrypted-password-in-db-why-does-it-tell-the-Hash-and-iterations-in-it-tp7578510p7578619.html
> Sent from the Shiro User mailing list archive at Nabble.com.
>
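The attacker's harness that Les outlines in steps 2) and 3), and the per-account salting that drmike01 refers to, as an added example (not code from this thread and not Shiro's own code). It is a Python re-implementation of a salted, iterated digest: the salt and the password go through one digest, and the output is re-hashed (iterations - 1) more times, which is how I understand Shiro's SimpleHash to iterate; treat that byte layout as an assumption and check it against the Shiro version you deploy. The stored-record layout `$algo$iterations$salt$hash` is a simplified stand-in for Shiro's `$shiro1$...` format, chosen to make the point of the thread title visible: the algorithm, the iteration count and the salt are all stored in the clear. The word list and account data are constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional, Tuple

# Added example, not Shiro's code. Assumption: the salt is fed into the digest
# before the password and the result is re-hashed (iterations - 1) more times,
# which is how Shiro's SimpleHash iterates as far as I know; verify against
# the Shiro version you actually run.
def iterated_hash(password: bytes, salt: bytes, iterations: int, algo: str = "sha256") -> bytes:
    """Return digest(algo, salt || password), re-digested iterations-1 times."""
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    h = hashlib.new(algo)
    h.update(salt)
    h.update(password)
    digest = h.digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(algo, digest).digest()
    return digest


# Stored record: "$algo$iterations$salt_hex$digest_hex". This layout is a
# simplified stand-in (assumption) for Shiro's "$shiro1$..." format; what it
# shares with it is that algorithm, iteration count and salt are stored in
# the clear next to the digest. Only the digest is secret-derived.
def store(password: str, iterations: int = 500_000, algo: str = "sha256",
          salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = iterated_hash(password.encode("utf-8"), salt, iterations, algo)
    return f"${algo}${iterations}${salt.hex()}${digest.hex()}"


def parse(record: str) -> Tuple[str, int, bytes, bytes]:
    _, algo, iterations, salt_hex, digest_hex = record.split("$")
    return algo, int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify(record: str, candidate: str) -> bool:
    """Server-side login check: recompute with the stored parameters and
    compare in constant time."""
    algo, iterations, salt, digest = parse(record)
    computed = iterated_hash(candidate.encode("utf-8"), salt, iterations, algo)
    return hmac.compare_digest(computed, digest)


def dictionary_attack(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """Attacker-side harness: the algorithm is public and the salt and
    iteration count are in the stolen record, so every guess is just a
    recomputation. Nothing here reverses the digest; it only tests guesses."""
    algo, iterations, salt, digest = parse(record)
    for word in wordlist:
        if iterated_hash(word.encode("utf-8"), salt, iterations, algo) == digest:
            return word
    return None


if __name__ == "__main__":
    # Constructed demo data: two accounts that chose the same weak password.
    alice = store("password", iterations=20_000)
    bob = store("password", iterations=20_000)
    print("alice:", alice)
    print("bob:  ", bob)
    # Different salts: identical passwords give different records, so work
    # spent on alice's record (or a precomputed table) says nothing about bob's.
    print("same stored digest?", parse(alice)[3] == parse(bob)[3])

    wordlist = ["123456", "qwerty", "letmein", "password", "hunter2"]
    for iterations in (1, 20_000):
        record = store("password", iterations=iterations)
        t0 = time.perf_counter()
        found = dictionary_attack(record, wordlist)
        print(f"iterations={iterations:>6}: recovered {found!r} "
              f"in {time.perf_counter() - t0:.4f}s")
    # A weak password still falls; the iteration count sets the price per guess.
```

Reading the demo output side by side with the thread: storing the algorithm name and iteration count in the record gives the attacker nothing they could not get from Shiro's public source, and the server needs those values to recompute the digest at login, so hiding them would buy no security. The salt is what forces the attack to be run per account, and the iteration count multiplies the cost of every guess, which is why the 20,000-iteration run is visibly slower than the 1-iteration run for the same five-word list. Neither changes the fact that a guessable password such as "password" is found on the first pass over a short word list.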

Re: Encrypted password in db, why does it tell the Hash and iterations in it

Posted by NabbleSometimesSucks <bi...@yahoo.com>.
drmike01. Sorry for so late in seeing this.

Are you sure???

That would be scary, considering that the hash and the iterations are supposed
to make it impossible for a dictionary attack to easily figure out the
password "password".

If that is true, then there is no reason to even encrypt it at all. The
difference between plain text and this encryption would then be just
making it not readable to the naked eye.

The whole purpose of Shiro's encryption here with SHA-128 or SHA-256 is that
dictionary attacks would take a really long time, and that even if they
figured one password out, that same "key" won't work on other accounts.

Thanks

Mark



--
View this message in context: http://shiro-user.582556.n2.nabble.com/Encrypted-password-in-db-why-does-it-tell-the-Hash-and-iterations-in-it-tp7578510p7578619.html
Sent from the Shiro User mailing list archive at Nabble.com.