1

I am referencing this answer: https://stackoverflow.com/a/4766811/1114105

We re-hash the password, but then we don't really do anything with the hash (we use the POST-submitted plaintext password in the CheckPassword function to authenticate). Can't a hacker bypass the re-hashing part?

Here's my pseudocode underneath.

if a password/username is submitted by POST and $row['password'] is the hashed pword in sql.

$t_hasher = new PasswordHash(13, FALSE);
$hash = $t_hasher->HashPassword($_POST['password']);
$check = $t_hasher->CheckPassword($_POST['password'], $row['password']);
if($check) Great success else Wrong credentials`

Note: I found that the work factor does not make a difference in the time it takes CheckPassword to run. It only increases the time for HashPassword.

Community
  • 1
  • 1
user1114
  • 1,071
  • 2
  • 15
  • 33
  • why not just add a few seconds of sleep() after every attempt; if you only objective is to make it slower. However, is it really worth it, is what you are securing likely yo come under such an attack? –  Dec 27 '11 at 06:32
  • @user557846 No, it is CPU tine that is needed, not clock time. An attacker can use his own system to attack password hashes have been obtained, this is the attack that must be protected against. Keep in mind that the general attack (not spear-fishing) is to obtain the user information for all users, then crack the easy passwords and sell the user credentials + passwords on the dark web. – zaph Jan 01 '19 at 18:48

3 Answers3

1

Well there are two types of attacks against passwords:

  1. The attacker can somehow read out your password hashes which are store in the database (SQL-Injection or any other way to get access to your system). The attacker now wants to get the original password (since the hashed one doesn't get him far).
  2. The attacker uses your login-form repeatedly with different passwords (brute force).

In case 1 he has already circumvented your login-form, he don't cares how much time is needed for one login on your system. But he cares how much time it takes to brute-force the password on his system(s). So the work factor just makes it harder to brute-force the password by trying every combination and hashing it with the same algorithm as your system. "re-hashing" the password to make the login-process longer won't help in this case.

In case 2 however he does care how much time is needed for trying a password on your system because he must do it a lot to get to the right login (plus he must probably guess the username if he can't find that out). The attacker must be very dumb because he will leave traces and wastes time. You can make his life more miserable by blocking his IP after a certain number of failed logins. Plus you could add a sleep after every invalid login (a sleep does not need that much resources as a CPU intensive hashing-operation).

vstm
  • 12,407
  • 1
  • 51
  • 47
  • With phpass the work factor is stored with the hash, so the attacker wouldn't have to guess the work-factor (the reason is so that you can verify the hash even if the phpass configuration is different). But if you hash your passwords in a way that they don't reveal the work-factor, then you were right: the attacker must guess the right work-factor so that the hashes are equal. – vstm Dec 27 '11 at 08:26
  • Just want to check with you and clarify for anyone else: The work factor only matters when we create the hash initially with phpass (the one for putting in the database). If an attacker gets this hash, he can try brute forcing it `$t_hasher = new PasswordHash(**tiny work factor**, FALSE); $check = $t_hasher->CheckPassword(brute forced guess, stolen hash from db); if($check) Great success else Wrong credentials` but whatever work factor the attacker chooses doesn't matter. If the original work factor was really high, even if the attacker chooses a low work factor it will still take a long time – user1114 Dec 29 '11 at 01:35
  • @user1114105: Yes, the attacker **must** use **your** work-factor. So whatever work-factor you choose the attacker must use the exact same if he wants to crack the hash. If he chooses to use a lower work-factor he **never** gets the right password out of the hash. For example: you hash the password "hello" with factor 19. Then the attacker tries to brute-force your hash with factor 2 he will never get "hello" out of it. He might get a match for "1234" but he can't login to your account with that, because for your check it's simply the wrong password. – vstm Dec 29 '11 at 10:31
-1

Increase the cost :

Example code in php :

$hash = "Hello"

$hash = password_hash($password, PASSWORD_DEFAULT,array('cost'=>15));

echo $hash;

var_dump(password_verify($password, $hash));

Thus a cost of 15 takes lot of time to hash and crack it

Above Example shows the hashing process as well as way to verify your hash for the authentication purpose since

"BCRYPT CREATES NEW HASH EVERYTIME IT RUN !!!!"

Put this code in the .php file and then run it too check your code running

Do not forget the < ?php ? >

SHAH HAIDARALI NADIR
  • 1
  • 1
  • *"BCRYPT CREATES NEW HASH EVERYTIME IT RUN !!!!"* needs to be explained, as it is does make take sense. Perhaps you mean the hash is re-calculated each time it is verified with `password_verify`. – zaph Jan 01 '19 at 19:09
-2

No hashing algorithm is secure IMO, however there are a few out there that will slow hackers down, our only hope is they get peep off with it...

Philip
  • 4,592
  • 2
  • 20
  • 28