I've read a ton of information about hashing and salting passwords, do's, don't etc. The problem I see is this: If a hacker is going to go through the efforts of stealing the list of hashed passwords, doesn't he then have access to all the data that is password protected? It's like storing the combination to a safe, in the safe. Breaking in, and stealing the combination. If I were the thief, I would take the money.
Now a large company probably has a separate server just for authentication. However, the hacker wants data, not passwords. So if both servers are equal, I would break into the one that holds the data.
Is there some basic flaw of computer security that I am missing here? Are there non-social ways to crack a password without the hash file?
Thanks for your assistance.
--Dave
You're assuming such a person has access to the entire database. This isn't always the case. They may have stumbled upon a page where the hashes are accidentally exposed to users (and thus have no access to other parts of the DB), or they may have used SQL injection to pull certain data out in a manner that is limited (for example, they might have figured out that your users table is called users, but not that your credit cards table is called lolcats). Another security consideration is your internal IT folks. Developers with legitimate access to the database generally still shouldn't be seeing everyone's passwords in plaintext.