Security weak link

Question

I've read a ton of information about hashing and salting passwords, do's, don't etc. The problem I see is this: If a hacker is going to go through the efforts of stealing the list of hashed passwords, doesn't he then have access to all the data that is password protected? It's like storing the combination to a safe, in the safe. Breaking in, and stealing the combination. If I were the thief, I would take the money.

Now a large company probably has a separate server just for authentication. However, the hacker wants data, not passwords. So if both servers are equal, I would break into the one that holds the data.

Is there some basic flaw of computer security that I am missing here? Are there non-social ways to crack a password without the hash file?

Thanks for your assistance.

--Dave

Answer 1

You're assuming such a person has access to the entire database. This isn't always the case. They may have stumbled upon a page where the hashes are accidentally exposed to users (and thus have no access to other parts of the DB), or they may have used SQL injection to pull certain data out in manner that is limited (for example, they might have figured out that your users table is called users, but not that your credit cards table is called lolcats).

Another security consideration is your internal IT folks. Developers with legitimate access to the database generally still shouldn't be seeing everyone's passwords in plaintext.

Answer 2

One reason is that most users have the same password for multiple accounts. An unhashed password means my accounts on other sites could become compromised - especially since email is a common field for logins. By hashing passwords, if a site has their db stolen I'm protected from having my email account compromised at the same time.

Answer 3

Most users will reuse passwords across multiple systems. If an attacker breaks into your system, you don't want him to be able to use your data to break into your users' accounts on different websites.

Also, if you encrypt data using the user's password, and only store a hash of the password, then an attacker won't be able to do anything even if he gets your entire database unless he can crack the hashes. Note that this would make it completely impossible to implement a 'forgot password' feature unless you have a way to decrypt the data using the security answer (making it in effect a second password)