Password authentication

[M.O.S. Studios]

Hey everyone,

 

I’m working on an app for my local intranet sever. My security needs are almost non existent, because it’s only accessible on my local network. Even if someone wanted to mess with it, the only thing this app controls is my fish tank! Yup, it just shows me some information about my water, and let’s me turn on and off devices. So I’m not too worried about it.

That being said, I want to add a password just to keep my coding skills sharp, as I haven’t done anything with php in a while. That being said, I would like some help understanding something...

while looking up the best practices for working with passwords, I found password_hash and password_verify...

 

don’t these two function completely negate the advantages of salting a password?

my understanding is that salting a password makes using a rainbow table impossible. However, what’s stopping someone from just doing a dictionary attack with the password_verify function?

as I said above, my application doesn’t require a lot of security, I’m asking for educational reasons

[mac_gyver]

18 minutes ago, M.O.S. Studios said:

don’t these two function completely negate the advantages of salting a password?

password_hash() generates a random salt per call, if you follow the recommend usage. so, every time the same password gets hashed, the stored hash is different and anyone getting a copy of any such hashed data won't be able to directly find all the entries with the same password once they find an input/hash match for one. they will need to go through the process for each stored hash. the hash algorithm, random salt, and cost are stored with each hash, so it is still possible to generate lookup tables for each combination of these values to shorten the process.

25 minutes ago, M.O.S. Studios said:

However, what’s stopping someone from just doing a dictionary attack with the password_verify function?

the point of hashing passwords is to protect the user's data. it has nothing to do with preventing any type of external attack.

[M.O.S. Studios]

17 minutes ago, mac_gyver said:

the point of hashing passwords is to protect the user's data. it has nothing to do with preventing any type of external attack.

Maybe I am using the wrong terminology.

 

if someone got a hold of the DB, the can see the $2y$10$ And assume that’s how it was encrypted. Then run a list of common passwords through password_validate along with the hash.

 

if it tests each hash against the most common passwords, words, etc..  first, then worked its way down to the least common, it could in theory works out the majority of information.

[requinix]

1 hour ago, M.O.S. Studios said:

if it tests each hash against the most common passwords, words, etc..  first, then worked its way down to the least common, it could in theory works out the majority of information.

And they'll do that. You can't stop them from attempting it, and there's no way to totally defeat brute forcing.

But what proper password hashing does is make it difficult to get many passwords at once. People using "password" or "123456" aren't protected, those will be broken quickly, but people using real passwords will be somewhat safe because the sheer number of passwords to try hashing * the amount of time it takes to hash a password = a very long time. There are techniques to speed up cracking passwords, but they 100% don't work if each password has its own salt.

In other words, using the password_* functions correctly is what you are supposed to do, so that's what you need to do.

[M.O.S. Studios]

I’m asking for educational purposes, I think understanding why is as important as how.

 

so, if I understand correctly, the idea is it strictly prevents comparing hashed password together. So one cracked password doesn’t unlock them all?