  
Author Topic:   Scammers
PaulK
Member
Posts: 18131
Joined: 01-10-2003
Member Rating: 6.2


(1)
Message 7 of 14 (920904)
12-06-2024 1:39 PM
Reply to: Message 6 by Percy
12-06-2024 10:54 AM


Re: Security and Scamming
quote:
When you create an account at a secure website, it saves away an encrypted copy of the password you provide using a one-way encryption method, meaning that it cannot be decrypted. When you log in it encrypts the password you enter and compares it to the encrypted copy it has saved away. If they match then it logs you in.

That is usually referred to as “hashing” rather than “encrypting”.
On a secure site the hash will be stored with a random “salt” which gets added to the password for the hash function. The salt means that people who choose the same password do not end up with the same hash value.
quote:
But the next time you log in it will encrypt it again and it will result in a different string. It has to call another function to compare the two strings to see if they're both valid encryptions of your password.
I’ve not heard of that one, and I don’t see how it can work as described.
Generally you should be submitting passwords over a secure connection which will be encrypted, but the encrypted password will be decrypted before it is sent (with the salt) to the hash function.
There is another detail - the hash function must not be too easy to run, or hackers could simply try every possibility until they find one that works. No cryptography is immune to brute-forcing - and as computer power becomes more easily available steps must be taken to keep the problems intractable enough that brute-forcing is impractical - or at least uneconomic. That’s why secure sites use specialised hash functions these days - general cryptographic hashes used to be used but efficiency is a virtue in other applications so they are not difficult enough.
Just one more point. While there are reasonable concerns about password managers - though they can benefit some people - reusing passwords is a bad idea anyway. Especially for your bank account. That should have a password that you have never ever used for anything else at all. Password databases do get hacked and released. Old password databases will be based on cryptographic algorithms that are no longer secure. Hackers may well try your username and old passwords elsewhere. (In fact I once got a blackmail email that pretended to have hacked my computer - and the “evidence” was that they knew an old password that had been replaced years before.)

This message is a reply to:
 Message 6 by Percy, posted 12-06-2024 10:54 AM Percy has replied

Replies to this message:
 Message 8 by Rahvin, posted 12-06-2024 3:06 PM PaulK has replied
 Message 11 by Percy, posted 12-07-2024 10:59 AM PaulK has replied

  
PaulK
Member
Posts: 18131
Joined: 01-10-2003
Member Rating: 6.2


Message 9 of 14 (920908)
12-06-2024 3:21 PM
Reply to: Message 8 by Rahvin
12-06-2024 3:06 PM


Re: Security and Scamming
quote:
The "salt" part is used so that neither the client (your browser) nor the server (whatever you're logging onto) has the complete picture. You have the password, but don't know the right salt. The server knows the salt and the salted hash of your password, but never stores the actual password. A malicious attacker cannot take information from any single entity and get a complete logon credential.
That wouldn’t work. The only thing an attacker needs is the password - the salt is always used to check it on the server.
The original purpose of salting was to harden against “rainbow tables”. But, as I said it also ensures that if users happen to pick the same password they don’t end up with the same hash.

This message is a reply to:
 Message 8 by Rahvin, posted 12-06-2024 3:06 PM Rahvin has replied

Replies to this message:
 Message 10 by Rahvin, posted 12-06-2024 3:28 PM PaulK has not replied
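A worked illustration of the points PaulK makes in Messages 7 and 9 (a slow, salted one-way hash; the same password giving different hashes for different users; the salt stored in the clear and re-used by the server at every login). This is example code added to the thread, not code from any poster or from the forum software. It uses only the Python standard library; PBKDF2-HMAC-SHA256 stands in for the purpose-built password hash PaulK mentions, and the iteration count, record layout, user names and sample passwords are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Work factor: how many PBKDF2 rounds each hash costs. Raising it makes every
# brute-force guess correspondingly slower. The value is an assumption.
ITERATIONS = 600_000
SALT_BYTES = 16


def fast_unsalted_hash(password: str) -> str:
    """The legacy scheme: one pass of a general-purpose hash with no salt.
    Every user (and every site) using the same password gets the same value,
    which is why a leaked old database exposes password reuse."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> dict:
    """Build the record a site stores at sign-up: a random salt, the work
    factor, and the slow salted hash. The salt is kept in the clear; it is
    not a secret, and the server needs it again at every login."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Login: re-run the hash with the *stored* salt and work factor and
    compare. The hash is one-way, so nothing is ever decrypted."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    # Constant-time comparison so that response time does not reveal how
    # many leading bytes of the digest matched.
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    # Constructed sample accounts: two users who happen to pick the same password.
    shared = "correct horse battery"
    users = {name: hash_password(shared) for name in ("alice", "bob")}
    print("salted digests identical:",
          users["alice"]["digest"] == users["bob"]["digest"])          # False
    print("unsalted digests identical:",
          fast_unsalted_hash(shared) == fast_unsalted_hash(shared))    # True
    print("alice logs in:", verify_password(shared, users["alice"]))   # True
    print("wrong password:", verify_password(shared + "s", users["alice"]))  # False
```

The stored record holds the salt and iteration count alongside the digest, so a copy of the database gives an attacker nothing to decrypt; each guess still has to pay the full work factor, and a match for one user tells them nothing about another user with the same password.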

  
PaulK
Member
Posts: 18131
Joined: 01-10-2003
Member Rating: 6.2


(1)
Message 12 of 14 (920930)
12-07-2024 11:54 AM
Reply to: Message 11 by Percy
12-07-2024 10:59 AM


Re: Security and Scamming
quote:
This site, using PHP, works that way, though I could have explained it better. password_hash() is called using PASSWORD_BCRYPT as the algorithm. When a user logs in password_verify() checks the user-entered password against the saved hash to see if the saved hash is a valid hash of that password.

The old approach of comparing the hashed password against the saved hash no longer works because password_hash() generates a different hash each time it is called with the same password.
I think you may have misunderstood how it works. If you are using password_hash() it chooses a salt. You can’t use password_hash() for verification because it will choose a new salt and get a different hash. Under the hood it’s still comparing the hash directly, you just don’t see it. (Before PHP 8.0 there was apparently the option to provide a salt instead of letting the function choose one, but that no longer works).
Two factor authentication is more secure because an attacker needs to obtain the second factor as well as the password. SMS is probably the least secure version but even so it’s still an improvement over a password.

This message is a reply to:
 Message 11 by Percy, posted 12-07-2024 10:59 AM Percy has seen this message but not replied
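The password_hash()/password_verify() behaviour PaulK describes in Message 12, re-created as an added Python example (not code from the thread, from EvC Forum, or from PHP): the stored string carries its own algorithm, cost and salt, so verification parses the stored record instead of generating a fresh salt, and two calls to the hashing function give different strings that both verify. PBKDF2-HMAC-SHA256 stands in for bcrypt, the `$algorithm$cost$salt$hash` layout only loosely imitates bcrypt's self-describing format, and the function names echo PHP's password_hash(), password_verify() and password_needs_rehash() but are my own definitions; costs and passwords are constructed.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2-sha256"   # assumed label written into every stored hash
DEFAULT_COST = 600_000        # assumed current work factor (PBKDF2 rounds)


def password_hash(password: str, cost: int = DEFAULT_COST) -> str:
    """Pick a fresh random salt and return one self-describing string.
    Calling this twice with the same password yields two different strings."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cost)
    # Base64 never contains '$', so '$' is a safe field separator.
    return "$".join(["", ALGORITHM, str(cost),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])


def _parse(stored: str):
    """Split a stored string back into (cost, salt, digest)."""
    _, algorithm, cost, salt, digest = stored.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported hash algorithm: {algorithm}")
    return int(cost), base64.b64decode(salt), base64.b64decode(digest)


def password_verify(password: str, stored: str) -> bool:
    """Re-hash with the salt and cost recorded in the stored string and compare.
    Under the hood this is still a direct comparison of two digests."""
    cost, salt, expected = _parse(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cost)
    return hmac.compare_digest(candidate, expected)


def password_needs_rehash(stored: str, cost: int = DEFAULT_COST) -> bool:
    """True when the record was made with a lower work factor than is current."""
    stored_cost, _, _ = _parse(stored)
    return stored_cost < cost


def login(password: str, stored: str, cost: int = DEFAULT_COST):
    """Verify, and if the record is below the current cost, return an upgraded
    record to save in its place. The plaintext is available only at login,
    so that is the only moment an old hash can be strengthened."""
    if not password_verify(password, stored):
        return False, stored
    if password_needs_rehash(stored, cost):
        return True, password_hash(password, cost)
    return True, stored


if __name__ == "__main__":
    first = password_hash("hunter2")
    second = password_hash("hunter2")
    print("two hashes of the same password differ:", first != second)   # True
    print("both verify:", password_verify("hunter2", first) and password_verify("hunter2", second))  # True
    print("naive equality check works:", password_hash("hunter2") == first)  # False
```

The naive check in the last line is the one Percy describes as no longer working: a fresh call to password_hash() embeds a new salt, so its output never equals the stored string; only password_verify(), which reads the salt out of the stored string, can confirm the password.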

  
Copyright 2001-2023 by EvC Forum, All Rights Reserved
