Hashed Password
From MgmtWiki
Full Title or Meme
A password should never be stored in plain text, or it can be copied out and used by an attacker.
Context
- Many providers store passwords locally by hashing the password together with a random per-user value, a "salt", so that two users with the same password do not get the same stored hash and precomputed (rainbow) tables are useless. A salt is stored next to the hash and is not secret; a secret value mixed in as well is usually called a "pepper".
- One example of a system using stored password hashes is Microsoft AD, which stores the unsalted NT hash (MD4 of the UTF-16LE password), so the same password yields the same hash in every domain.
- The concept is that the password itself is not stored by the provider, so it cannot be stolen from the provider; only the hash can be.
Problem
- If the password hash is taken from a provider, it can often be used to sign into that provider without ever knowing the password: in challenge-response protocols such as NTLM the hash, not the password, is what the client proves possession of ("pass the hash").
- In one well-known attack against air-gapped systems, many users had the same password in providers on both sides of the gap. So if (1) the password hash could be obtained on one side of the gap, and (2) the same AD hash was used on both sides of the gap, then anyone with privileged access on one side could access the other side using the same hash.
- Hashes need to be upgraded as technology moves forward. NIST has deprecated SHA-1, so it should no longer be used for security solutions such as the hashing of secrets. A fast general-purpose hash such as SHA-256 is not sufficient for passwords either: use a salted, deliberately slow password hash (PBKDF2, bcrypt, scrypt or Argon2), and rehash a stored record at the user's next successful login whenever its scheme or work factor falls below current policy.
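The following is an added example, not code from MgmtWiki or from any provider the page mentions. It shows the two points above in working code: an unsalted legacy record (unsalted SHA-1 stands in here for deprecated schemes; AD's NT hash is likewise unsalted) collides for every user with the same password, while a salted PBKDF2-HMAC-SHA256 record does not, and verification transparently upgrades a legacy or under-iterated record once the user has proved the password. The record formats `sha1$...` and `pbkdf2_sha256$iterations$salt$digest` are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed example record formats (assumptions for this example):
#   legacy:  "sha1$<hex digest>"                       unsalted, deprecated
#   current: "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"
PBKDF2_ITERATIONS = 600_000   # current work-factor policy for new records
SALT_BYTES = 16


def legacy_hash(password: str) -> str:
    """Unsalted SHA-1 of the password. Every user with the same password
    gets an identical record, so a hash stolen once works everywhere the
    same password is in use."""
    return "sha1$" + hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 record with a fresh random salt,
    so equal passwords produce different records and the salt is stored in
    the clear alongside the digest (it is not a secret)."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> Tuple[bool, Optional[str]]:
    """Check a password against a stored record.

    Returns (ok, new_record). new_record is a replacement the caller should
    store when the password was correct but the record uses a deprecated
    scheme or a work factor below policy; this is how hashes get upgraded
    without ever holding plaintext passwords at rest."""
    scheme, _, rest = record.partition("$")
    pw = password.encode("utf-8")

    if scheme == "sha1":
        actual = hashlib.sha1(pw).digest()
        ok = hmac.compare_digest(actual, bytes.fromhex(rest))  # constant-time
        return ok, (make_record(password) if ok else None)

    if scheme == "pbkdf2_sha256":
        iters_s, salt_hex, digest_hex = rest.split("$")
        iters = int(iters_s)
        actual = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex), iters)
        ok = hmac.compare_digest(actual, bytes.fromhex(digest_hex))
        if ok and iters < PBKDF2_ITERATIONS:
            return True, make_record(password)   # correct, but below policy: rehash
        return ok, None

    raise ValueError(f"unknown hash scheme: {scheme}")


def same_password_collides(password: str) -> Tuple[bool, bool]:
    """(legacy records equal, salted records equal) for two users sharing a
    password: the first is True, the second False."""
    legacy_equal = legacy_hash(password) == legacy_hash(password)
    salted_equal = make_record(password) == make_record(password)
    return legacy_equal, salted_equal


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    print("unsalted records collide, salted do not:", same_password_collides(pw))
    old = legacy_hash(pw)
    ok, upgraded = verify(pw, old)
    print("legacy login ok:", ok, "-> upgraded record:", upgraded[:40] + "...")
    print("upgraded record verifies with no further change:", verify(pw, upgraded))
```

`hmac.compare_digest` is used for both schemes so a wrong guess does not leak how many digest bytes matched through timing. The upgrade path never stores the password; the only moment the plaintext is available is during the login in which the user supplies it.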