Hashed Password

From MgmtWiki
Jump to: navigation, search

Full Title or Meme

A password should never be stored in plain text. or it can be copied out and used by an attacker.

Context

  • Many providers store passwords locally by hashing the password used a secret number as a "salt" for the hashing algorithm.
  • One example of a system using stored passwords is Microsoft AD.
  • The concept is that the password is not stored in the prover, so it cannot be stolen from the provider.

Problem

  • If the password hash is taken from a provider, it can be used to sign-into that provider.
  • In one well-known attack against air-gapped systems, many users had the same password in providers on both sides of the gap. So if (1) the password hash could be obtained in one side of the gap, and (2) the same AD hash was used on both sides of the gap, then anyone with privileged access on one side could access the other side using the same hash.


Attacks

References