Bear with me, I have only been learning PHP for a few weeks, so example code may confuse me. I think I finally understand salting! It’s to protect passwords inside the database, if breached.
What I don’t understand is, why would a hacker have to crack hashes if they are trying to figure out a user’s password (assuming that’s their goal)? Wouldn’t this be easier? Is the only defense against password guessing to implement a limit on password entries of X attempts a day, or a CAPTCHA?
How would a database get hacked in the first place? Is it more password guessing or can hashes be obtained through MySQL injection?
Thanks!
Yes, salting is to protect the passwords from ever being reversed into plaintext. It also stops someone from saying “the encrypted password is the same on site A as on site B, so the user has the same password in both places”.
This isn’t just to protect users against hackers; it’s also to protect them against you.
Yes, the only defense against password guessing is to slow down or disallow repeated attempts. Most CAPTCHAs are breakable or broken, and you can’t impose a CAPTCHA or guess limit on someone who has a copy of the raw database. So keep even the encrypted data out of the hands of malicious individuals. Don’t let them at your .htpasswd or /etc/shadow file or your database.
If you are not using salt, generating a rainbow table (in advance) is much easier than guessing a very strong password directly. The key is that building the reverse mapping hash->password can be done once, and the (unsalted) hash is broken forever to anyone possessing the rainbow table.
The database could be hacked if your provider is compromised, if there is an injection vulnerability in your code, if your DB user account password is guessed, if your provider uses eBay to sell off the (presumed wiped) hard drive that had a three-year-old copy of your database on it… It can happen many ways.
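An added example, not from the answer above, showing the two points it makes: an unsalted hash falls to a single lookup in a table built once in advance, while a salted hash is not in any such table and the same password gives different stored values on two sites. The candidate list is a constructed stand-in for a real precomputed table, and the choice of PBKDF2-HMAC-SHA256 with 100,000 iterations for the salted scheme is mine, not the answer's.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed: a tiny stand-in for a precomputed (rainbow) table, built once
# from common candidate passwords. Real tables hold billions of entries.
CANDIDATES = ["password", "123456", "letmein", "qwerty", "hunter2"]
PRECOMPUTED_SHA256: Dict[str, str] = {
    hashlib.sha256(pw.encode()).hexdigest(): pw for pw in CANDIDATES
}


def unsalted_hash(password: str) -> str:
    """The weak scheme: one deterministic SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_unsalted(digest: str) -> Optional[str]:
    """Reverse a hash with a single table lookup, no guessing at runtime."""
    return PRECOMPUTED_SHA256.get(digest)


def salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash: fresh 16-byte random salt per password, stretched
    with PBKDF2-HMAC-SHA256. Stored as 'salt_hex$hash_hex' (my format)."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return f"{salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo() -> dict:
    pw = "letmein"
    site_a, site_b = salted_hash(pw), salted_hash(pw)  # same password, two sites
    return {
        "unsalted_reversed": lookup_unsalted(unsalted_hash(pw)),           # 'letmein'
        "salted_in_table": lookup_unsalted(salted_hash(pw).split("$")[1]),  # None
        "same_pw_same_hash": site_a == site_b,                              # False
        "verifies": verify_salted(pw, site_a),                              # True
        "wrong_rejected": verify_salted("qwerty", site_a),                  # False
    }


if __name__ == "__main__":
    print(demo())
```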