I am developing a web application in Java and I want to make the authentication process secure
by using hashed passwords.
In hashing
step-1 : we take the password given by the user and add a salt to it.
step-2 : hash it using MessageDigest and store the hashed value in database
While authenticating a user during login process we repeat both the same steps above, but instead of
storing the hashed value we compare it with the value present in database.
Now forgive my ignorance but what I want to say is if a hacker gets access to the database by any other
means, then it can provide security as the hacker cannot get the real text of password from the hashed
value so easily.
BUT how can it provide security against other forms of attacks like Bruteforce attack, Rainbow attack, dictionary attack etc. as we use the same steps to authenticate the user for login?
I don’t think hashing of passwords now-a-days value that much.
Give me some suggestions….. if I am wrong.
Brute force is brute force. You can’t do anything about it except refusing to try the authentication (or imposing a delay) after N successive failed trials. Of course, if the hacker has the hashed password, he will be able to brute force the password, but the point of a secure hashing function is to make that very very long.
Rainbow/dictionary attacks are solved by the salting. If a user chooses “password” as his password, a rainbow/dictionary attack would find the password immediately. But since you salt the password with a random value, the hashed value will be something like
d7("58gd0}78sq5sQIazuAKpassword, which won’t be in the rainbow table/dictionary.