Blog | G5 Cyber Security

Hash Breaches: Why They Still Matter

G5 Cyber Security

TL;DR

Even with strong encryption and secure storage, a hash leak is serious because hashes can be cracked to reveal original passwords. This allows attackers access to accounts and systems. Protecting the salt used with your hashes is crucial, as it significantly impacts cracking difficulty.

Understanding Hashes

A hash is like a one-way fingerprint of data (like a password). You can easily calculate the hash from the password, but you can’t get the original password back from the hash itself. This is why they’re used for storing passwords – instead of keeping the actual password, we store its hash.

Why a Hash Leak is Bad

  1. Cracking Attempts: Attackers use techniques like brute-force attacks and dictionary attacks to try and find the original password that matches the leaked hash. Faster computers and pre-computed tables (rainbow tables) make cracking easier over time.
  2. Rainbow Tables: These are pre-calculated tables of hashes for common passwords. If your system uses a weak or default salt, attackers can use rainbow tables to quickly find matching passwords.
  3. Credential Stuffing: Attackers try the leaked username/password combinations on other websites and services. People often reuse passwords, so a breach on one site can compromise accounts elsewhere.

The Role of Salt

Salt is random data added to each password before hashing. It makes rainbow tables useless because each password has a unique salt.

# Example Python code (simplified) - DO NOT USE IN PRODUCTION WITHOUT PROPER SECURITY LIBRARIES!
import hashlib

salt = "your_unique_salt"
password = "mysecretpassword"
salted_password = salt + password
hash_object = hashlib.sha256(salted_password.encode())
hex_dig = hash_object.hexdigest()
print(hex_dig)

Without a unique salt for each password, all passwords with the same value will generate the same hash.

Steps to Mitigate Risk After a Hash Leak

  1. Invalidate Leaked Hashes: Force password resets for accounts associated with leaked hashes.
  2. Monitor for Credential Stuffing: Use tools and services that detect when compromised credentials are being used on your systems.
  3. Strengthen Password Policies: Enforce strong, unique passwords. Consider multi-factor authentication (MFA).
  4. Review Hashing Algorithm & Salt Length: Ensure you’re using a modern hashing algorithm like bcrypt or Argon2 and a sufficiently long salt (at least 16 bytes is recommended).
  5. Implement Rate Limiting: Limit the number of failed login attempts to slow down brute-force attacks.

Protecting Your Hashes in the First Place

  1. Use a Strong Hashing Algorithm: bcrypt and Argon2 are designed to be computationally expensive, making cracking harder.
  2. Generate Unique Salts for Each Password: Never reuse salts!
  3. Store Salts Securely: The salt must be stored alongside the hash. If an attacker gets both, they can crack the password.
  4. Regular Security Audits: Have your systems regularly audited by security professionals to identify vulnerabilities.
Exit mobile version