I received an email in response to my post How To Avoid ClearText
asks the following question:
…Thus if a hacker steals the hashed password from your database, he
will be able to write an application that gives the hash to WSE and he
will authenticate successfully - which is exactly what we are trying
to avoid by storing the hashed passwords in the first place. \
The bottom line: this approach won’t really solve the real problem -
if I steal the hash from the database, I will be able to uthenticate
successfully. I’d love this to work the way you describe but as a
security-conscious developer I’m still losing sleep.
Although this is a true scenario, the author makes an assumption that is
false. The purpose of storing a hashed password is NOT to stop a hacker
who obtains the hash from being able to authenticate as that user.
Think of it this way, if I’m a hacker and I am able to compromise your
user database and obtain a user’s hashed password, why would I ever try
to authenticate as that user? Since I already have my grubby hands in
the cookie jar, I might as well grab all the data directly from your
Rather, the purpose of hashing a password with a salt value is to
provide security to the user of the system that rogue employees of the
company and hackers who compromise the database cannot use my password
to log into other sites I frequent.
Ideally your database isn’t compromised very often, otherwise you have
bigger problems than whether or not passwords are hashed.
That’s why a security minded developer doesn’t stop at hashing
passwords. Code security is never enough and is only a small part of the
equation. The IT staff have to make sure the database itself is secure
and not likely to be compromised. Staff with access to the system must
be trained to deal with social engineering attacks. What good is a
hashed password if I can call up tech support and get any information I
need by posing as an executive?
So to the author of this email, I suggest you don’t lose sleep over the
hashed password scenario. As a security conscious developer, you have a
huge number of other attack scenarios to lose sleep over. ;-)