How are passwords stolen from companies if they only store hashes?Why do some large companies still store passwords in plain text/decrypt-able format?I've heard that salt is not meant to be secret, but what if I made it secret?Email hacking mythHow to store passwords securely in my server?How secure are “pattern” passwords?Are bad passwords used to breach security in real life?What are the security implications of storing multiple hashes for similar passwords?How safe is it to store your passwords in web browsers?What are the security risks of logging the hash of rejected passwords?Trouble understanding how passwords are authenticated

The German vowel “a” changes to the English “i”

Is it true that good novels will automatically sell themselves on Amazon (and so on) and there is no need for one to waste time promoting?

Why do tuner card drivers fail to build after kernel update to 4.4.0-143-generic?

Did Ender ever learn that he killed Stilson and/or Bonzo?

How do you talk to someone whose loved one is dying?

Is a party consisting of only a bard, a cleric, and a warlock functional long-term?

How difficult is it to simply disable/disengage the MCAS on Boeing 737 Max 8 & 9 Aircraft?

Does this sum go infinity?

Converting a variable frequency to TTL HIGH and LOW levels, based on a fixed (possible non-fixed?) frequency

I got the following comment from a reputed math journal. What does it mean?

Is "upgrade" the right word to use in this context?

Do I need to be arrogant to get ahead?

Bach's Toccata and Fugue in D minor breaks the "no parallel octaves" rule?

How are passwords stolen from companies if they only store hashes?

Are Roman Catholic priests ever addressed as pastor

Describing a chess game in a novel

What is "focus distance lower/upper" and how is it different from depth of field?

Recruiter wants very extensive technical details about all of my previous work

PTIJ: Who should I vote for? (21st Knesset Edition)

How to make healing in an exploration game interesting

How do I hide Chekhov's Gun?

New passport but visa is in old (lost) passport

Are all passive ability checks floors for active ability checks?

ERC721: How to get the owned tokens of an address



How are passwords stolen from companies if they only store hashes?


Why do some large companies still store passwords in plain text/decrypt-able format?I've heard that salt is not meant to be secret, but what if I made it secret?Email hacking mythHow to store passwords securely in my server?How secure are “pattern” passwords?Are bad passwords used to breach security in real life?What are the security implications of storing multiple hashes for similar passwords?How safe is it to store your passwords in web browsers?What are the security risks of logging the hash of rejected passwords?Trouble understanding how passwords are authenticated













2















Everywhere I look it says servers store passwords in hashed form, but then you have those breaking news about hackers stealing passwords from large companies. What am I missing?










share|improve this question







New contributor




W2a is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.















  • 3





    Have you ever heard of password cracking?

    – kelalaka
    3 hours ago






  • 1





    Passwords could be stolen also by eavesdropping them on the points they pass unencrypted. And at least on a point they are unencrypted, namely on the keyboard of the user.

    – peterh
    2 hours ago
















2















Everywhere I look it says servers store passwords in hashed form, but then you have those breaking news about hackers stealing passwords from large companies. What am I missing?










share|improve this question







New contributor




W2a is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.















  • 3





    Have you ever heard of password cracking?

    – kelalaka
    3 hours ago






  • 1





    Passwords could be stolen also by eavesdropping them on the points they pass unencrypted. And at least on a point they are unencrypted, namely on the keyboard of the user.

    – peterh
    2 hours ago














2












2








2








Everywhere I look it says servers store passwords in hashed form, but then you have those breaking news about hackers stealing passwords from large companies. What am I missing?










share|improve this question







New contributor




W2a is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












Everywhere I look it says servers store passwords in hashed form, but then you have those breaking news about hackers stealing passwords from large companies. What am I missing?







passwords






share|improve this question







New contributor




W2a is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question







New contributor




W2a is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question






New contributor




W2a is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 3 hours ago









W2aW2a

111




111




New contributor




W2a is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





W2a is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






W2a is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







  • 3





    Have you ever heard of password cracking?

    – kelalaka
    3 hours ago






  • 1





    Passwords could be stolen also by eavesdropping them on the points they pass unencrypted. And at least on a point they are unencrypted, namely on the keyboard of the user.

    – peterh
    2 hours ago













  • 3





    Have you ever heard of password cracking?

    – kelalaka
    3 hours ago






  • 1





    Passwords could be stolen also by eavesdropping them on the points they pass unencrypted. And at least on a point they are unencrypted, namely on the keyboard of the user.

    – peterh
    2 hours ago








3




3





Have you ever heard of password cracking?

– kelalaka
3 hours ago





Have you ever heard of password cracking?

– kelalaka
3 hours ago




1




1





Passwords could be stolen also by eavesdropping them on the points they pass unencrypted. And at least on a point they are unencrypted, namely on the keyboard of the user.

– peterh
2 hours ago






Passwords could be stolen also by eavesdropping them on the points they pass unencrypted. And at least on a point they are unencrypted, namely on the keyboard of the user.

– peterh
2 hours ago











3 Answers
3






active

oldest

votes


















2














When you here that passwords being stolen sometimes company's will report that and recommend action even if it's just that hashed passwords that were stolen. This is so you can take action in the case that they are broken. Unfortunately there are still company's that store there passwords incorrectly for example if you search for the rockyou password breach you'll find that they were storing there passwords in clear text witch ment that they were compromised as soon as they were stolen. Other cases such as Adobe password breach there was miss handling of storing the encrypted passwords in there database. Other times company's use hashing on there passwords but use insecure hashing algorithms or they don't salt there passwords properly. In short if a company follows recommended password storage methods the passwords in theory should be safe in there hashed form but a good company will still inform there customers of the breach. However, there are plenty of examples where company's do not store passwords correctly leading them to be cracked quite quickly.






share|improve this answer






























    1














    Servers don't store passwords in hashed format, this is something that is implemented by us.



    As we are not discussing how the passwords have been stolen, and more so the aftermath, I'll avoid the many number of factors said companies should implement to help prevent these data breaches.



    If you make a website and manage the database, it's down to us to store that information efficiently. If we don't, when there is a data breach attackers can view passwords in what may as well be plain text, as often is the case (depending on the way in which these are stored).



    In short, you'd never want this to happen! -- Password cracking is a very common and real thing, just because passwords are hashed does not make them in anyway secure.



    Let's say a company has 1000 customer passwords, all of which are hashed.



    Let's say 600 of those customers had a password, 8 characters long, the likelihood of those passwords being cracked within the first 5 minutes (being generous) is very high.



    "5 minutes?! But they were hashed!"....



    Yeah, but the passwords of those 600 customers were still poor, along with an equally poor hashing algorithm.



    Without going into too much detail in the interest of simplifying the explanation; password cracking works by simply matching the hash to a dictionary file of words, running through each word to see if their hash matches the ones that have been obtained from those 600 customers, for example, your password might be:



    Password: Security



    MD5 Hashed: 2FAE32629D4EF4FC6341F1751B405E45



    I then just run some favorable hacking tools against those hashes to "crack" them.



    Should you ever want to store passwords yourself, MD5 should be avoided, above was purely for example purposes. Instead research the more stronger types of hashing algorithms, it makes it much harder for attackers to successfully make use of the passwords they have stolen.



    Edit



    After re-reading the title you do indeed specify "How are passwords stolen if they only store hashes"



    The short answer; hashing, or whatever format you store your passwords has no effect on the ability for hackers to steal these. They are stolen because of a variety of different vulnerabilities. There are a multitude of attacks in which help obtain passwords (hashed or not).






    share|improve this answer










    New contributor




    Tipping44 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.



























      1














      You hash a large number of passwords, then check if the output matches any of the stored hashes. Brute force cracking is feasible because people do not usually choose highly unpredictable passwords.



      When a password database is stolen, the stolen material includes all the information necessary to do offline cracking. (It's simply a guess and check process. Other methods may be available with less secure hashing or password storage methods.)




      Hashing passwords with a preimage resistant functions with a sufficiently unpredictable input is enough to make it impossible recover a password. (An inhumanly strong password.)



      However, most people don't do this in the real world, a stolen database of hashes is potentially as worrying as a list of unhashed passwords for a large subset of users on a typical website.



      If the password cracker finds candidate password whose hash matches the one stored in the database, then he will have recovered the original (weak) password.




      Alternatively, if a hash function is not preimage resistant (including when the output of the hash is too short) a guess-and-check procedure may produce false positives. (Alternative passwords not identical to the original.)



      The accounts of users from the company with the data breach are still vulnerable because these passwords will unlock a user's account, even if they aren't identical to the original password. (The server has no way to tell if it's the original password. The hash still matches the one in the stolen database in this case.)



      Don't intentionally use an insecure hash function, of course... It's still possible to infer the original password or narrow down the number of possibilities. Which would still make users that reuse passwords on other websites extra vulnerable.






      share|improve this answer
























        Your Answer








        StackExchange.ready(function()
        var channelOptions =
        tags: "".split(" "),
        id: "162"
        ;
        initTagRenderer("".split(" "), "".split(" "), channelOptions);

        StackExchange.using("externalEditor", function()
        // Have to fire editor after snippets, if snippets enabled
        if (StackExchange.settings.snippets.snippetsEnabled)
        StackExchange.using("snippets", function()
        createEditor();
        );

        else
        createEditor();

        );

        function createEditor()
        StackExchange.prepareEditor(
        heartbeatType: 'answer',
        autoActivateHeartbeat: false,
        convertImagesToLinks: false,
        noModals: true,
        showLowRepImageUploadWarning: true,
        reputationToPostImages: null,
        bindNavPrevention: true,
        postfix: "",
        imageUploader:
        brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
        contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
        allowUrls: true
        ,
        noCode: true, onDemand: true,
        discardSelector: ".discard-answer"
        ,immediatelyShowMarkdownHelp:true
        );



        );






        W2a is a new contributor. Be nice, and check out our Code of Conduct.









        draft saved

        draft discarded


















        StackExchange.ready(
        function ()
        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205519%2fhow-are-passwords-stolen-from-companies-if-they-only-store-hashes%23new-answer', 'question_page');

        );

        Post as a guest















        Required, but never shown

























        3 Answers
        3






        active

        oldest

        votes








        3 Answers
        3






        active

        oldest

        votes









        active

        oldest

        votes






        active

        oldest

        votes









        2














        When you here that passwords being stolen sometimes company's will report that and recommend action even if it's just that hashed passwords that were stolen. This is so you can take action in the case that they are broken. Unfortunately there are still company's that store there passwords incorrectly for example if you search for the rockyou password breach you'll find that they were storing there passwords in clear text witch ment that they were compromised as soon as they were stolen. Other cases such as Adobe password breach there was miss handling of storing the encrypted passwords in there database. Other times company's use hashing on there passwords but use insecure hashing algorithms or they don't salt there passwords properly. In short if a company follows recommended password storage methods the passwords in theory should be safe in there hashed form but a good company will still inform there customers of the breach. However, there are plenty of examples where company's do not store passwords correctly leading them to be cracked quite quickly.






        share|improve this answer



























          2














          When you here that passwords being stolen sometimes company's will report that and recommend action even if it's just that hashed passwords that were stolen. This is so you can take action in the case that they are broken. Unfortunately there are still company's that store there passwords incorrectly for example if you search for the rockyou password breach you'll find that they were storing there passwords in clear text witch ment that they were compromised as soon as they were stolen. Other cases such as Adobe password breach there was miss handling of storing the encrypted passwords in there database. Other times company's use hashing on there passwords but use insecure hashing algorithms or they don't salt there passwords properly. In short if a company follows recommended password storage methods the passwords in theory should be safe in there hashed form but a good company will still inform there customers of the breach. However, there are plenty of examples where company's do not store passwords correctly leading them to be cracked quite quickly.






          share|improve this answer

























            2












            2








            2







            When you here that passwords being stolen sometimes company's will report that and recommend action even if it's just that hashed passwords that were stolen. This is so you can take action in the case that they are broken. Unfortunately there are still company's that store there passwords incorrectly for example if you search for the rockyou password breach you'll find that they were storing there passwords in clear text witch ment that they were compromised as soon as they were stolen. Other cases such as Adobe password breach there was miss handling of storing the encrypted passwords in there database. Other times company's use hashing on there passwords but use insecure hashing algorithms or they don't salt there passwords properly. In short if a company follows recommended password storage methods the passwords in theory should be safe in there hashed form but a good company will still inform there customers of the breach. However, there are plenty of examples where company's do not store passwords correctly leading them to be cracked quite quickly.






            share|improve this answer













            When you here that passwords being stolen sometimes company's will report that and recommend action even if it's just that hashed passwords that were stolen. This is so you can take action in the case that they are broken. Unfortunately there are still company's that store there passwords incorrectly for example if you search for the rockyou password breach you'll find that they were storing there passwords in clear text witch ment that they were compromised as soon as they were stolen. Other cases such as Adobe password breach there was miss handling of storing the encrypted passwords in there database. Other times company's use hashing on there passwords but use insecure hashing algorithms or they don't salt there passwords properly. In short if a company follows recommended password storage methods the passwords in theory should be safe in there hashed form but a good company will still inform there customers of the breach. However, there are plenty of examples where company's do not store passwords correctly leading them to be cracked quite quickly.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered 3 hours ago









            Dam30nDam30n

            311




            311























                1














                Servers don't store passwords in hashed format, this is something that is implemented by us.



                As we are not discussing how the passwords have been stolen, and more so the aftermath, I'll avoid the many number of factors said companies should implement to help prevent these data breaches.



                If you make a website and manage the database, it's down to us to store that information efficiently. If we don't, when there is a data breach attackers can view passwords in what may as well be plain text, as often is the case (depending on the way in which these are stored).



                In short, you'd never want this to happen! -- Password cracking is a very common and real thing, just because passwords are hashed does not make them in anyway secure.



                Let's say a company has 1000 customer passwords, all of which are hashed.



                Let's say 600 of those customers had a password, 8 characters long, the likelihood of those passwords being cracked within the first 5 minutes (being generous) is very high.



                "5 minutes?! But they were hashed!"....



                Yeah, but the passwords of those 600 customers were still poor, along with an equally poor hashing algorithm.



                Without going into too much detail in the interest of simplifying the explanation; password cracking works by simply matching the hash to a dictionary file of words, running through each word to see if their hash matches the ones that have been obtained from those 600 customers, for example, your password might be:



                Password: Security



                MD5 Hashed: 2FAE32629D4EF4FC6341F1751B405E45



                I then just run some favorable hacking tools against those hashes to "crack" them.



                Should you ever want to store passwords yourself, MD5 should be avoided, above was purely for example purposes. Instead research the more stronger types of hashing algorithms, it makes it much harder for attackers to successfully make use of the passwords they have stolen.



                Edit



                After re-reading the title you do indeed specify "How are passwords stolen if they only store hashes"



                The short answer; hashing, or whatever format you store your passwords has no effect on the ability for hackers to steal these. They are stolen because of a variety of different vulnerabilities. There are a multitude of attacks in which help obtain passwords (hashed or not).






                share|improve this answer










                New contributor




                Tipping44 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                Check out our Code of Conduct.
























                  1














                  Servers don't store passwords in hashed format, this is something that is implemented by us.



                  As we are not discussing how the passwords have been stolen, and more so the aftermath, I'll avoid the many number of factors said companies should implement to help prevent these data breaches.



                  If you make a website and manage the database, it's down to us to store that information efficiently. If we don't, when there is a data breach attackers can view passwords in what may as well be plain text, as often is the case (depending on the way in which these are stored).



                  In short, you'd never want this to happen! -- Password cracking is a very common and real thing, just because passwords are hashed does not make them in anyway secure.



                  Let's say a company has 1000 customer passwords, all of which are hashed.



                  Let's say 600 of those customers had a password, 8 characters long, the likelihood of those passwords being cracked within the first 5 minutes (being generous) is very high.



                  "5 minutes?! But they were hashed!"....



                  Yeah, but the passwords of those 600 customers were still poor, along with an equally poor hashing algorithm.



                  Without going into too much detail in the interest of simplifying the explanation; password cracking works by simply matching the hash to a dictionary file of words, running through each word to see if their hash matches the ones that have been obtained from those 600 customers, for example, your password might be:



                  Password: Security



                  MD5 Hashed: 2FAE32629D4EF4FC6341F1751B405E45



                  I then just run some favorable hacking tools against those hashes to "crack" them.



                  Should you ever want to store passwords yourself, MD5 should be avoided, above was purely for example purposes. Instead research the more stronger types of hashing algorithms, it makes it much harder for attackers to successfully make use of the passwords they have stolen.



                  Edit



                  After re-reading the title you do indeed specify "How are passwords stolen if they only store hashes"



                  The short answer; hashing, or whatever format you store your passwords has no effect on the ability for hackers to steal these. They are stolen because of a variety of different vulnerabilities. There are a multitude of attacks in which help obtain passwords (hashed or not).






                  share|improve this answer










                  New contributor




                  Tipping44 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                  Check out our Code of Conduct.






















                    1












                    1








                    1







                    Servers don't store passwords in hashed format, this is something that is implemented by us.



                    As we are not discussing how the passwords have been stolen, and more so the aftermath, I'll avoid the many number of factors said companies should implement to help prevent these data breaches.



                    If you make a website and manage the database, it's down to us to store that information efficiently. If we don't, when there is a data breach attackers can view passwords in what may as well be plain text, as often is the case (depending on the way in which these are stored).



                    In short, you'd never want this to happen! -- Password cracking is a very common and real thing, just because passwords are hashed does not make them in anyway secure.



                    Let's say a company has 1000 customer passwords, all of which are hashed.



                    Let's say 600 of those customers had a password, 8 characters long, the likelihood of those passwords being cracked within the first 5 minutes (being generous) is very high.



                    "5 minutes?! But they were hashed!"....



                    Yeah, but the passwords of those 600 customers were still poor, along with an equally poor hashing algorithm.



                    Without going into too much detail in the interest of simplifying the explanation; password cracking works by simply matching the hash to a dictionary file of words, running through each word to see if their hash matches the ones that have been obtained from those 600 customers, for example, your password might be:



                    Password: Security



                    MD5 Hashed: 2FAE32629D4EF4FC6341F1751B405E45



                    I then just run some favorable hacking tools against those hashes to "crack" them.



                    Should you ever want to store passwords yourself, MD5 should be avoided, above was purely for example purposes. Instead research the more stronger types of hashing algorithms, it makes it much harder for attackers to successfully make use of the passwords they have stolen.



                    Edit



                    After re-reading the title you do indeed specify "How are passwords stolen if they only store hashes"



                    The short answer; hashing, or whatever format you store your passwords has no effect on the ability for hackers to steal these. They are stolen because of a variety of different vulnerabilities. There are a multitude of attacks in which help obtain passwords (hashed or not).






                    share|improve this answer










                    New contributor




                    Tipping44 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                    Check out our Code of Conduct.










                    Servers don't store passwords in hashed format, this is something that is implemented by us.



                    As we are not discussing how the passwords have been stolen, and more so the aftermath, I'll avoid the many number of factors said companies should implement to help prevent these data breaches.



                    If you make a website and manage the database, it's down to us to store that information efficiently. If we don't, when there is a data breach attackers can view passwords in what may as well be plain text, as often is the case (depending on the way in which these are stored).



                    In short, you'd never want this to happen! -- Password cracking is a very common and real thing, just because passwords are hashed does not make them in anyway secure.



                    Let's say a company has 1000 customer passwords, all of which are hashed.



                    Let's say 600 of those customers had a password, 8 characters long, the likelihood of those passwords being cracked within the first 5 minutes (being generous) is very high.



                    "5 minutes?! But they were hashed!"....



                    Yeah, but the passwords of those 600 customers were still poor, along with an equally poor hashing algorithm.



                    Without going into too much detail in the interest of simplifying the explanation; password cracking works by simply matching the hash to a dictionary file of words, running through each word to see if their hash matches the ones that have been obtained from those 600 customers, for example, your password might be:



                    Password: Security



                    MD5 Hashed: 2FAE32629D4EF4FC6341F1751B405E45



                    I then just run some favorable hacking tools against those hashes to "crack" them.



                    Should you ever want to store passwords yourself, MD5 should be avoided, above was purely for example purposes. Instead research the more stronger types of hashing algorithms, it makes it much harder for attackers to successfully make use of the passwords they have stolen.



                    Edit



                    After re-reading the title you do indeed specify "How are passwords stolen if they only store hashes"



                    The short answer; hashing, or whatever format you store your passwords has no effect on the ability for hackers to steal these. They are stolen because of a variety of different vulnerabilities. There are a multitude of attacks in which help obtain passwords (hashed or not).







                    share|improve this answer










                    New contributor




                    Tipping44 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                    Check out our Code of Conduct.









                    share|improve this answer



                    share|improve this answer








                    edited 2 hours ago





















                    New contributor




                    Tipping44 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                    Check out our Code of Conduct.









                    answered 2 hours ago









                    Tipping44Tipping44

                    412




                    412




                    New contributor




                    Tipping44 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                    Check out our Code of Conduct.





                    New contributor





                    Tipping44 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                    Check out our Code of Conduct.






                    Tipping44 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                    Check out our Code of Conduct.





















                        1














                        You hash a large number of passwords, then check if the output matches any of the stored hashes. Brute force cracking is feasible because people do not usually choose highly unpredictable passwords.



                        When a password database is stolen, the stolen material includes all the information necessary to do offline cracking. (It's simply a guess and check process. Other methods may be available with less secure hashing or password storage methods.)




                        Hashing passwords with a preimage resistant functions with a sufficiently unpredictable input is enough to make it impossible recover a password. (An inhumanly strong password.)



                        However, most people don't do this in the real world, a stolen database of hashes is potentially as worrying as a list of unhashed passwords for a large subset of users on a typical website.



                        If the password cracker finds candidate password whose hash matches the one stored in the database, then he will have recovered the original (weak) password.




                        Alternatively, if a hash function is not preimage resistant (including when the output of the hash is too short) a guess-and-check procedure may produce false positives. (Alternative passwords not identical to the original.)



                        The accounts of users from the company with the data breach are still vulnerable because these passwords will unlock a user's account, even if they aren't identical to the original password. (The server has no way to tell if it's the original password. The hash still matches the one in the stolen database in this case.)



                        Don't intentionally use an insecure hash function, of course... It's still possible to infer the original password or narrow down the number of possibilities. Which would still make users that reuse passwords on other websites extra vulnerable.






                        share|improve this answer





























                          1














                          You hash a large number of passwords, then check if the output matches any of the stored hashes. Brute force cracking is feasible because people do not usually choose highly unpredictable passwords.



                          When a password database is stolen, the stolen material includes all the information necessary to do offline cracking. (It's simply a guess and check process. Other methods may be available with less secure hashing or password storage methods.)




                          Hashing passwords with a preimage resistant functions with a sufficiently unpredictable input is enough to make it impossible recover a password. (An inhumanly strong password.)



                          However, most people don't do this in the real world, a stolen database of hashes is potentially as worrying as a list of unhashed passwords for a large subset of users on a typical website.



                          If the password cracker finds candidate password whose hash matches the one stored in the database, then he will have recovered the original (weak) password.




                          Alternatively, if a hash function is not preimage resistant (including when the output of the hash is too short) a guess-and-check procedure may produce false positives. (Alternative passwords not identical to the original.)



                          The accounts of users from the company with the data breach are still vulnerable because these passwords will unlock a user's account, even if they aren't identical to the original password. (The server has no way to tell if it's the original password. The hash still matches the one in the stolen database in this case.)



                          Don't intentionally use an insecure hash function, of course... It's still possible to infer the original password or narrow down the number of possibilities. Which would still make users that reuse passwords on other websites extra vulnerable.






                          share|improve this answer



























                            1












                            1








                            1







                            You hash a large number of passwords, then check if the output matches any of the stored hashes. Brute force cracking is feasible because people do not usually choose highly unpredictable passwords.



                            When a password database is stolen, the stolen material includes all the information necessary to do offline cracking. (It's simply a guess and check process. Other methods may be available with less secure hashing or password storage methods.)




                            Hashing passwords with a preimage resistant functions with a sufficiently unpredictable input is enough to make it impossible recover a password. (An inhumanly strong password.)



                            However, most people don't do this in the real world, a stolen database of hashes is potentially as worrying as a list of unhashed passwords for a large subset of users on a typical website.



                            If the password cracker finds candidate password whose hash matches the one stored in the database, then he will have recovered the original (weak) password.




                            Alternatively, if a hash function is not preimage resistant (including when the output of the hash is too short) a guess-and-check procedure may produce false positives. (Alternative passwords not identical to the original.)



                            The accounts of users from the company with the data breach are still vulnerable because these passwords will unlock a user's account, even if they aren't identical to the original password. (The server has no way to tell if it's the original password. The hash still matches the one in the stolen database in this case.)



                            Don't intentionally use an insecure hash function, of course... It's still possible to infer the original password or narrow down the number of possibilities. Which would still make users that reuse passwords on other websites extra vulnerable.






                            share|improve this answer















                            You hash a large number of passwords, then check if the output matches any of the stored hashes. Brute force cracking is feasible because people do not usually choose highly unpredictable passwords.



                            When a password database is stolen, the stolen material includes all the information necessary to do offline cracking. (It's simply a guess and check process. Other methods may be available with less secure hashing or password storage methods.)




                            Hashing passwords with a preimage resistant functions with a sufficiently unpredictable input is enough to make it impossible recover a password. (An inhumanly strong password.)



                            However, most people don't do this in the real world, a stolen database of hashes is potentially as worrying as a list of unhashed passwords for a large subset of users on a typical website.



                            If the password cracker finds candidate password whose hash matches the one stored in the database, then he will have recovered the original (weak) password.




                            Alternatively, if a hash function is not preimage resistant (including when the output of the hash is too short) a guess-and-check procedure may produce false positives. (Alternative passwords not identical to the original.)



                            The accounts of users from the company with the data breach are still vulnerable because these passwords will unlock a user's account, even if they aren't identical to the original password. (The server has no way to tell if it's the original password. The hash still matches the one in the stolen database in this case.)



                            Don't intentionally use an insecure hash function, of course... It's still possible to infer the original password or narrow down the number of possibilities. Which would still make users that reuse passwords on other websites extra vulnerable.







                            share|improve this answer














                            share|improve this answer



                            share|improve this answer








                            edited 1 hour ago

























                            answered 1 hour ago









                            Future SecurityFuture Security

                            759211




                            759211




















                                W2a is a new contributor. Be nice, and check out our Code of Conduct.









                                draft saved

                                draft discarded


















                                W2a is a new contributor. Be nice, and check out our Code of Conduct.












                                W2a is a new contributor. Be nice, and check out our Code of Conduct.











                                W2a is a new contributor. Be nice, and check out our Code of Conduct.














                                Thanks for contributing an answer to Information Security Stack Exchange!


                                • Please be sure to answer the question. Provide details and share your research!

                                But avoid


                                • Asking for help, clarification, or responding to other answers.

                                • Making statements based on opinion; back them up with references or personal experience.

                                To learn more, see our tips on writing great answers.




                                draft saved


                                draft discarded














                                StackExchange.ready(
                                function ()
                                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f205519%2fhow-are-passwords-stolen-from-companies-if-they-only-store-hashes%23new-answer', 'question_page');

                                );

                                Post as a guest















                                Required, but never shown





















































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown

































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown







                                Popular posts from this blog

                                Disable / Remove link to Product Items in Cart Planned maintenance scheduled April 23, 2019 at 23:30 UTC (7:30pm US/Eastern) Announcing the arrival of Valued Associate #679: Cesar Manara Unicorn Meta Zoo #1: Why another podcast?How can I limit products that can be bought / added to cart?Remove item from cartHide “Add to Cart” button if specific products are already in cart“Prettifying” the custom options in cart pageCreate link in cart sidebar to view all added items After limit reachedLink products together in checkout/cartHow to Get product from cart and add it againHide action-edit on cart page if simple productRemoving Cart items - ObserverRemove wishlist items when added to cart

                                Helsingin valtaus Sisällysluettelo Taustaa | Yleistä sotatoimista | Osapuolet | Taistelut Helsingin ympäristössä | Punaisten antautumissuunnitelma | Taistelujen kulku Helsingissä | Valtauksen jälkeen | Tappiot | Muistaminen | Kirjallisuutta | Lähteet | Aiheesta muualla | NavigointivalikkoTeoksen verkkoversioTeoksen verkkoversioGoogle BooksSisällissota Helsingissä päättyi tasan 95 vuotta sittenSaksalaisten ylivoima jyräsi punaisen HelsinginSuomalaiset kuvaavat sotien jälkiä kaupungeissa – katso kuvat ja tarinat tutuilta kulmiltaHelsingin valtaus 90 vuotta sittenSaksalaiset valtasivat HelsinginHyökkäys HelsinkiinHelsingin valtaus 12.–13.4. 1918Saksalaiset käyttivät ihmiskilpiä Helsingin valtauksessa 1918Teoksen verkkoversioTeoksen verkkoversioSaksalaiset hyökkäävät Etelä-SuomeenTaistelut LeppävaarassaSotilaat ja taistelutLeppävaara 1918 huhtikuussa. KapinatarinaHelsingin taistelut 1918Saksalaisten voitonparaati HelsingissäHelsingin valtausta juhlittiinSaksalaisten Helsinki vuonna 1918Helsingin taistelussa kaatuneet valkokaartilaisetHelsinkiin haudatut taisteluissa kaatuneet punaiset12.4.1918 Helsingin valtauksessa saksalaiset apujoukot vapauttavat kaupunginVapaussodan muistomerkkejä Helsingissä ja pääkaupunkiseudullaCrescendo / Vuoden 1918 Kansalaissodan uhrien muistomerkkim

                                Adjektiivitarina Tarinan tekeminen | Esimerkki: ennen | Esimerkki: jälkeen | Navigointivalikko