When you have a password stored in a database that has been strongly hashed and
Question
When you have a password stored in a database that has been strongly hashed and salted does it really matter if the underlying user password is weak?
If you set up features like limiting login guessing and use captchas to stop automated guessing, can you effectively make up for a weak password such as "password"?
I guess my question is: does using a password like "password" make the salted hash any weaker than using a longer password such as "fish&*n0d1cTionaRYatt@ck"? Are all salted hashes equally secure, or does it depend upon the password being a good one?
Explanation / Answer
Salted hashes are designed to protect against attackers being able to attack multiple hashes simultaneously or build rainbow tables of pre-calculated hash values. That is all. They do nothing to improve the underlying strength of the password itself, weak or strong.
This also means that they're not designed to defend against online attacks, so they have no impact on an attacker's ability to manipulate your login form, where the salt is irrelevant, because an attacker isn't computing hashes directly, but entering candidate passwords into a form that may be (as you said) rate limited or protected by a captcha.
Weak passwords are weak. Strong passwords are strong. Salts don't affect this equation in any way.
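The two points of the answer side by side, as an added example that is not part of the original post: per-user salt stops identical passwords from producing identical stored values (so one precomputed table no longer covers every user), yet the weak password from the question is matched by the same small guess list in the same number of attempts with or without salt. SHA-256 stands in for a real slow password KDF (bcrypt, scrypt, Argon2) only so the example runs instantly; the users and guess list are constructed.

```python
import hashlib
import os

# Constructed sample passwords (the two from the question).
WEAK = "password"
STRONG = "fish&*n0d1cTionaRYatt@ck"
# A tiny constructed guess list, standing in for a list of common passwords.
GUESSES = ["123456", "qwerty", "password", "letmein"]


def unsalted(pw: str) -> str:
    """Store hash(password) only; same password -> same stored value."""
    return hashlib.sha256(pw.encode()).hexdigest()


def salted(pw: str, salt: bytes) -> str:
    """Store hash(salt || password) with a random per-user salt."""
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def guesses_needed(target: str, hasher) -> int:
    """How many candidates had to be hashed before `target` matched, or -1 if none did."""
    for i, guess in enumerate(GUESSES, 1):
        if hasher(guess) == target:
            return i
    return -1


def demo() -> dict:
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    # Two users who both chose the weak password.
    unsalted_a, unsalted_b = unsalted(WEAK), unsalted(WEAK)
    salted_a, salted_b = salted(WEAK, salt_a), salted(WEAK, salt_b)
    return {
        # Without salt, identical passwords give identical stored values: one
        # precomputed table (or one matching guess) covers every such user.
        "unsalted_hashes_collide": unsalted_a == unsalted_b,
        # With per-user salt the stored values differ, so each user must be
        # handled separately and a precomputed table is useless.
        "salted_hashes_collide": salted_a == salted_b,
        # ...but the weak password matches at the same guess count either way.
        "weak_unsalted_guess": guesses_needed(unsalted_a, unsalted),
        "weak_salted_guess": guesses_needed(salted_a, lambda g: salted(g, salt_a)),
        # The strong password is simply not in the list under either scheme.
        "strong_salted_guess": guesses_needed(salted(STRONG, salt_a),
                                              lambda g: salted(g, salt_a)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```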