Today I discovered something incredibly stupid - my friend hashes user passwords

Question

Today I discovered something incredibly stupid - my friend hashes user passwords with sha512 algorithm without a salt. I immediately raised this issue to him but he said he wants to see anyone crack a single password in his database. I told him that without a hash his database is vulnerable to rainbow attack but he said no one had this large rainbow table for sha512 as each has is 64 hex characters long.

How do I convince him that he still needs to add salt? Does anyone know what the hash cracking rate of sha512 is? I could argue then that it would take this much or that much time to crack all 8 char passwords, etc.

Explanation / Answer

He may be technically correct, but it is still bad design.

His approach will mean that duplicate passwords will generate the same hash, which can reduce an attacker's cost (if he finds out a plain text password from one user and is also able to get the password hashes, he can see which accounts use the same password).

His approach is also dependent on the current state of the art of generating hashes. By adding a salt, he 'future-proofs' (I hate that term) his design.

Related Questions

Navigate

• Browse (All)
• Browse T
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.