I'm having a friendly debate with someone who thinks that a website can safely
Question
I'm having a friendly debate with someone who thinks that a website can safely make public sensitive data about its users as long as that data is hashed (don't ask why, it's a long and hypothetical story). My position is that this opens the data up to brute-force attacks at least and that no hash is truly unbreakable given enough time and resource, therefore even hashed data should be protected and kept private. Who's (more) right? Can private data safely be made visible in public as long as it is hashed, or not?
Explanation / Answer
If you're hashing arbitrary data, there's no easy way to reconstruct it, since it doesn't have a predictable pre-hashing size. The reason password hashes that aren't salted are dangerous when leaked is because you're dealing with a very constrained set of possibilities. Without a salt, the password of "password" will always result in the same hash. This allows an attacker to start with common passwords and see if there are any matches, which there often are. If you take data of an arbitrary size and hash it, you can't reasonably guess what its original content was. Imagine taking a 1 megabyte file and reducing it to a 16 byte MD5 hash. Without any other information about the data, there is no realistic way to turn that hash back into the original information.
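The contrast drawn in the answer, as an added example that is not part of the original answer: an audit that checks which published hashes fall to a short guess list. The guess list, the user values and all function names are constructed for illustration; the last check assumes the salt is published next to the hash.

```python
import hashlib
import secrets

# Constructed guess list standing in for a "common passwords" dictionary.
COMMON_GUESSES = ["123456", "password", "qwerty", "letmein"]

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def salted_sha256_hex(salt: bytes, data: bytes) -> str:
    return hashlib.sha256(salt + data).hexdigest()

def match_guesses(published, guesses, hash_fn):
    """Return {hash: guess} for every published hash that a guess reproduces."""
    table = {hash_fn(g.encode()): g for g in guesses}
    return {h: table[h] for h in published if h in table}

def audit():
    # Two users (constructed) who chose the same weak password, hashed unsalted.
    alice = md5_hex(b"password")
    bob = md5_hex(b"password")
    # 1 MB of random bytes: the "arbitrary data" case from the answer.
    blob = md5_hex(secrets.token_bytes(1024 * 1024))
    unsalted_hits = match_guesses([alice, bob, blob], COMMON_GUESSES, md5_hex)

    # Per-user random salts: the same password no longer yields the same hash.
    salt_a, salt_b = secrets.token_bytes(16), secrets.token_bytes(16)
    alice_s = salted_sha256_hex(salt_a, b"password")
    bob_s = salted_sha256_hex(salt_b, b"password")
    # A table built with Alice's salt matches her record only. If the salt is
    # published with the hash, guessing still works one record at a time.
    known_salt_hits = match_guesses(
        [alice_s, bob_s], COMMON_GUESSES,
        lambda d: salted_sha256_hex(salt_a, d))

    return {
        "identical_unsalted": alice == bob,
        "unsalted_hits": unsalted_hits,
        "blob_recovered": blob in unsalted_hits,
        "salted_distinct": alice_s != bob_s,
        "known_salt_hits": known_salt_hits,
    }

if __name__ == "__main__":
    for name, value in audit().items():
        print(name, value)
```

The deciding factor is how many candidate inputs exist, not the hash function: values drawn from a small set stay guessable after hashing, and a salt only removes the shared lookup table.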