I've understood that the following steps are taken when I log in to a site: 1.
Question
I've understood that the following steps are taken when I log in to a site:
1. My password is hashed.
2. The hash is compared to what's stored in the database.
3. If the hashes are equal, I can log in.
I'm also quite certain that if attackers gain access to the password database, they can use brute force to find the clear-text passwords if the hashing algorithm is weak enough.
My question is, is there any way for an attacker to bypass step 1 above? I.e. if he/she has gained access to a list of hashed passwords, can the hacker present that hash to the server, thus circumventing the hashing step?
Explanation / Answer
This is generally called a 'pass-the-hash' attack.
If the authenticating party performs the hashing itself and sends the hash over the wire, then the system is likely susceptible to this attack.
Most web applications don't do this, though. They instead send the password and the server does the hashing, so there's no way to send the hash directly.