Collaborate Disseminate
I only store password hashes in the database and use them to verify the password entered by the user. As far as I know, reversing a hash is impractical. So even if I have the password hash, I can only compare it with other hashes, not calc… Continue reading Why is it a problem when password hashes are leaked?
I’m currently using PostgreSQL with the pgcrypto extension to store and verify user passwords. When a user logs in, I compare the entered password with the stored hash using the following query:
SELECT id FROM users
WHERE email = ‘example… Continue reading Is using `crypt` in PostgreSQL for password comparison secure against timing attacks?
There is a bug bounty website, I can download any file uploaded on it, including files of other users. However, I need to know the md5 hash of a file to download it.
The uploaded files can be any type: images, pdf, video, audio, doc, etc.
… Continue reading Can we reduce the search space for viable MD5 hashes?
There is a bug bounty website, I can download any file uploaded on it, including files of other users. However, I need to know the md5 hash of a file to download it.
The uploaded files can be any type: images, pdf, video, audio, doc, etc.
… Continue reading Can we reduce the search space for viable MD5 hashes?
I did find some information online stating that LM hashes were deactivated by default since Vista / Windows Server 2008.
But when were NT hashes introduced for the first time?
(Also, do we have a primary source for this?)
Continue reading When did Windows switch to NT hashes? [closed]
At $work we need to store a sensitive attribute of a user (say SSN – so, short and with a small keyspace) and look up the user based on this attribute when data is submitted into our system. We cannot use off-the-shelf bcrypt/scrypt/etc. b… Continue reading How can I securely store a sensitive user attribute used for account lookup?
Trying to crack a hash that’s 8 numeric characters. But am confused on how to create the wordlist for the program to try all the passwords containing only numbers. Can anyone point me in right direction?
My application requires users to connect via different protocol that each have different auth flows and hash requirements, in particular Argon2 and SHA-256 (for SCRAM-SHA-256).
To allow both types of authentication at the same time I would… Continue reading Storing multiple hashes of the same password
I’m writing my own networking layer for my video games startup and am using TCP for connection/authentication. I wanted to know how safe my authentication scheme was and what I could do to improve it.
Our apps aren’t web, and they run most… Continue reading What’s wrong with my app authentication scheme?
Hacking — at least the kind where you’re breaking into stuff — is very much a learn-by-doing skill. There’s simply no substitute for getting your hands dirty and just trying …read more Continue reading Hacking an IoT Camera Reveals Hard-Coded Root Password