Welcome to the Treehouse Community
Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.
Looking to learn something new?
Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.
Start your free trialRemi Vledder
14,144 PointsIf someone has your hashed password, can they access your account?
In the video the process of hashing and salt is explained.
It's explained that hashing is a one-way process and its goal is to verify that a piece of data hasn't been altered.
So what happens in the form subscription, is that the password is hashed and then send to the database. Then, each time the user logs in, the password filled in on the login form is also hashed and then that hash is compared to the existing hash in the database.
Pretty silly question, but: Does someone with that hash always have access to your account?
i.e. Is it possible for someone with access to the database to use that hash and login on the front-end using the same form page to login? (or an alteration of the form page in that manner)
But also: if the database is hacked, would it then mean that the hacker would have immediate access with that hash to your account as well?
Or is there some sort of security that you cannot do a POST request to the server with a (pre-)hashed input?
2 Answers
Jesus Mendoza
23,289 PointsHey Rami.
That's the sole purpose of hashing your passwords, to protect them.
Typically when you hash a password you use a secret phrase
somewhere safe, a salt
which are some random bits and the plain password
, to create a complex hash. If someone hacked your database and gained access to all the hashed passwords, they would still need to know the secret phrase
and the random bits
used to hash the password to decode them and gain access.
Remi Vledder
14,144 PointsI guess hashing and salting is more that the password is unique to your website?
So if a hacker get's access to your site's database, they will only have the single (hashed AND 'salted') instance of a users password. And will be able to login on the site. But they won't have the un-hashed' password that the user might also use on other sites.
Remi Vledder
14,144 PointsRemi Vledder
14,144 PointsThanks for your reply (and patience).
Decoding is never done in hashes right? That is something that is done in encrypting and decrypting. Where encrypting is more about protecting data in transit, and hashing is done to verify it hasn't been altered.
Since the salt and plain password make up the hash, why is it necessary for the hacker to also know the random bits once they already have the hash? (hacker sends hash via login form === database hash)