28 lines
1.4 KiB
Plaintext
28 lines
1.4 KiB
Plaintext
=== What is the potential impact?
|
|
|
|
Despite best efforts, even well-guarded systems might have vulnerabilities that
|
|
could allow an attacker to gain access to the hashed passwords. This could be
|
|
due to software vulnerabilities, insider threats, or even successful phishing
|
|
attempts that give attackers the access they need.
|
|
|
|
Once the attacker has these hashes, they will likely attempt to crack them using
|
|
a couple of methods. One is brute force, which entails trying every
|
|
possible combination until the correct password is found. While this can be
|
|
time-consuming, having the same salt for all users or a short salt can make the
|
|
task significantly easier and faster.
|
|
|
|
If multiple users have the same password and the same salt, their password
|
|
hashes would be identical. This means that if an attacker successfully cracks
|
|
one hash, they have effectively cracked all identical ones, granting them access
|
|
to multiple accounts at once.
|
|
|
|
A short salt, while less critical than a shared one, still increases the odds of
|
|
different users having the same salt. This might create clusters of password
|
|
hashes with identical salt that can then be attacked as explained before.
|
|
|
|
With short salts, the probability of a collision between two users' passwords
|
|
and salts couple might be low depending on the salt size. The shorter the salt,
|
|
the higher the collision probability. In any case, using longer,
|
|
cryptographically secure salt should be preferred.
|
|
|