Why reset passwords for salted hash leaks?

4 points by rifung 4 years ago | 3 comments

I noticed that after the recent Twitch leak people suggested changing passwords for both Twitch and other sites where you use the same password.

I feel like I'm missing something obvious but given that they only stored a salted hash, how can hackers get your password? My understanding is that using a salted hash should prevent them from using either a rainbow table or dictionary attack.

LinuxBender 4 years ago |

Assuming salts are not reused they negate rainbow tables but you can still crack the passwords it just takes much longer as you have to crack each one individually [1]. This can be done faster by renting hashcat farms or spending a lot of money on hashcat rigs yourself. Not all hashes may be salted correctly. [2]

[1] - https://stackoverflow.com/questions/6776050/how-long-to-brut...

[2] - https://hashcat.net/forum/thread-4429.html

DevopsTux 4 years ago |

Because no hash is eternal and it is only a matter of time between it being leaked and it being cracked. How long depends on a lot of stuff (technology, implementation, password quality and, overall, the value of the account).

Salting, specifically only has one function: making rainbow tables useless and difficulting hash analisys, it is the deffinition of buying you time and making the attacker think twice by requiring more resources (ideally enough that it;s not worth trying)

So, if you know that your users creds are compromised, the only logical answer is to reset them. What you did when hashing is buying time. The difference is that if you bought enough there is little change of incidents from the leak. If you didn't it may get messy. And will.

Matthias1 4 years ago |

People are being cautious, that's all. It's easier to brute-force a password with a hash and a salt than it is to do without them.

People were saying "reset your password" as soon as they saw they saw the headline "Twitch Leak." Which is perfectly fair and probably good advice.

That being said, I haven't even seen it confirmed that the leak contained passwords or user data.

Edit: Twitch says "At this time, we have no indication that login credentials have been exposed." https://blog.twitch.tv/en/2021/10/06/updates-on-the-twitch-s...