hashing – Why do sites store user data all in one user table? Why not separate with salted and hashed unique keys?

Say I’m a Big Company with a bunch of user data, including usernames, email addresses, and salted and hashed passwords. I recognize that I’m susceptible to attack in some way shape or form, despite everything that I’ve done to try to prevent an attacker from gaining access (phishing is stupidly effective, after all).

Suppose I want to separate a hacker from getting to more data. Would it not make more sense for me to set up one table with user data consisting of a unique identifier, their salted and hashed password, and any other relevant data, then create another table of email addresses that has two columns; the email address, and a unique key. However, that unique key is based on a salted and hashed version of the unique key from the original users table that can be replicated (assuming you know the salt and the algorithm used.)

Now, assuming someone enters maliciously, they will have to determine two sets of salts and hashes– one to decrypt the password, and one to decrypt which email address is associated with that username and password. Gaining the email addresses is still valuable for stuff like spam mail, but it’s now double the effort if someone wants to figure out how to log in as a user. This obviously is n

hash – Sending and blocking emails from hashed and salted address ? (for GDPR)

I would like to send emails from server, but also made them unable to trace for me as server owner or attackers. I want this for GDPR but also to protect people from abusers.

Short info about service: I am provider of service as person, not company, emails will be tied to product (invites and service content) with 0 marketing, there will be rate limits preventing spamming, emails will be triggered only by real users, users wont be able to send just any email, but rather use specific templates, nonusers will be recieving emails too (invites).

Will it be enought to just store emails hashed and salted with one system wide salt value? My main concern are mostly nonusers as I cant have their consent before emailing them. So I could provide them way to block abuser or all emails from my server with just storing hashed and salted email and comparing every request to send email against it.

Another problem is, how can I prove, that some user gaved me consent to recieve past emails? Is stored hashed and salted value enough?

Do you know how other big services like Gmail, Mailgun, etc solved this?

Thank you very much for any help or suggestions

Break salted passwords. How many seconds do we need? [closed]

I have the following question to which I know the answer is 2 years, but I cannot figure out why.
Any help is appreciated.

Consider the security of a password file, which includes a 10 bit salt and all passwords are hashed, but known to consist of exactly 8
characters from the following alphabet:

  • lowercase letters (‘a’ to
    ‘z’)
  • uppercase letters (‘A’ to ‘Z’)
  • digits (‘0’ to ‘9’)
  • special characters (‘.’, ‘-‘, ‘_’, ‘+’, ‘<‘, ‘>’, ‘=’, ‘@’)

Assume that a password cracking system, which is able to check 12
billion (10^12) guesses per second and is able to run around the clock
all year, is used to crack the password file. Which of the following
worst case estimates for cracking the password file is most accurate?

encryption – Encrypting salted password hash before storing in the database

I have read here, that instead of using pepper, it is better to encrypt hashed/salted passwords before storing in the database. Especially with Java, as there’s no library for salt/pepper, but just for salt hashing, and I’m not going to implement my own crypto in any way. Have two questions about it:

  1. Is it true? Will it add security, if db server is on the another physical computer, and encryption keys are sored on the app server’s fs?
  2. If so, is it ok to use RSA for hash encryption?
  3. To check password in this case, is it better to read encrypted password from the DB, decrypt it, and then compare it to the hashed/salted one entered by user, or encrypt entered hashed/salted password and then compare with the encrypted value in the database? In this case, will it be the same as using another hash, as encrypted hash is never decrypted?

Thank you

passwords – Use John to crack salted SHA2-512 hash

SHA2-512 hash:
3a1be46a798dce0d880f633ce195b676839a0ce344c917a7ea1270816dcb649ce1e2b811b56fe93c9d3c4e679151180129ee9483ea39bff4d4578c4be6c77e1f

salt:
6806f2c34231eceddf156a42d3c26a2b5219ee9d55f5e3c9aea534167

The password result should be “admin”. But assume you don’t know, you only know the password may be involved in the Kali password list.

How to crack the password using john? Whats the format to store hash & slat in hash.txt that processed by John?

Passwords – Write a simple SHA256 Salted Hash Generator

I saw a video that describes how to write a simple salted hash program in C #. Here.

Below is the code they wrote (easily edited for console applications):

using System;
using System.Text;
using System.Security.Cryptography;

namespace MyApplication
{
    class Program
    {
        const int SALT_SIZE = 10;

        static void Main(string() args)
        {                                
            string salt = CreateSalt();
            string password = "securePassword";
            string hashedPassword = GenerateSHA256Hash(password, salt);

            Console.WriteLine("salt: " + salt);
            Console.WriteLine("hashedPassword: " + hashedPassword);                                   
        }

        private static string CreateSalt()
        {
            var rng = new RNGCryptoServiceProvider();
            var buffer = new byte(SALT_SIZE);
            rng.GetBytes(buffer);

            return Convert.ToBase64String(buffer);
        }

        private static string GenerateSHA256Hash(string input, string salt)
        {
            byte() bytes = Encoding.UTF8.GetBytes(input + salt);
            var hashManager = new SHA256Managed();
            byte() hash = hashManager.ComputeHash(bytes);

            return ByteArrayToHexString(hash);
        }

        private static string ByteArrayToHexString(byte() bytes)
        {
            StringBuilder sb = new StringBuilder(bytes.Length * 2);

            foreach (byte b in bytes)
                sb.AppendFormat("{0:x2}", b);

            return sb.ToString();
        }
    }
}

From what I've read online, salted hashes are one of the safest ways to save passwords.

However, I have a few questions:

  1. I have read that hashing a salted password is not enough. You have to go through it thousands of times to make it difficult for the attackers to brutally force them.

Would it be safer to do something like this and what would be a good number of times to repeat the hashing?

var hash = hashManager.ComputeHash(bytes);

for (int i = 0; i < 10000; i++)
    hash = hashManager.ComputeHash(hash);

I also read that you need to include the salt when you warm up, but I don't understand how to add it properly.

  1. For the salt Buffer size, is 10 a good number to use or would a higher / lower number be safer (e.g. 16)?

  2. I take this with a grain of salt, but I've read that SHA256 is no longer a safe choice because it is too fast, which means that raw forces can be done faster.

This means that fast algorithms like SHA are out of date and have to be replaced by slower ones like bcrypt?

  1. I'm assuming that hex strings are a safe way to store salted hashes. Is that correct?

  2. After applying all the changes from the above questions (if any), would the code above be safe enough to be used in a production environment?

Hash – Add extra rounds to existing salted SHA-512 hashes without knowing the plain text password?

Suppose you have a salted SHA-512 password hash of 5000 rounds. For example:

{CRYPT} $ 6 $ rounds = 5000 $ 6835c5dcf0bb7310 $ hVod / jy7uONMSa.FVpLHb / 2OrWpAj3lB / .RWdvgd3YaQAnzN3rorGhaziswwwGsHfOWZYkLwXhHKnCnCnCy5
  • Could you add more rounds to this hash password (for example, another 5,000 rounds) without knowing the plain text password, so that the hash value would still be valid if a user's plaintext password is verified?

  • If this is possible, as I see fit, are there any tools or code that will allow you to "add more rounds" to this hash?

Btw. The clear text password for the above hash is "password", but it is assumed that this is not known.

Salted sha256 hash hashcat

I have a hash that was generated by concatenating a password with a salt, and then the hashing was repeated 10000 times.

The description for salted sha256 in the issue of hashcat -h is

1410 | sha256 ($ pass. $ salt) | Raw hash, salted and / or iterated

However, I could not find examples online of how the number of iterations for iterated salted sha256 was specified. Is this possible with hashcat? If so, how would I specify the command-line options for hashcat?