
Welcome to Information Security Stack Exchange


Information Security Stack Exchange is a question and answer site for information security professionals. It's built and run by you as part of the Stack Exchange network of Q&A sites. With your help, we're working together to build a library of detailed answers to every question about Information security.

We're a little bit different from other sites. Here's how:


Ask questions, get answers, no distractions

This site is all about getting answers. It's not a discussion forum. There's no chit-chat.

Just questions...

...and answers.

Good answers are voted up and rise to the top.

The best answers show up first so that they are always easy to find.

The person who asked can mark one answer as "accepted".

Accepting doesn't mean it's the best answer, it just means that it worked for the person who asked.

What could an attacker do if they gained access to PBKDF2 hashes?

14

This is regarding a web application where a user has to login with their personal email as the ID, and a password they have chosen personally.

If an attacker somehow gained access to a credential store with a list of all the PBKDF2 hashes with the email addresses, to what extent could this be used maliciously?

2 Answers

4

The attacker would have to crack the hashes in order to obtain the original passwords. Since PBKDF2 does multiple iterations of the same hash function, the act of cracking them would be significantly slower. The end result is that even weaker passwords are less likely to be revealed, leading to a significantly lower percentage of successfully cracked passwords in the credential list.

3

Assuming the attacker got the salts as well as the hashes, they could run a list of known previously used passwords against the list of hashes and get the passwords of most of the users, since the majority of users use passwords whose plain text has already been compromised somewhere. They couldn’t recover long well-chosen passwords that have never been used before.
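The two answers above hinge on three properties of a PBKDF2 credential store: the per-user salt, the iteration count that makes each guess expensive, and the fact that a password already present in a breach corpus is recovered regardless of the work factor. The following added example (not code from either answer) shows all three from the defender's side, using Python's standard `hashlib.pbkdf2_hmac`; the iteration count, salt size and the small "compromised password" list are constructed assumptions, not values from the posts.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Assumed parameters for this illustration (not from the original posts):
# PBKDF2-HMAC-SHA256, 16-byte random salt per user, 100k iterations.
ITERATIONS = 100_000
SALT_BYTES = 16

# Constructed stand-in for the hundreds-of-millions-entry breach corpora
# the second answer refers to.
KNOWN_COMPROMISED = {"password", "123456", "qwerty", "letmein", "iloveyou"}


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Derive a PBKDF2-HMAC-SHA256 hash under a fresh per-user salt.

    Because every user gets a different salt, an attacker cannot compute a
    candidate password once and compare it against the whole credential
    list; the full iteration cost is paid per candidate per user.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt/iterations; compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def is_compromised(password: str, breach_list=KNOWN_COMPROMISED) -> bool:
    """Registration-time check: refuse passwords a leaked corpus already
    contains, since those are exactly the ones a wordlist run over stolen
    hashes recovers no matter how high the iteration count is."""
    return password in breach_list


def guess_cost_ratio(low: int, high: int) -> float:
    """How much longer one guess takes at `high` vs `low` iterations."""
    salt = b"\x00" * SALT_BYTES
    def one_guess(n: int) -> float:
        start = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"sample", salt, n)
        return time.perf_counter() - start
    return one_guess(high) / one_guess(low)
```

Raising the iteration count multiplies the cost of every offline guess, but only the breached-password check stops the most common failure the second answer describes.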


Get answers to practical, detailed questions

Focus on questions about an actual problem you have faced. Include details about what you have tried and exactly what you are trying to do.

Ask about...

  • Specific issues regarding the protection of assets from threats and vulnerabilities
  • Real problems or questions that you’ve encountered

Not all questions work well in our format. Avoid questions that are primarily opinion-based, or that are likely to generate discussion rather than answers.

Questions that need improvement may be closed until someone fixes them.

Don't ask about...

  • Anything not directly related to Information security
  • Questions that are primarily opinion-based
  • Questions with too many possible answers or that would require an extremely long answer

Tags make it easy to find interesting questions

All questions are tagged with their subject areas. Each can have up to 5 tags, since a question might be related to several subjects.

Click any tag to see a list of questions with that tag, or go to the tag list to browse for topics that interest you.



You earn reputation when people vote on your posts

Your reputation score goes up when others vote up your questions, answers and edits.

+10 question voted up
+10 answer voted up
+15 answer is accepted
+2 edit approved

As you earn reputation, you'll unlock new privileges like the ability to vote, comment, and even edit other people's posts.

Reputation   Privilege
15           Vote up
50           Leave comments
125          Vote down (costs 1 rep on answers)

At the highest levels, you'll have access to special moderation tools. You'll be able to work alongside our community moderators to keep the site focused and helpful.

Reputation   Privilege
2000         Edit other people's posts
3000         Vote to close, reopen, or migrate questions
10000        Access to moderation tools

Improve posts by editing or commenting

Our goal is to have the best answers to every question, so if you see questions or answers that can be improved, you can edit them.

Use edits to fix mistakes, improve formatting, or clarify the meaning of a post.

Use comments to ask for more information or clarify a question or answer.

You can always comment on your own questions and answers. Once you earn 50 reputation, you can comment on anybody's post.

Remember: we're all here to learn, so be friendly and helpful!

9

The attacker would have to crack the hashes in order to obtain the original passwords. Since PBKDF2 does multiple iterations of the same hash function, the act of cracking them would be significantly slower. The end result is that even weaker passwords are less likely to be revealed, leading to a significantly lower percentage of successfully cracked passwords in the credential list.


Lists of hundreds of millions of previously-compromised passwords are freely available, and it’s perfectly feasible to run the whole of such a list against a few thousand leaked hashes. Experience shows that this will reveal 80% to 90% of all passwords. troyhunt.com/86-of-passwords-are-terrible-and-other-statistics - Mike Scott Sep 10, 2018 at 8:54



Unlock badges for special achievements

Badges are special achievements you earn for participating on the site. They come in three levels: bronze, silver, and gold.

In fact, you can earn a badge just for reading this page:

Informed: Read the entire tour page
Student: First question with score of 1 or more
Editor: First edit
Good Answer: Answer score of 25 or more
Civic Duty: Vote 300 or more times
Famous Question: Question with 10,000 views



Sign up to get started

Signing up allows you to:

  • Earn reputation when you help others with questions, answers and edits.
  • Select favorite tags to customize your home page.
  • Claim your first badge: Informed

Looking for more in-depth information on the site? Visit the Help Center

Information Security Stack Exchange is part of the Stack Exchange network

Like this site? Stack Exchange is a network of 182 Q&A sites just like it. Check out the full list of sites.
