Interesting. Makes me want to use a PW manager. I guess it would be worth it to take the time to get familiar with Dropbox. I hate to admit how many times I reuse the same password. Anyway, thanks for posting this. It was a long read, but it opened my eyes.
Peace… - Woody
TL;DR: If a website gets its password hashes dumped, all login credentials on that website are hosed.
Well yeah, we already knew that. Salting and hashing your password database is less about making passwords impossible to retrieve and more about delaying the retrieval of the passwords. That way you can alert your users that their login credentials have been compromised and it’s time to replace that compromised password with a new one.
MD5 is a terrible choice for password hashing. MD5 by default is a very fast hashing algorithm and unsalted. Both of those characteristics make it very bad for password hashing, but great for things like checksums where speed is a good thing.
If you use MD5 to hash passwords, you have thoroughly demonstrated that you should be fired.
PW managers are tricky business. They do take care of using a unique password on every service you use for you. That’s great! That protects you from one major piece of fallout from hash dumps. Attackers get a hash dump from one website, crack the hashes, and then use their newly found username/password pairs at other websites that have the same account. If you use the same username and password there, that account has now been compromised.
However, password managers also create a different single point of failure and have a large target on their back. Password managers are not perfect and have been compromised before. Here are a couple of examples:
I would probably never use a PW manager service. I’d rather take the time to use a local password vault app. on my system.
This is probably more a concern for the passwords you save on websites that are badly outdated than it is for cryptographically locked computers, or big major companies like Amazon who I assume pay millions to keep their database secure.
It’s very easy in that exercise for the md5 hash to be turned back into passwords because brute force algorithms can make tens of thousands of guesses within a few seconds. My assumption here is that they take the md5 program, and run sample words, or generated words through it until it finds a match?
Yep, that’s the routine. They use a dictionary of millions of words including known password patterns along with educated guesses to speed things up.
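An added example, not part of any post in this thread: it contrasts the fast, unsalted MD5 scheme criticised above with a salted, deliberately slow hash, using PBKDF2-HMAC-SHA256 from Python's standard library as one possible replacement. The iteration count, the record format and the sample password are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune it to your own hardware


def md5_unsalted(password: str) -> str:
    """The weak scheme from the thread: one fast MD5 pass, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash. Record format (assumed): iterations$salt$digest."""
    salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def seconds_per_hash(fn, password: str, rounds: int) -> float:
    """Average wall-clock cost of one call to fn(password)."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(password)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    # Unsalted: two users with the same password get the same stored value.
    print("md5 records equal:   ", md5_unsalted(pw) == md5_unsalted(pw))
    # Salted: the same password yields a different record each time.
    print("pbkdf2 records equal:", hash_password(pw) == hash_password(pw))
    print("verify correct pw:   ", verify_password(pw, hash_password(pw)))
    fast = seconds_per_hash(md5_unsalted, pw, 1000)
    slow = seconds_per_hash(hash_password, pw, 2)
    print(f"cost per hash: md5 {fast:.2e}s, pbkdf2 {slow:.2e}s")
```

The per-hash cost is what every guess against a dumped database has to pay, which is the delay described earlier in the thread.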