Avatar of Alfahane
Alfahane asked on

How secure is password Hashing vs password Encryption if the password is quite weak

What is the actual difference in security between storing password hash and storing encrypted password? Say that you use SHA-512 in both cases and the password is 8 characters long.
This question regards one single password where adding salt to it would make no difference (or would it?)

My main issues is the fact that the weakness in the passwords themselves (too short and/or too simple) often pose the biggest risk. Are hashes harder for hackers to manage? Do they require more CPU?

I get the feeling that many of the discussions about hashing supposes that the passwords are strong. But in real life password are often weak and hashes might not always be as secure as they might seem in theory.

Maybe I'm thinking all wrong.
Encryption

Avatar of undefined
Last Comment
Dave Howe

8/22/2022 - Mon
PowerIT

In general, passwords stored in reversible encryption are considered much less secure then passwords stored as a hash.
The risk with reversible encryption is that once you get hold of the encryption key - which has to be stored somewhere ... - you have access to all the passwords.
This is not the case with a hash.
Also, salting helps against attacks against hashes using rainbow tables. Without salts, it's rather easy to find the password using a precalculated lookup table (rainbow tables), especially for short passwords. With salts, rainbow tables are almost impossible to produce, because of the increased length of the passwords and also because of the randomization.
Calculating rainbow tables is not that hard, but it becomes extremely time consuming and storage consuming for longer passwords and certainly with the random part. Currently, for passwords using complexity rules and with a length of 8 characters it is not feasable. E.g. calculating the LM rainbow table of 7 chars, all caps, all nums and all special signs is already 64GB and calculation can take up to two years. And it gets exponentially harder if you add just one character or also lower chars.
Also, you gave the best possible example: SHA-512 (part of the SHA-2 family) currently has no rainbowtables. So just don't use hashes where tables are readily availble, or else: plenty of salt ;-)

See:
http://en.wikipedia.org/wiki/Rainbow_table
http://www.ethicalhacker.net/content/view/94/24/

kr, J.
ASKER CERTIFIED SOLUTION
Dave Howe

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck