
Slack news

Slack’s security advisory doesn’t explain the breach very clearly, saying merely that “this hashed password was not visible to any Slack clients; discovering it required actively monitoring encrypted network traffic coming from Slack’s servers.”

We’re guessing that this translates as follows:

“Most recipients wouldn’t have noticed that the data they received included any hashed password information, because that information, although included in the network packets sent, was never deliberately displayed to them. And because the data was sent over a TLS connection, eavesdroppers wouldn’t have been able to sniff it out along the way, because it wouldn’t get decrypted until it reached the other end of the connection.”

But network packets often include data that’s never normally used or seen by recipients. HTTP headers are a good example of this, given that they’re meant to be instructions to your browser, not data for display in the web page you’re looking at.

And data that’s irrelevant or invisible to users often ends up in logs anyway, especially in firewall logs, where it could be preserved indefinitely.

Salt, hash and stretch…

According to Slack, the leaked data was not merely hashed, but salted too, meaning that each user’s password was first mixed together with random data unique to that user before the hash function was applied.

Hashes are essentially “non-reversible” mathematical functions that are easy to calculate in one direction, but not in the other.

For example, it’s easy to calculate that:

SHA256("DUCK") = 7FB376…DEAD4B3AF008

But the only way to work “backwards” from 7FB376…DEAD4B3AF008 to DUCK is to work forwards from every possible word in the dictionary and see if any of them come out with the value you’re trying to match.

And by including a per-user salt, which doesn’t need to be secret, merely unique to each user, you ensure that even if two users choose the same password, they won’t end up with the same password hash.

You can see the effect of salting here, when we hash the word DUCK with three different prefixes:

SHA256("RANDOM2-DUCK") = 13D538…FEA0DC6DBB5C <- Changing just one input byte produces a wildly different hash

This also means that attackers can’t create a precomputed list of likely hashes, or create a table of partial hash calculations, known as a rainbow table, that can accelerate hash checking.
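The following is an added example, not code from the original article and not a description of Slack’s own password scheme. It reproduces the three points above in runnable Python: the avalanche effect of changing one input byte, why a per-user salt gives two users with the same password different hashes, and why that salt makes a precomputed hash table useless so the attacker has to pay the dictionary cost once per user. The PBKDF2 call illustrates the “stretch” in the subheading; the article does not say which stretching function Slack used. The two salts and the wordlist are constructed for the demo (a real system would draw each salt from os.urandom).

```python
# Added example: salting, hashing and stretching a password, and why a
# per-user salt defeats precomputed hash tables. Not Slack's code and not
# from the original article; the salts and the wordlist are constructed.
import hashlib
import hmac
import os


def sha256_hex(text: str) -> str:
    """Plain, unsalted SHA-256 of a UTF-8 string as an uppercase hex digest."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest().upper()


def salted_hash(salt: bytes, password: str) -> str:
    """Salted but not stretched: SHA-256 over salt || password, which is what
    the 'RANDOM2-DUCK' example above computes (the prefix is the salt)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest().upper()


def stretched_hash(salt: bytes, password: str, iterations: int = 100_000) -> str:
    """Salted and stretched: PBKDF2-HMAC-SHA256 repeats the work `iterations`
    times, so every guess costs the attacker as much as it costs the server.
    Illustrative choice of function; the article does not say what Slack used."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    ).hex().upper()


def new_salt() -> bytes:
    """How a real system mints a per-user salt: random and unique, not secret."""
    return os.urandom(16)


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Number of differing bits between two hex digests (avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# Constructed stand-in for a dictionary of likely passwords.
WORDLIST = ["PASSWORD", "123456", "DUCK", "GOOSE", "SWAN"]


def precomputed_table(wordlist: list) -> dict:
    """Attacker's hash -> password lookup, built once and reused against every
    leaked unsalted hash. A rainbow table is a compressed form of this idea."""
    return {sha256_hex(word): word for word in wordlist}


def crack_with_table(target_hex: str, table: dict):
    """One lookup recovers an unsalted hash; returns None on a miss."""
    return table.get(target_hex)


def crack_salted(target_hex: str, salt: bytes, wordlist: list):
    """With a salt the attacker must hash every guess afresh for this user:
    the precomputed table never matches and the work is paid per user."""
    for word in wordlist:
        if hmac.compare_digest(salted_hash(salt, word), target_hex):
            return word
    return None


def demo() -> dict:
    """Two constructed users who both chose DUCK, with and without salting.
    The salts differ in one byte, mirroring RANDOM1-/RANDOM2- in the text."""
    alice_salt, bob_salt = b"RANDOM1-", b"RANDOM2-"  # fixed for reproducibility
    table = precomputed_table(WORDLIST)

    unsalted_alice = sha256_hex("DUCK")
    unsalted_bob = sha256_hex("DUCK")
    salted_alice = salted_hash(alice_salt, "DUCK")
    salted_bob = salted_hash(bob_salt, "DUCK")

    return {
        "unsalted_identical": unsalted_alice == unsalted_bob,   # True
        "unsalted_cracked": crack_with_table(unsalted_alice, table),  # "DUCK"
        "salted_identical": salted_alice == salted_bob,         # False
        "salt_bits_changed": bit_difference(salted_alice, salted_bob),
        "salted_table_hit": crack_with_table(salted_alice, table),  # None
        "salted_cracked_for_alice": crack_salted(salted_alice, alice_salt, WORDLIST),
        "stretched_alice": stretched_hash(alice_salt, "DUCK"),
        "stretched_bob": stretched_hash(bob_salt, "DUCK"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the two unsalted hashes are identical and fall to a single table lookup, while the salted ones differ in roughly half their bits and the table misses; the dictionary still recovers DUCK for alice, but only by hashing every guess with her salt, and it has to be repeated from scratch for bob. Stretching does not change that logic, it just multiplies the per-guess cost.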