I don't understand why we hash data like passwords. I know it's harder to steal hashed data rather than just plain text, and it takes longer, but once one of those public hashing methods gets cracked, lots of that data's gonna be stolen. And by the time there's another method, you're gonna have (possibly) things like account hijacking, credit card fraud, etc. With technology exponentially growing in power, It doesn't seem that secure. In other words, why is hashing so important if it'll be cracked sooner or later? Edit: Sorry if I'm sounding like a noob, I'm new to databases and want to make a login system, and thought of this along the way.
4 If you're putting "encrypted" rather than hashed passwords in a DB, you've already flunked security 101 – whatsisname Jul 21 '20 at 01:53
3 "but you could just look up a decryptor" not sure what this means, but encryption typically involves a secret key which (because it is secret) can't be looked up. You would have to guess the key, which is computationally unfeasible given sufficient entropy. – John Wu Jul 21 '20 at 03:18
1 I think they have confused encryption for hashing, and were making reference to using a rainbow table to figure out what the hashed password might be. – aasukisuki Jul 21 '20 at 03:46
@Nat I revised my question, is it any clearer now? – DisplayName241 Jul 23 '20 at 18:06
1 You can't just replace "encryption" and "hashing" but otherwise try to have the same question. The two are so different it's like asking a question about bicycles then replacing the word "bicycle" with "submarine" and expecting it to make sense even though both are vehicles. – whatsisname Jul 29 '20 at 21:50
6 "I'm new to databases and want to make a login system" - don't. You will get it wrong. You will cause a security breach. There are plenty of login systems out there already, just use one of those. And if you really have to write your own, do not try and write your own crypto for it. – Philip Kendall Jul 29 '20 at 22:59
6 Answers
For the same reason you lock your doors when you are gone: it makes it more difficult for someone to steal from you. Additionally, there are steps you can take when "encrypting" data (salting, for example - I think you were probably talking about hashing passwords, which is different from encrypting) that would make it more difficult to decrypt. You couldn't simply, say, compare against a rainbow table looking for known values.
There is no such thing as a 100% secure system. The goal is to keep making things more and more difficult for intruders, to the point where the reward isn't worth the trouble.

- 278
I know it could slow [hackers] down, but you could just look up a decryptor.
Sure. But that's missing the point. For any good encryption algorithm, everyone knows the decryptor. Everyone knows the algorithm. Yet trillions of dollars flow over the web with no problem at all. How?
Because security is based on keys, not algorithms. Even if you know the algorithm and you know the ciphertext, it is computationally difficult (read: millions and millions of CPU-hours) to decode the text. "Could slow hackers down" is a gross understatement. Since you have the key, you don't need to do all of that processing. You can get back to the plaintext with effectively a few hundred XORs.
Instead of taking a few dozen milliseconds to read, good encryption without the key makes your data take a few dozen centuries to read (or maybe a few dozen years or months for "low risk" stuff like the SSL connection to StackExchange).

- 109,398
Hi,
Encryption is a way of keeping your data safe and confidential as it is sent over the internet. Whenever you send personal information across the internet, be it passwords, credit card information or personal contact details, encryption stops others from seeing what you are doing.
Encryption should be enabled for everything by default, not a feature you turn on only if you're doing something you consider worth protecting.
You can use strong encryption algorithms like AES and the one-time pad for securing your data.
More reference:
https://blog.storagecraft.com/5-common-encryption-algorithms/

- 241
You can't just look up a decryptor. In order to decrypt encrypted data, you need to know the encryption key, which is secret.
If they told you the encryption key, the encryption would be pointless, which is why they don't tell you the encryption key.

- 4,873
A key that needs to be stored somewhere on the machine doing the decryption, and stored in such a way that the machine can get the cleartext version of it or the decryption won't work. – jwenting Jul 30 '20 at 06:19
You say everything will be cracked sooner or later. However, according to the laws of physics (mostly quantum physics which gives us a minimum amount of energy to make any change to a system, and an estimate of the total mass of everything in the universe), it is physically impossible to make 2^256 changes to any system. Which means it is physically impossible to just crack one message protected with a 256 bit key.
So no, everything will not be cracked sooner or later.

- 44,814
So I guess I was quite confused... I must've been confusing encoding with hashing and hashing with encryption. I'll read more about hashing sometime soon. Thanks for all the support, though!