
Many client-server systems use hash functions for the authentication of users' passwords. They use passwords as inputs to different hash functions like MD5, SHA-1 etc. and compute hash values. Then they store the hash values in their database.

As far as I know, if the hash values are known to crackers they can try to retrieve passwords through brute-force attacks, dictionary attacks, lookup tables and so on.

I want to know if the following fact is true or not.

It is necessary to keep hash values secret from crackers if we want to make the authentication system difficult to crack for crackers.

  • And [related](http://security.stackexchange.com/questions/18021/is-there-more-to-password-hashing?rq=1) – Tensibai Feb 13 '17 at 15:19

1 Answer


Yes, it is necessary to keep the hashes secret.

For users with really good (long and random) passwords, a leaked hash might not be the worst that could happen, because it might be unfeasible to crack the hash anyway. But for users with bad (short and not so random) passwords, a leaked hash would in practice mean that their account is compromised. Anyone can easily brute force `Passw0rd!`, no matter how good your hash function is.

Hashing is an example of defence in depth - as a first defence, you do not want your passwords to be leaked, but in case they are anyway you want them to be properly hashed to minimize the damage.

Anders
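An added example (not from the original question or answer) contrasting the unsalted fast hash the question mentions with a salted, iterated hash. It shows why hashes must stay secret either way and what proper hashing buys as the second layer of defence; the function names and the record format are made up for this illustration.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Added example, not code from the original post. Scheme and function names
# (store_unsalted_md5, store_pbkdf2, verify_pbkdf2) are made up for illustration.

PBKDF2_ITERATIONS = 600_000  # work factor: every guess costs this many SHA-256 rounds


def store_unsalted_md5(password: str) -> str:
    """The weak scheme named in the question: md5(password), no salt.
    Deterministic, so equal passwords give equal records and a leaked table
    can be matched against precomputed hashes of common passwords."""
    return hashlib.md5(password.encode()).hexdigest()


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: per-user random salt plus a slow, iterated hash.
    Record format (made up here): pbkdf2_sha256$iterations$salt_hex$hash_hex.
    A leak still lets an offline guesser try 'Passw0rd!', but at 600k rounds
    per guess and with no shared precomputed table, so secrecy stays layer one."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def same_password_detectable(scheme: Callable[[str], str], password: str) -> bool:
    """True if two users with the same password get identical stored records,
    i.e. a leaked table lets anyone group them and look them up at once."""
    return scheme(password) == scheme(password)


if __name__ == "__main__":
    weak = "Passw0rd!"  # the password named in the answer
    print("md5: equal passwords give equal records:", same_password_detectable(store_unsalted_md5, weak))
    print("pbkdf2: equal passwords give equal records:", same_password_detectable(store_pbkdf2, weak))
    rec = store_pbkdf2(weak)
    print("verify correct:", verify_pbkdf2(weak, rec), "| verify wrong:", verify_pbkdf2("password", rec))
```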