2

I read that when salting passwords, it is advised to use a h(pwd||salt) construction instead of h(salt||pwd), the latter being vulnerable to a length extension attack.

What are possible scenarios in which being able to extend a salted password is useful for an attacker?

I am aware that there are better ways of storing passwords than just salting them, though I would still like to know, supposedly in a case where only salted passwords are used, how being able to do length extension attacks is useful to an attacker.

Gregory45
  • 1
    __You should never ever use a simple hash for passwords in the first place__. And once you do proper password hashing the question gets irrelevant. See [How to securely hash passwords?](https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords) – Steffen Ullrich Oct 25 '20 at 12:14
  • 1
    @SteffenUllrich I am aware of that, as stated in my post. Though I would still like to know, supposedly in a case where only salted passwords are used, how being able to do length extension attacks is useful to an attacker. – Gregory45 Oct 25 '20 at 12:26

1 Answer

1

No, they are not applicable at all.

Two cases:

  1. Online password try with the application interface: The attacker has no control to execute a length extension attack.

  2. The attackers have write access to the server:

    To be able to execute a length extension attack on the passwords, you need to know the original passwords, too. If a password is hashed then actually it is stored as

    h(salt||pwd||pad1)

    With the length extension attack, it will be

    h(salt||pwd||pad1||extension||pad2)

    Therefore, they need to know the original, too. Hey wait there, if they have write access then they can modify it with h(salt||password that they know).

Length extension attacks work when the attacker can modify the message that is going to be sent or during the transmission. An example is the Flickr API.

Final note: For passwords, you need memory-hard password hashing with calculation timing control (possibly with iteration). The current trend is to use Argon2.

kelalaka