0

A question I came up with while reading in my information security class. Let's say website ABC which uses username and password combinations to authenticate users and has a user John. When John goes to ABC.com to log in to his account and types his password, is the hashed version of the password transmitted to ABC's servers to authenticate John? Wouldn't the hash then just be the password? If an organization was listening in to John and stores the hashed password then they would just have to replay the password at a later time to log in as John.

I thought about ABC using asymmetric keys where the public key is available to John but the private key is stored on ABC's servers. So, John could encrypt his hash with the public key and only ABC could decrypt it using their private key. But then, how does ABC store the private key securely on their server?

schroeder
  • 125,553
  • 55
  • 289
  • 326
Nihal
  • 1
  • 1
  • 1
    You're misunderstanding some basic concepts - a hash is a one-way function, which given a good algorithm is hard to crack (meaning it takes a long time). This hash gets saved in a database usually and compared to the hash received. In modern implementation salt is usually involved, because it wouldn't be enough to just hash it, but that's something to think after you got the gist of it. – Sir Muffington Mar 01 '22 at 18:56
  • Got it, I think I understand how hashes work and why salt is used to avoid attackers from having precomputed hashes. But the hash needs to be transmitted to the website for user authentication. How can this be done securely? – Nihal Mar 01 '22 at 18:58
  • Via HTTPS, so end-to-end encrypted. – Sir Muffington Mar 01 '22 at 18:59
  • 1
    Client-side hashing is uncommon, for the reason that you mentioned in your question, i.e. then the hashed password effectively becomes the password. See https://security.stackexchange.com/questions/53594/why-is-client-side-hashing-of-a-password-so-uncommon for some interesting reading on this subject. WRT your idea of authentication using asymmetric encryption - TLS largely solves this problem. Protocols like PAKE and SRP go a step further - see https://security.stackexchange.com/questions/242811/alternatives-for-sending-plaintext-password-while-login for more info. – mti2935 Mar 01 '22 at 19:00

0 Answers0