From 5f3dff492184d2874dd6174094fc16f9fbad1379 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= Date: Thu, 27 Feb 2020 07:20:58 +0100 Subject: [PATCH] added notes on salted hash (#758) --- .../src/main/resources/lessonPlans/en/hashing_plan.adoc | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/webgoat-lessons/crypto/src/main/resources/lessonPlans/en/hashing_plan.adoc b/webgoat-lessons/crypto/src/main/resources/lessonPlans/en/hashing_plan.adoc index a07b183b8..3536b2623 100644 --- a/webgoat-lessons/crypto/src/main/resources/lessonPlans/en/hashing_plan.adoc +++ b/webgoat-lessons/crypto/src/main/resources/lessonPlans/en/hashing_plan.adoc @@ -1,6 +1,6 @@ = Cryptography Basics -== Hashing +== Plain Hashing Hashing is a type of cryptography which is mostly used to detect if the original data has been changed. A hash is generated from the original data. It is based on irreversible cryptographic techniques. If the original data is changed by even one byte, the resulting hash is also different. @@ -10,6 +10,11 @@ So in a way it looks like a secure technique. However, it is NOT and even NEVER Some hashing algorithms should no longer be used: MD5, SHA-1 For these hashes it is possible to change the payload in such a way that it still results in the same hash. This takes a lot of computing power, but is still a feasible option. +== Salted Hashes + +Plain passwords should obviously not be stored in a database. And the same goes for plain hashes. +The https://owasp.org/www-project-cheat-sheets/cheatsheets/Password_Storage_Cheat_Sheet.html[OWASP Password Storage Cheat Sheet,window=_blank] explains what should be used when password related information needs to be stored securely. + == Assignment -Now let's see if you can find what passwords matches which hashes. +Now let's see if you can find what passwords matches which plain (unsalted) hashes.
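Review bot: the renamed heading `== Plain Hashing` in the first hunk is fine, but it should use the same wording as the new assignment line further down, which says "plain (unsalted) hashes"; consider `== Plain (unsalted) Hashing` or adding "(unsalted)" once in the body so a learner reading only this section knows what "plain" is being contrasted with.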
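Review bot: the new `== Salted Hashes` section never says what a salt is or which attack it defeats, so the section title is its only explanation; suggest one sentence before the cheat-sheet link, e.g. "A salt is a random value, unique per password, stored alongside the hash; it makes identical passwords hash to different values and prevents precomputed hash tables from being reused across users." Also, the changed assignment line reads "find what passwords matches which plain (unsalted) hashes" and should be "find which passwords match which plain (unsalted) hashes".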