added notes on salted hash (#758)

René Zubcevic 2020-02-27 07:20:58 +01:00 committed by GitHub
parent 208aa42fdb
commit 5f3dff4921
GPG Key ID: 4AEE18F83AFDEB23


@ -1,6 +1,6 @@
= Cryptography Basics = Cryptography Basics
== Hashing == Plain Hashing
Hashing is a type of cryptography which is mostly used to detect if the original data has been changed. A hash is generated from the original data. It is based on irreversible cryptographic techniques. Hashing is a type of cryptography which is mostly used to detect if the original data has been changed. A hash is generated from the original data. It is based on irreversible cryptographic techniques.
If the original data is changed by even one byte, the resulting hash is also different. If the original data is changed by even one byte, the resulting hash is also different.
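Review bot: the heading becomes "== Plain Hashing" but the paragraph under it is unchanged and never says what "plain" means, so a reader only learns the distinction from the new "== Salted Hashes" heading further down; add one sentence here such as "Plain here means the data is hashed as-is, without a salt" so the contrast the rename introduces is explicit in this section. As a style point, "Plain Hashing" (singular gerund) and "Salted Hashes" (plural noun) are inconsistent; pick one form for both headings.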
@ -10,6 +10,11 @@ So in a way it looks like a secure technique. However, it is NOT and even NEVER
Some hashing algorithms should no longer be used: MD5, SHA-1 Some hashing algorithms should no longer be used: MD5, SHA-1
For these hashes it is possible to change the payload in such a way that it still results in the same hash. This takes a lot of computing power, but is still a feasible option. For these hashes it is possible to change the payload in such a way that it still results in the same hash. This takes a lot of computing power, but is still a feasible option.
== Salted Hashes
Plain passwords should obviously not be stored in a database. And the same goes for plain hashes.
The https://owasp.org/www-project-cheat-sheets/cheatsheets/Password_Storage_Cheat_Sheet.html[OWASP Password Storage Cheat Sheet,window=_blank] explains what should be used when password related information needs to be stored securely.
== Assignment == Assignment
Now let's see if you can find what passwords matches which hashes. Now let's see if you can find what passwords matches which plain (unsalted) hashes.
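Review bot: the new "== Salted Hashes" section states that plain hashes must not be stored but never says what a salt is or what it protects against, leaving the reader with only the OWASP link; add a sentence along the lines of "A salt is a random value stored alongside the hash and mixed into it, so identical passwords produce different hashes and precomputed tables do not apply", and make clear that salting alone does not change the "feasible" computing-power concern raised in the lines just above, which is why the linked cheat sheet should be read for the actual recommendation. Also, the assignment line reads "what passwords matches which plain (unsalted) hashes"; it should be "which passwords match which plain (unsalted) hashes".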