added notes on salted hash (#758)

This commit is contained in:
René Zubcevic 2020-02-27 07:20:58 +01:00 committed by GitHub
parent 208aa42fdb
commit 5f3dff4921
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -1,6 +1,6 @@
= Cryptography Basics
== Hashing
== Plain Hashing
Hashing is a type of cryptography which is mostly used to detect if the original data has been changed. A hash is generated from the original data. It is based on irreversible cryptographic techniques.
If the original data is changed by even one byte, the resulting hash is also different.
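Review bot: The heading becomes "== Plain Hashing", but the paragraph under it still describes hashing in general and never says what "plain" means. The assignment text in this same commit glosses it as "plain (unsalted)", so I'd suggest either using that gloss here as well or adding one sentence to this section stating that a plain hash is computed over the data alone, with no salt. Otherwise a reader meets the term two sections before it is explained.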
@ -10,6 +10,11 @@ So in a way it looks like a secure technique. However, it is NOT and even NEVER
Some hashing algorithms should no longer be used: MD5, SHA-1
For these hashes it is possible to change the payload in such a way that it still results in the same hash. This takes a lot of computing power, but is still a feasible option.
== Salted Hashes
Plain passwords should obviously not be stored in a database. And the same goes for plain hashes.
The https://owasp.org/www-project-cheat-sheets/cheatsheets/Password_Storage_Cheat_Sheet.html[OWASP Password Storage Cheat Sheet,window=_blank] explains what should be used when password related information needs to be stored securely.
== Assignment
Now let's see if you can find what passwords matches which hashes.
Now let's see if you can find what passwords matches which plain (unsalted) hashes.
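Review bot: The new "== Salted Hashes" section never says what a salt is or why "the same goes for plain hashes"; it only links to the OWASP cheat sheet. Since the assignment right below has the learner match passwords to unsalted hashes, one or two sentences here would tie the lesson together: a salt is a random value unique to each password, stored next to the hash, so identical passwords yield different hashes and a precomputed lookup of common passwords no longer works. Small wording point on the changed assignment line: "what passwords matches which" should read "which passwords match which".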