not all heroes wear capes, some of them make good tutorials
how do you know if he is wearing a cape or not
@@subzerokar jeez you been going to finishing school
amen
Great video. Thanks man!!
that's a lot of hash at the beginning of the video
OMG I FINALLY GET IT
JESUS CHRIST IT'S SO COOL
I hate myself for liking encryption/computer science so much hahaha
Great video! Sorry for bad English, I have a question: how do you get into the database to get the hash?
Is it safer to hash the password 2 times? So, like, one to be used as salt and one to store in the database.
Then if two or more users have the same password, their salts would be the same too, resulting in identical password hashes in your database.
That's one of the main things we are trying to prevent here!
And it's also a best practice to make sure the salt isn't based on the password itself in any way.
Q: what do you think about hashing a password with the same password as a salt? Only the user will "know" the salt and you don't need to store the salt.
That is what's called security through obscurity. It will seem very secure until one hacker anywhere in the world figures it out! If that hacker tells the world, every hacker can try cracking the passwords assuming that you used that method. Suddenly, all the people in the world who used that method have to scramble to update their system!
The best security is open source. This might seem counterintuitive but it's true. If your system is hard to crack even with the source code known, you have avoided the security through obscurity issue.
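To make the point in the reply above concrete, here is an added example (not code from the video or from any commenter). It stores the same password for two users with a fresh random salt each, and beside it the "salt derived from the password" scheme from the question, so you can see the hashes collide in the second case. It also shows how a login check works: the stored salt is read back and the hash is recomputed, nothing is ever "unhashed". PBKDF2-HMAC-SHA256 from the Python standard library is used as the slow hash; the iteration count and the sample password are assumptions for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (example value; raise it as hardware gets faster)


def derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_random_salt(password: str) -> tuple[bytes, bytes]:
    """Recommended: a fresh random 16-byte salt per user, stored next to the hash."""
    salt = os.urandom(16)
    return salt, derive(password, salt)


def store_password_derived_salt(password: str) -> bytes:
    """The scheme from the question: the salt is computed from the password, so
    nothing extra is stored. Two users with the same password then get the same
    salt and therefore the same hash, which is exactly what a salt should prevent."""
    salt = hashlib.sha256(password.encode("utf-8")).digest()
    return derive(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """No 'unhashing': recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(derive(password, salt), stored)


def demo() -> dict:
    """Two users (constructed sample data) who happen to pick the same password."""
    password = "smoke weed everyday"
    alice_salt, alice_hash = store_random_salt(password)
    bob_salt, bob_hash = store_random_salt(password)
    return {
        "random_salt_hashes_differ": alice_hash != bob_hash,
        "derived_salt_hashes_collide": store_password_derived_salt(password)
        == store_password_derived_salt(password),
        "alice_logs_in": verify(password, alice_salt, alice_hash),
        "bob_logs_in": verify(password, bob_salt, bob_hash),
        "wrong_password_rejected": not verify("Snoop Dog", alice_salt, alice_hash),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salt is not secret; it sits in the database next to the hash. Its only job is to make every user's hash unique, which the derived-salt variant visibly fails to do.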
Thank you soooo much 😙 I have a quiz
and I just understood
Thanks for the explanation of peppers! I didn't know that existed.
However... Every time you teach people about MD5 without explicitly warning them it's been cracked, a cryptography fairy dies.
Jeez.
I wish you taught my Comp-Sci class...
Now I get it.
Tx
&& this educational style vid is a nice change too.
I like when people can explain such complex things easily
There are 2 concepts of a pepper
1. What was explained here, a small random input that is iterated through when authenticating the user
2. An input like the salt but the same for every password that is stored separately to the password (sometimes, but not wisely in the code itself)
Hi, can you provide a reference for this? According to Wikipedia only the 2nd one is mentioned there:
en.wikipedia.org/wiki/Pepper_(cryptography)
@@digitalalpha2 If you asked me this 2 years ago I might have had an answer (or tripped over myself) but I honestly don't know what I meant with point 1 anymore.
A pepper as I know it is point 2. The key points are that it is the same for all passwords, and not stored in the database (so a breach/dump doesn't expose it)
If you're learning about password hashing I would dive into the PBKDF2 and bcrypt password hashing functions and what they do.
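An added example (not the video's code, not any commenter's) of the pepper as described in point 2 above: one secret shared by all users that is kept out of the database. Here the pepper is used as an HMAC key over the password before the salted slow hash, so an attacker holding only a database dump cannot even form the input that PBKDF2 was run on. The hex constant standing in for the secret, the iteration count and the sample passwords are assumptions for the example; in a real deployment the pepper would be loaded from an environment variable, a secrets manager or an HSM on the application host.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000

# Hypothetical secret, constructed for the example. It lives with the application,
# never in the users table, so a database dump alone does not contain it.
PEPPER = bytes.fromhex("5c7a2e91b30f4d6e8a1c0b2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f708192a3b4c5")


def pepper_password(password: str, pepper: bytes) -> bytes:
    """Keyed pre-hash: HMAC-SHA256(pepper, password)."""
    return hmac.new(pepper, password.encode("utf-8"), "sha256").digest()


def create_record(password: str, pepper: bytes = PEPPER) -> tuple[bytes, bytes]:
    """Returns (salt, hash); only these two values go into the database."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pepper_password(password, pepper), salt, ITERATIONS)
    return salt, digest


def check_password(password: str, salt: bytes, stored: bytes, pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and the server-side pepper; constant-time compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", pepper_password(password, pepper), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    password = "snoop dogg"  # constructed sample
    salt, stored = create_record(password)
    dump = (salt, stored)  # everything an attacker gets from a database breach
    return {
        "server_with_pepper_accepts": check_password(password, *dump),
        "wrong_password_rejected": not check_password("ali g", *dump),
        # Offline guessing against the dump with the right password but no pepper fails:
        "dump_without_pepper_useless": not check_password(password, *dump, pepper=b""),
        "wrong_pepper_rejected": not check_password(password, *dump, pepper=os.urandom(32)),
    }


if __name__ == "__main__":
    print(demo())
```

The trade-off practitioners should note: if the pepper is lost, every stored hash becomes unverifiable, and rotating it means re-peppering at each user's next login, so it needs the same backup and rotation handling as any other key.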
Awesome, clicked away, forgot to like so I went back and left a like :)
Great video. I knew about hashing and salting, but not about peppers. What do you think is better/safer? Or isn't there a "best way"?
The answer is, don't use hashes like sha1 for passwords. These hashes were not designed for passwords (read as: not designed to be inefficient and expensive to calculate). They were designed to be super fast to calculate, thus easy to brute-force.
So it's better to use something like BCrypt, PBKDF2, etc...
Randorn Canis Thanks. I didn't even think about using both, but I think I'll take a look at bcrypt. I've heard that a lot of people use it, but I've never really tried it.
LiveOverflow Thanks. But isn't this good news? On the server side, it doesn't matter if it takes a bit longer, but if someone uses a dictionary/brute force attack, it would? Anyways, I'll try out bcrypt.
LiveOverflow You here? Cool!
Same
Great and funny video, pass: smoke weed everyday ;)
Brute force using a quantum computer would crack this in 10s
Fantastic tutorial, thank you. I am studying for my CISSP exam and this made a lot of sense to me.
snoop dogg and ali g as your example passwords - we are brothers from separate mothers
Why only 1 pepper letter? Does using like 4 letters not produce a ton more possible hashes?
But the more digits you add, the average time to match the password will increase exponentially; in the example, the time it takes for a user to log in would ramp up extremely fast and become impractical.
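An added example (not the video's code) of the pepper as the video presents it: one random letter from a..z, A..Z is appended before hashing and then thrown away, so the server has to try all 52 candidates at login. The code counts how many hashes a login costs, which shows both the "52 times longer" worst case raised further down the thread and, via worst_case_multiplier, why the 4-letter variant asked about above is impractical (52^4 hashes per failed login). PBKDF2-HMAC-SHA256 is the assumed slow hash, with a deliberately low iteration count so the 52-way loop runs quickly here; the sample password is constructed.

```python
import hashlib
import hmac
import os
import secrets
import string

ITERATIONS = 10_000                     # kept low so the 52-way login loop is quick in the demo
PEPPER_ALPHABET = string.ascii_letters  # a..z, A..Z: the 52 candidates from the video


def hash_with_pepper(password: str, salt: bytes, pepper: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", (password + pepper).encode("utf-8"), salt, ITERATIONS)


def register(password: str) -> tuple[bytes, bytes]:
    """Pick one random pepper letter, hash with it, then forget the letter.
    Only (salt, hash) is stored; the pepper exists nowhere."""
    salt = os.urandom(16)
    pepper = secrets.choice(PEPPER_ALPHABET)
    return salt, hash_with_pepper(password, salt, pepper)


def login(password: str, salt: bytes, stored: bytes) -> tuple[bool, int]:
    """Server-side brute force of the pepper. Returns (accepted, hashes_computed).
    A wrong password always costs the full 52 hashes; a right one costs 1..52."""
    for tries, pepper in enumerate(PEPPER_ALPHABET, start=1):
        if hmac.compare_digest(hash_with_pepper(password, salt, pepper), stored):
            return True, tries
    return False, len(PEPPER_ALPHABET)


def worst_case_multiplier(pepper_length: int, alphabet: str = PEPPER_ALPHABET) -> int:
    """Login cost multiplier for a pepper of pepper_length letters: 52, 2704, 140608, 7311616, ..."""
    return len(alphabet) ** pepper_length


def demo() -> dict:
    password = "ali g"  # constructed sample
    salt, stored = register(password)
    ok, tries = login(password, salt, stored)
    bad, bad_tries = login("not the password", salt, stored)
    return {
        "correct_password_accepted": ok,
        "tries_within_bound": 1 <= tries <= len(PEPPER_ALPHABET),
        "wrong_password_rejected": not bad,
        "wrong_password_costs_full_scan": bad_tries == len(PEPPER_ALPHABET),
        "four_letter_pepper_multiplier": worst_case_multiplier(4),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the attacker pays the same 52x per guess as the server, so this is just a clumsy work factor; a bcrypt or PBKDF2 cost parameter gives the same slowdown in a tunable, standard way, which is the point several replies below make.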
Genius without education is like silver in the mine.
Baran Barış Yıldızlı what?
Thanks so much for these videos! it makes learning so much easier!
1:43 No, FAILED: you found a password but it's not correct if you use multiple hashes. Login encrypts the password with sha512, then sha256, then md5. The hash looks like md5, and if you actually found a correct match that would be the sha256 HASH as password; it won't help because the login screen won't let you in, it's the wrong password.
I'm a genius. Why do websites still use one encryption when they should use multiple? The hacker can't know.
Even password "1" is secure when the hacker can't know how many times it's encrypted and in what order LOL
There is no way to create rainbow tables with HASH-sized passwords. I have spoken.
Pepper is just a global password according to Wikipedia
Hmm very interesting. I'll absolutely never need to know this so i will never forget
Like & Subscribe
okay so knowing this makes me furious; iirc A PAID (WELL)
IT professional that works for a Credit Bureau used "password" as system password that allowed 150 Million credit card users to have their data breached:::
OUT(bloody)RAGEOUS, CRIMINAL, & INCOMPETENT.
WTH? THEY SHOULD FACE
CLASS ACTION LAWSUITs TOTALing $Billions IMHO.
I just finished typing a long comment exposing a lot of knowledge that has no business being exposed, but then I remembered the saying "do your filth and keep your mouth shut", so I deleted it. Still, I'm itching to say, this video made me realize how narrow minded most programmers are. Which is great news for me.
Great video. 1 comment though: 3m47s "52 times longer" is only true if the attacker always guesses wrong until the last try. ;)
Is the pepper character limited to a..Z and 0..1, or all characters in ASCII/Unicode?
*sorry if my question made you confused
The description of a pepper here is interesting, but probably not a good idea. It is better to slow down authentication using a specifically designed system like bcrypt or scrypt.
I only have one question for those who have a high level of expertise within this field: can passwords be encrypted, hashed, salted, and peppered all at the same time, thus virtually making it high-level to crack by third parties and online viruses etc.?
Nice video! Great concept!
If anyone is thinking of implementing this into PHP as I first did, don't. It's already implemented in PHP with the function of password_hash & password_verify. Wish I knew that before I implemented it! haha
What about storing the hash of the hash of the hash....say 100 levels deep..... this also makes it computationally expensive
Very old video but you did get a couple of things wrong, or at least not cover the entire story.
for instance, a Rainbow table is not just a straight lookup table. You need to cover chains, and reduction as well to get a clearer picture.
But Kudos on the salt and pepper. Companies like joomla even got it wrong at some point using a static salt for all users. Now if your hashes are compromised, it means your db was compromised, thus said actor has the content of the configuration as well, which means they know your salt, and can use any of the existing tables and leak those users.
Honestly, we're in 2020, all reputable websites should be using brute force attack detection software.
Took you less than 5 minutes to explain this topic.
My teacher had an hour and a half and I still didn't get it.
Thank you
3:53 It takes many years longer when you use multiple algorithms together and even reverse the hash order in between. The hacker has no clue.
just to confirm, over http the password and the user name would be sent from the client to the server in plain text and in https (ssl) it would be encrypted? The methods detailed only help the server and database security, but the client is still very vulnerable?
You are explaining this topic too fast; you need to slow down so that people can understand what you are explaining. Thanks!
I use salt, pepper and the user's bitcoin address. ROFL, he can't understand that it's half of his password and not hashed :F
Doot doot. Did I get healthy bones? Great use of memes man, very dank
Very well done ty I was confused till this point!!!
If you spell Snoop Dogg with 1 “g” you deserve to be hacked /s
Thanks for the video!
It was greatly explained!
remember:
the most secure hashing algorithm is one that is not publicly known.
I don't get how rainbow tables would not work assuming a hacker has access to the hashed password and the salt
How does the user's application know if it should check pepper combinations? Does it have to be implemented on the front-end side?
omg what is 1.56 timestamp??? I friggin LOVE IT!
I know it's weird question but does anyone know what accent is he speaking?
fifty-two times AS LONG, not fifty-two times longer.
Thank you so much, this was so easy to understand!
Are peppers used for scrypt? Whereas SHA256 lacks the peppers.
I wrote software for storing passwords and I used my own hashing algorithm for the passwords because I don't trust others hahahahahahahaha
You are not so smart after all
It's probably really bad..
but on the plus side, it will stop attackers who just run other people's tools that don't know your algorithm
I always wonder if using random even stupid ways of processing a password to a hash would be relatively secure because the attacker wouldn't know what the hell he's looking at.
@@42222 security by obscurity generally isn't a good idea
@@42222 wonder no more: it would not.
ohh thanks, I didn't know that online websites implemented rainbow tables
If hashing is always 1 to 1 (a given password will always result in a given hash), why can't hackers mess around with the hashing algorithm to discover a way to un-hash strings?
Also, are all salts appended, or can they be prepended or even put in the middle?
Also also, won't rainbow tables still be of use if the hacker knows where the "junk" characters are and simply removes them from the hash + salt, as hash + salt - salt = hash?
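An added example (not from the video or from any commenter) that bears on the rainbow-table question above and on the "sha1 is too fast" reply earlier in the thread. It builds a lookup table over a small constructed wordlist, cracks an unsalted SHA-1 hash with a single dictionary lookup, then shows that a salted hash is not in the table at all even though the salt is public: the attacker has to redo the dictionary once per user. Finally it runs the same dictionary against PBKDF2 and counts the work, which is where a deliberately slow hash makes the difference. The wordlist, the salts and the iteration count are constructed for the example; a real rainbow table uses hash chains and reduction functions instead of a flat dict, as a reply below notes, but the economics are the same.

```python
import hashlib
import os
from typing import Optional

# Constructed wordlist standing in for a real dictionary.
WORDLIST = ["123456", "password", "letmein", "ali g", "snoop dogg", "smoke weed everyday"]
SLOW_ITERATIONS = 10_000


def fast_hash(password: str, salt: bytes = b"") -> str:
    """SHA-1 with an optional salt prefix: one cheap call per guess."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> dict:
    """Computed once, reused against every unsalted dump ever leaked."""
    return {fast_hash(w): w for w in words}


def crack_unsalted(table: dict, digest: str) -> Optional[str]:
    return table.get(digest)  # zero hash computations at crack time


def crack_salted(words, salt: bytes, digest: str, work: dict) -> Optional[str]:
    """The salt is public (it sits next to the hash), but the attacker must now
    redo the dictionary for this one salt: the precomputed table does not transfer."""
    for w in words:
        work["sha1_calls"] += 1
        if fast_hash(w, salt) == digest:
            return w
    return None


def crack_slow(words, salt: bytes, digest: bytes, work: dict) -> Optional[str]:
    """Same dictionary against PBKDF2: every guess costs SLOW_ITERATIONS HMAC calls."""
    for w in words:
        work["hmac_calls"] += SLOW_ITERATIONS
        if hashlib.pbkdf2_hmac("sha256", w.encode("utf-8"), salt, SLOW_ITERATIONS) == digest:
            return w
    return None


def demo() -> dict:
    pw = "snoop dogg"  # 5th entry of the wordlist, so each dictionary run costs 5 guesses
    table = build_lookup_table(WORDLIST)
    work = {"sha1_calls": 0, "hmac_calls": 0}
    salt1, salt2 = os.urandom(16), os.urandom(16)
    unsalted = fast_hash(pw)
    salted1, salted2 = fast_hash(pw, salt1), fast_hash(pw, salt2)
    slow = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt1, SLOW_ITERATIONS)
    results = {
        "unsalted_cracked_by_lookup": crack_unsalted(table, unsalted) == pw,
        "table_useless_against_salted": crack_unsalted(table, salted1) is None,
        "salted_user1_cracked": crack_salted(WORDLIST, salt1, salted1, work) == pw,
        "salted_user2_cracked": crack_salted(WORDLIST, salt2, salted2, work) == pw,
        "slow_cracked": crack_slow(WORDLIST, salt1, slow, work) == pw,
    }
    results["sha1_calls"] = work["sha1_calls"]  # 2 users x 5 guesses = 10
    results["hmac_calls"] = work["hmac_calls"]  # 5 guesses x 10_000 = 50_000
    return results


if __name__ == "__main__":
    print(demo())
```

So a salt does not stop a weak password from being cracked; it stops one precomputation from cracking every user at once. The slow hash is what multiplies the per-guess cost, and the two are meant to be used together.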
cats are cool, so you are brother. thanks for the divine.
Hi, really good video, thanks :) !
Maybe you should go a bit slower; sometimes we need to pause the video to read the screen content.
Thanks.
That's what pauses are for..
Thank you! This was explained really well, I understand it now.
How to generate the hiding password in a LAN MAC address??
(worst case is 52 times the time it takes without a pepper)*
3:51 why would it take 52 times longer to log in ?
Excellent tutorial. More, please! 😃
Quick and simple explained. Nice video!
Please reply to this: a Node.js function that takes the following input (user ID, username, university, timestamp, salt, hash type) and returns a hashed string.
Do you know how to find hashes in the first place?
Hey got everything done by *Realhacker001* on iG it’s legit worldwide hackers 💯💯💯💯💯😮😮😮👂👂👂❤️❤️❤️
The Snoop Dog thing was so random
I already used hashes and salt but I'm kind of confused how to use the pepper. As of right now I don't want to send a plain password to the backend, so I add the salt and hash it in the frontend, send it to the backend and store it there. For the login I do the comparison of the hashed password in the backend, so no plain password enters the network. However, if I already added the pepper in the frontend it would be really easy to find out, but to add it in the backend I would have to send the password plain and I really don't want that. I'm sure I'm forgetting something here, so please let me know how to do that. Thanks!
You could theoretically add the salt front end, hash once, add the pepper to the hash and hash again in the backend.
Don't use md5 to hash passwords though...
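An added example (not code from the video or from either commenter) of the two-stage scheme sketched in the reply above: the client derives a pre-hash from the password, and the server treats that pre-hash as the password, applying its own pepper, salt and slow hash. The demo also shows the property the question is really about: whatever the client sends is the credential, so a captured pre-hash can be replayed to log in, which is why this does not replace TLS. The site salt, the server pepper (generated at import time as a stand-in for a secret held by the server process), the iteration counts and the sample account are assumptions for the example.

```python
import hashlib
import hmac
import os

CLIENT_ITERATIONS = 50_000       # runs in the browser/app; these parameters are public
SERVER_ITERATIONS = 100_000
SITE_SALT = b"example.invalid"   # constructed public per-site constant
SERVER_PEPPER = os.urandom(32)   # hypothetical secret held only by the server process


# --- client side -----------------------------------------------------------
def client_prehash(username: str, password: str) -> bytes:
    """Deterministic and username-bound so the client can reproduce it at login.
    The plaintext password never leaves the client; this value does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               SITE_SALT + username.encode("utf-8"), CLIENT_ITERATIONS)


# --- server side -----------------------------------------------------------
def server_register(prehash: bytes, pepper: bytes = SERVER_PEPPER) -> tuple[bytes, bytes]:
    """Treat the prehash as the password: pepper it, salt it, slow-hash it again."""
    keyed = hmac.new(pepper, prehash, "sha256").digest()
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", keyed, salt, SERVER_ITERATIONS)


def server_login(prehash: bytes, salt: bytes, stored: bytes, pepper: bytes = SERVER_PEPPER) -> bool:
    keyed = hmac.new(pepper, prehash, "sha256").digest()
    candidate = hashlib.pbkdf2_hmac("sha256", keyed, salt, SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def demo() -> dict:
    user, pw = "ainsley", "smoke weed everyday"  # constructed sample account
    salt, stored = server_register(client_prehash(user, pw))
    captured = client_prehash(user, pw)  # what a sniffer on plain HTTP would see
    return {
        "login_ok": server_login(client_prehash(user, pw), salt, stored),
        "wrong_password_rejected": not server_login(client_prehash(user, "ali g"), salt, stored),
        # The prehash is the effective password: replaying it authenticates.
        "replayed_prehash_logs_in": server_login(captured, salt, stored),
        # A database dump without the server pepper cannot even verify the right prehash.
        "offline_guess_without_pepper_fails": not server_login(captured, salt, stored, pepper=b""),
    }


if __name__ == "__main__":
    print(demo())
```

What the client-side step buys you is that the server never sees the user's actual password (useful if they reuse it elsewhere); what it does not buy you is transport security, so HTTPS is still required, and the server must still salt and slow-hash the pre-hash exactly as it would a plain password.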
Dude are you f**king crazy?!?!?
You just spent 4 mins clearly explaining what I have been confused about for 4 days!!!
Thank you!
can you use both salt and pepper on top of a hash
I propose to use a dynamic salt and NOT TO STORE it anywhere; it will be re-evaluated every time login details change. Plus, 100 pepper keys from which only a single one passes.
salt+2nd+depoint = secure
But pepper is not how you explained it, at least not according to Wikipedia:
en.wikipedia.org/wiki/Pepper_(cryptography)
Wikipedia and other videos explain a pepper that is similar to a salt but saved secretly in a different place, like a config file.
Personally I like the one you explained (your pepper) more than the one in Wikipedia (their pepper), but it seems it's not called pepper.
thanks for the excellent resource.
When user enters password for salted password, is there an unhashing algorithm to be able to check if the salted pw in the DB matches user input? Or how is it checked?
i thought the pepper would be a joke
Nice, concise video.
I encountered an issue recently when copying a test environment to a dev environment and was unable to login on the dev environment using the credentials copied over from test.
For reference, I was using bcrypt in NodeJS.
If the salt is stored in the database as a prefix to the hashed password, why is it that I couldn't login on the dev environment?
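An added example (not from the video, and not the commenter's Node.js code) of what a self-describing password record like bcrypt's actually carries. It encodes the algorithm, the work factor, the salt and the hash into one "$"-separated string, parses it back, and verifies a password from nothing but that string, so a record copied from one environment to another verifies on its own. It also shows a needs_rehash check for upgrading the work factor at the next login. The format, the record created with a lower iteration count to stand in for an older environment, and the sample passwords are assumptions for the example; PBKDF2-HMAC-SHA256 is used rather than bcrypt because it is in the Python standard library. Anything that does not live in the record, such as a pepper kept in a config file as discussed in this thread, is exactly what a copied row does not carry.

```python
import base64
import hashlib
import hmac
import os

CURRENT_ITERATIONS = 100_000  # current policy; older records may have been made with less


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def make_hash_string(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Self-describing record in a '$alg$params$salt$hash' layout (modelled on the
    bcrypt-style strings that carry their salt as a prefix of the stored value)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"$pbkdf2-sha256$i={iterations}${_b64(salt)}${_b64(digest)}"


def parse_hash_string(record: str) -> tuple[int, bytes, bytes]:
    """Returns (iterations, salt, digest); rejects records we do not understand."""
    _, alg, params, salt, digest = record.split("$")
    if alg != "pbkdf2-sha256" or not params.startswith("i="):
        raise ValueError("unsupported hash record")
    return int(params[2:]), _unb64(salt), _unb64(digest)


def verify_hash_string(password: str, record: str) -> bool:
    """Everything needed to verify comes from the record itself."""
    iterations, salt, digest = parse_hash_string(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def needs_rehash(record: str) -> bool:
    """True when the stored work factor is below current policy; rehash after a successful login."""
    iterations, _, _ = parse_hash_string(record)
    return iterations < CURRENT_ITERATIONS


def demo() -> dict:
    pw = "snoop dogg"  # constructed sample
    old_record = make_hash_string(pw, iterations=50_000)  # made on the 'test' environment
    copied_record = str(old_record)                       # copied verbatim to 'dev'
    return {
        "copied_record_verifies": verify_hash_string(pw, copied_record),
        "wrong_password_rejected": not verify_hash_string("ali g", copied_record),
        "old_record_needs_rehash": needs_rehash(old_record),
        "fresh_record_is_current": not needs_rehash(make_hash_string(pw)),
    }


if __name__ == "__main__":
    print(demo())
```

The practical check when copied credentials stop working is therefore to confirm that the verifier on the new side is given exactly the stored string (no truncation by a column width, no re-encoding) and the same secrets outside the row, if any, that the original side used.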
Thanks for the explanation
Why dont we use symbols instead of letters and numbers for password security in todays day and age? It would be much much more secure whatever it is.
video was great thanks bro
Thank you for this video! Very clear explanation. You are a good teacher.
yeah, this video was really easy to understand
Thanks for the video! I was trying to figure out how salts were stored and you explained it perfectly
Never use standard MD5.
liked it so much, would love to see more. not even breaking any stupid RUclips laws
Finally I understand what peppers are. I was always confused and thought pepper and salt are the same
Great explanation
Liked for Ainsley
A really good video, thanks man.
That's really gold content, the way you explained it is outstanding, thanks a lot bro :)
Pswd = hash(peper(salt(userinput, SALT)));
good video 😀
What about double or triple hashing? (Is it a good, or dumb, idea?)
Very well explained 👏
Thank you very much 😊
smoke weed everyday
Thank you!
great explanation and easy to understand
thank you for this tutorial.
you cleared my doubt, it's very informative. thanks
Can you please provide an example in java for salt and pepper implementation
so nice😃😃
very helpful
Very very well explained. Thx so much.