nice video, and also hello fellow mangadex users.
Hello, mangadex user here.
Grating cheese fellow mangadex user
Hello frens
Greetings, fellow mangadex users.
Hello
exceeded my expectations
Nice explanation.
Very clear thanks
Thanks for a great explanation!
nice, very informative
what if you hash the hash and the salt?
Storing Hash (password + static salt) = HASHnew (lets say) in database is a bad idea. If the database is compromised, the attacker can use that static hash value (i.e.HASHnew) and pass it through MiTM to get authenticated.
salt is not static but random
The difference is... never use MD5 ;)
Imagine suddenly getting views flood because manga website recommends your video :)))
stonks
thanks a lot ❤️❤️
Hello Mangadex people
The title is misleading. It explains nothing about working of bcrypt.
I'm bob :c
What about bcrypt? Change title it’s misleading
Views are gonna go stonks, now that mangadex promoted it
same i came from there 😂
Stonks
I also came from there 😂😂
Pretty sure we all came here because we were bored
STONKS
whew, im safe. my password is way too weeb to be in any dictionary.
same
Joke's on you, the hackers are weebs, too.
meaning?
Mine's too personal so it might as well be random
problem is, if one of the mangadex users uses a password that he has in his dictionary, he would be able to find all the other passwords using their hash. He just has to find one match to get all the others (I guess, the video doesn't make that point very clear but, I assume that is the way it works)
This was actually really interesting. Thanks mangadex 😂
no one cares
Came because of mangadex, stayed because of the easy to understand explanations. I can foresee myself coming to this channel a lot 😲
It's dead tho.
It doesn't seem to be active tho and even when it was active it seemed to be a mix of conferences and someone's garbage bin, this seems like the most useful thing on it. Nice to have this though since clicking around all the other videos on this are needlessly complicated (one even turning "what is plain text?" into a drawn out and complicated explanation, wtf)
Mangadex users👀
I just wanted a site to read some manga , how did I get here lmao
i get none of this but i feel safer now thanks mangadex
From what I understand:
"abc123" + "salt" => [bcrypt] => "ab7qru.."
Salt can be any string of characters and is protection against dictionary attacks (hackers generate a dictionary of common passwords and test it against the database). Generally, salt is unique for each user taking account their join-date, their age, etc. If we take that into account, it can turn into:
[salt] = [join date] + [age] ^ 2
[password-digest] = bcrypt([password] + [salt])
TLDR = It takes a long time to decrypt a single password from a single account.
haha jokes on the mangadex hackers, my password was already leaked along with my username on compromised password list.
Exactly, mine has been leaked and in the wild since 2010, so it's old news! there's nothing of value behind that password.
@@AJ-po6up even if they try to use it on other website, the most they'd get out of it would be some edgy comment list I made years ago. Nothing of value was lost. That's why I always use my leaked password for non crucial websites lol.
Nice explanation of password hashing and salts, but I have to admit I came here looking for an explanation of bcrypt specifically.
A dictionary attack is specifically a brute force attack using dictionary terms. A look up table of hashes is known as a rainbow table. Some rainbow tables are produced using a dictionary attack. A salt should be unique to each user. Salts make it hard to produce rainbow tables because you would have to create a different rainbow table for every possible salt. So it's every possible password times every possible salt.
I'm here bcoz of what happened to mangadex,..😭😭😭😭
this man must be confused with the mangadex comments
Something he didn't mention is that you typically generate a salt _per password_. That means that generating the hash dictionary (or "rainbow table" as they're typically called) is impossible to generate in the first place.
This means that cracking each password is _even slower_ because two users who have the same password will have different password digests, because they have different salts.
Thanks for the video and i want to thank MangaDex team for introducing me to this channel
This video makes it seem like you use a single salt for all users, which you must not do! Instead you should give each user their own random salt and store it with the user in the database.
That way an attacker has to create a separate dictionary for each user. Additionally, the same password hashes differently for different users. So even if Alice and Bob use the same password, this is not apparent in the database because the hashes still differ.
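To make the point of the comment above concrete, here is an added example (not the video's material and not any commenter's code). It puts Alice and Bob, who chose the same password, through both schemes: one fixed salt shared by every account, and a fresh random salt per user stored next to the digest. PBKDF2-HMAC-SHA256 from Python's standard library is used as a stand-in for bcrypt so the example runs offline; the salt handling, which is what matters here, is the same for both. The account names, passwords and the static salt are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt here so the
# example runs offline; the salt handling is the point, and it is the same for both.
ITERATIONS = 100_000

# Constructed, deliberately bad: one fixed salt shared by every account.
STATIC_SALT = b"one-salt-for-everyone"


def hash_with_static_salt(password: str) -> bytes:
    """Digest with a salt shared by all users (the pattern to avoid)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), STATIC_SALT, ITERATIONS)


def hash_with_random_salt(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Digest with a fresh 16-byte random salt.

    The salt is returned so the caller stores it next to the digest; it is not
    secret, it only has to be unique per user.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored per-user salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored_digest)


def duplicates_visible(digests: List[bytes]) -> bool:
    """True if two stored digests are identical, i.e. someone reading the table
    can tell that two accounts share a password without cracking either."""
    return len(set(digests)) < len(digests)


def build_tables(users: Dict[str, str]) -> Tuple[List[bytes], List[bytes]]:
    """Hash the same user -> password mapping both ways; return the two digest columns."""
    static_column = [hash_with_static_salt(pw) for pw in users.values()]
    random_column = [hash_with_random_salt(pw)[1] for pw in users.values()]
    return static_column, random_column


if __name__ == "__main__":
    # Constructed sample accounts; Alice and Bob chose the same password.
    users = {"alice": "correct horse", "bob": "correct horse", "carol": "battery staple"}
    static_column, random_column = build_tables(users)
    print("static salt, duplicates visible:", duplicates_visible(static_column))    # True
    print("per-user salt, duplicates visible:", duplicates_visible(random_column))  # False
```

Run it and the static-salt column shows Alice's and Bob's rows as identical, while the per-user-salt column does not; `verify` still works because the salt is stored with the digest, so there is no cost to doing it right.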
Please change the title to hashing and password security. "bcrypt" in title is misleading, I thought it explains about bcrypt working!
Ok, so Mangadex is using an enigma machine. Got it.
haha
From mangadex✌🏻
A BCrypt hash includes salt and as a result this algorithm returns different hashes for the same input..
Shit now I don't remember what my password to mangadex was :/ Is there any way to show it now?
If you're on Chrome, go to Settings, then Passwords
it's 2021 use a password manager goddammit!
dont feel as scared about the mangadex leak now
Thanks for this video. I finally understood how bcrypt works, especially the part about salts. One of the main advantages of bcrypt is that it cannot go obsolete as computers become faster because you just have to increase the number of rounds of hashing.
When first released in 1999, the recommended number of rounds was 2^6...now you should use 2^15 for increased security.
haha i don’t know my password so they can’t get my account haha take that hackers now let me read jojo
Personally I have a different password for every site, with a fake email address and an original name/20
i was panicking because i thought i wasn't going to be able to read the new part 8 chapter
Thank god I read JOJO with no email in mangadex. Nice video btw.
Cartoon > Animation > Anime > OPM > Mangadex > Hack Reactor
Great Journey so far, learned a lot.
My 4 months security class in 7 minutes
I feel personally attacked... Thanks for the explanation tho.
so if you use an uncommon password then they wouldn't have it in their dictionary and you'd be safe?
No, it should be unique. Like a project/operation name, with numbers (birthday date, or other for you meaningful dates).
THANK GOD I USED A GOOGLE RECOMMENDED PASSWORD
Is my Crunchyroll safe😭😭
ohh, the reason is really-really great and so funny for me 😂😂
don't share your worthless thoughts
5:18 so... basically it is like elimination in algebra, hahaha
i just wanted to read part 7
I was panicking because i thought I couldn't read the new part 8 chapter
thank god i read it on mangadex a year ago
My name isn't bob.
I am bob.
Basically this video has a wrong title, because you don't explain any factors as to why bcrypt is slow, so any algorithm could have been used and therefore this video shoulda been called: how hashing passwords work integrated with salt (loosely explained). - I came here to find info on bcrypt, and there was none cept "it's slow".
Isn't that a rainbow table? I thought a dictionary attack was when you bruteforce using common words instead of individual characters.
They made a api but I can’t use it cause I can only read on mobile at the time and idk if the website is going up anytime soon :(
At 6:00, why does a hacker compromising the password also compromise the salt? And how can a hacker compromise the password??
Brute force, rainbow, dictionary
Hey its sketchbook
The best explanation I have watched on bcrypt functionality. Thanks
the hackers really fucked up my fav manga website.
This is a new low hackers. A new low, why can't you hack some real life things like billboards.
And I finally found another website to read manga on. :(
............which is??? (what's the name of the site)
How can the hacker take the salt from a hash? That should not be possible? At 6:00 in the video...
Slightly off topic but
As a mangadex user, is there anything i should do??
Why didn't I know about this in my college days?
Now I feel like an idiot using md5 to encrypt my projects...
Depending on how old you are, md5 would've been fine for the computing power of the day
Hack Reactor must be a bit confused with sudden views increase.
I WANT THIS OFF OF MY RUclips. It won't let me delete it!!!!
what are you a smart user or not so smart user?
im a not so smart user, rip mangadex account, rip life
But if I didn't sign up to the website and the website got hacked then am I safe or not?
mangadex is way more responsible with their security than most corporations are
welp... gotta change my password with associated accounts now... sigh..
I did not plan to do this but my mangadex gmail acc is the same as my facebook gmail lol and someone tried to change my password, jokes on you hacker, for every site I use a different password even I forget about them
lmao tbh relate, I've lost like 30% of accounts I've made as a kid on kiddie flash game websites
Where is my MANGA AAAAAAAAAAAAAAAAAAAAAAAAAAAHHHHHHHHHHHHH!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
How are you writing so good with a mouse. WTH
Poor Mangadex :(
Where do you read your manga now?
Mangasee ig
I used to read from the scanlators' respective websites, but I recently found Manganeko.net and it has no ads so its pretty good.
Do hackers use Chinese words. To know the password? With my ex girlfriend number?
yes they know Chinese and they also know your ex girlfriend, I'm sorry but you're fooked.
i came here from mangadex
lets be real we are all bob (im coming from mangadex btw)
im sad to say
i am a bob
but im also happy to say that now i am an alice
Yahhhhhhhhhhh so I'm ah go and start to change all my password
I'm pretty sure it's slow because it probably uses multiple salts before and after the hash and is unique for every user. Other than that, if one found out about the salt, well then wouldn't the entire bcrypt database be compromised?
BCrypt uses a single per-user salt. You just hash it over and over again to slow the hashing process. The salt is actually embedded in the hash itself with the work factor (Format looks like $bcryptVersion$workFactor$saltHash) so you do have the salt for everyone. But that means you can't bruteforce all your database with that salt, only a single user.
Nice Explanation. Thank You.
Okay, so it's "designed" to be slow, but how does one do that? Surely it's not as easy as inserting a ton of WAIT clauses or somesuch that someone else compiling the algorithm for themselves could just take out and/or something easily alleviated by throwing ever more computation power at it thanks to Moore's, right?
The hashing algorithm takes computational work, which takes time. It's designed to be slow by just doing more and more computational work, the attacker knows the exact computations he needs to do to get the same hash, but he needs to do it on every password he tries to guess.
So if the computation takes 10 seconds, then each guess of his will cost him 10 seconds which he will have to go through for each of his guesses.
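Two comments above describe the `$bcryptVersion$workFactor$saltHash` layout and the "more work per guess" idea. This added example (not the video's material and not any commenter's code) makes both concrete: it parses bcrypt's modular-crypt string into version, cost, salt and digest, turns the cost into the number of key-setup rounds (2^cost, so each +1 doubles the time), and runs two checks a defender would want over a password column: are any salts reused across rows, and which rows were hashed at a cost below current policy and should be rehashed at next login. The hash strings are constructed filler of the right shape and alphabet, not the bcrypt of any real password.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# bcrypt's modular-crypt string: $<version>$<cost>$<22 salt chars><31 digest chars>
# Salt and digest use bcrypt's own base64 alphabet ./A-Za-z0-9 (not standard base64).
_BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Constructed sample strings: well-formed, but the digest part is arbitrary
# filler, not the bcrypt of any real password.
SALT_A = "abcdefghijklmnopqrstuv"              # 22 chars
SALT_B = "ABCDEFGHIJKLMNOPQRSTUV"              # 22 chars
FILLER_DIGEST = "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"  # 31 chars
SAMPLE_HASH = "$2b$12$" + SALT_A + FILLER_DIGEST


@dataclass
class BcryptFields:
    version: str
    cost: int
    salt: str
    digest: str

    @property
    def rounds(self) -> int:
        """Work factor: bcrypt's expensive key setup is repeated 2**cost times."""
        return 2 ** self.cost


def parse_bcrypt(s: str) -> BcryptFields:
    """Split a bcrypt string into its fields; the salt is in the clear by design."""
    m = _BCRYPT_RE.match(s)
    if m is None:
        raise ValueError("not a bcrypt modular-crypt string")
    version, cost_text, salt, digest = m.groups()
    cost = int(cost_text)
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} out of range 4..31")
    return BcryptFields(version, cost, salt, digest)


def is_bcrypt_string(s: str) -> bool:
    try:
        parse_bcrypt(s)
        return True
    except ValueError:
        return False


def scale_time(seconds: float, from_cost: int, to_cost: int) -> float:
    """Each +1 on the cost doubles the work, so a measured hash time scales by 2**delta."""
    return seconds * 2.0 ** (to_cost - from_cost)


def shared_salts(hashes: List[str]) -> Dict[str, int]:
    """Defender check over a password column: salts that appear on more than one row.

    With proper per-user salts this is empty. A salt shared between rows would let
    one guess be checked against all of those rows at once, which is exactly what
    per-user salts are meant to prevent.
    """
    counts: Dict[str, int] = {}
    for h in hashes:
        salt = parse_bcrypt(h).salt
        counts[salt] = counts.get(salt, 0) + 1
    return {salt: n for salt, n in counts.items() if n > 1}


def low_cost_rows(hashes: List[str], minimum_cost: int) -> List[int]:
    """Indexes of rows stored at a cost below policy: rehash these on the user's next login."""
    return [i for i, h in enumerate(hashes) if parse_bcrypt(h).cost < minimum_cost]


if __name__ == "__main__":
    f = parse_bcrypt(SAMPLE_HASH)
    print(f.version, f.cost, f.rounds, f.salt)          # 2b 12 4096 abcdefghijklmnopqrstuv
    print(scale_time(0.25, 12, 14))                      # 1.0 (two cost steps = 4x the time)
    rows = [SAMPLE_HASH, "$2b$10$" + SALT_B + FILLER_DIGEST, "$2a$12$" + SALT_A + FILLER_DIGEST]
    print(shared_salts(rows), low_cost_rows(rows, 12))   # {'abcdefghijklmnopqrstuv': 2} [1]
```

Note that the cost lives in the string itself, so raising it is a per-row migration rather than a schema change: the verifier reads the old cost, checks the password, and if `low_cost_rows` flags the row, writes a fresh hash at the new cost while it still has the plaintext.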
@@jellyrabbits375 Appreciate the response, but it didn't actually explain anything. Just said the same things with different words.
Video: but bob is not so smart
Me: oh that's me
My overthinking saved me this time.
Does bcrypt uses salt to hash password ?
Mangadex view wave
Why BCrypt is better 6:02
so we all came from mangadex huh
I think he will promote l@st pas😆 for storing password but I'm wrong when look at the videos upload times.... 😄
I'm glad...
Great video, thanks!
hello fellow mangadex people...
But really, mangadex. This is the first time that I signed up to a website and got hacked where our PWs and IPs were leaked. How careless of them.
70k
Nice video good that i used a dumpster mail for mangadex but not so good that i don't have access to the dumpster mail anymore after their hack.
thought This was another rick roll (hello there fellow mangadex user)
This answered my questions and then some, thank you!
I want mangadex back
Hello just a thought to my self, what will happen if we encrypt both email and password before storing it in the database?
I came to know about the algorithm of the bcrypt hash but I didn't find anything that helps me; you only told what every hashing algorithm does. I know more than that. This is not bcrypt.
yes hello from mangadex
i got pwned D:
Awesome explanation!
lie