[Tutorial] Short: Security around passwords
#10

Quote:
Originally Posted by AmigaBlizzard
If the server owner doesn't hash passwords and saves them in the database unhashed, are hackers able to just read the password?
If yes, why would they bother to find your password to log into your account and change data?
They have direct access to your database and if they can see the unhashed password, they can also see the other data and change it without even logging in.

Even when the passwords are hashed and they need to brute-force decode the password to see which password would match "drg8512gsgdrg5dr6sa4f8" (hashed password, which they took from your database), what would they need it for?
They can see the hashed password so they can see the data as well, which usually isn't encoded in any way (money, score, kills, ...).
The vast, vast majority of people reuse passwords (even if they shouldn't) - meaning that there are good odds that the majority of the passwords you have stored in cleartext are probably the passwords to your users' email accounts, their social media, their Steam accounts, their banking details, etc.

This is why sites like https://haveibeenpwned.com exist, and it is one of the three main technical vectors I can think of for someone stealing your account; the other two being flat out bruteforcing/dictionary attacking or a keylogger.

Bruteforcing/dictionary attacking can be pretty much eliminated via the user either providing a decent password, or by the script enforcing maximum login attempts and only reporting "invalid credentials" when user/pass is wrong rather than specifying that the password is wrong (which confirms to the attacker that the username is correct and halves the challenge).

Keylogging is a lot harder to defend against - but it's typically challenged via two-factor authentication, or for example requiring the 3rd, 8th, and 11th characters from your password (which most banks now do). I'm considering making the most senior admins on my server use two-factor authentication to log in, for example.

To add to SickAttack's message, salting the password not only increases the password length (which is, fundamentally, the best tool for secure passwords), but it also ensures symbols/capitals/numbers are being used (which further increases entropy because instead of guessing between a selection of 26 characters you are guessing between a selection of close to 100), and finally in the case where the user uses a dictionary word it somewhat mitigates the issue through not making it a dictionary word (though this is still a terrible idea - as anyone who's technically equipped and really wants to get in can just adapt their attack vector to prepend the salt).
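Added example (not the poster's code, and not from the thread): a minimal login back end that puts the defensive points from this post into working code. Each account gets its own random salt stored next to the hash, passwords are run through a slow key-derivation function (PBKDF2-HMAC-SHA256) rather than a single fast hash, the comparison is constant-time, every failure path returns the same "invalid credentials" string, and an account locks for a cooldown period after MAX_ATTEMPTS wrong guesses. The salt is not secret; its job is to make two users with the same password produce different stored values, so a leaked table cannot be cracked with one precomputed list. The usernames, passwords, iteration count and lockout numbers are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed tunables. The iteration count is kept low so the example runs quickly;
# a production deployment should follow current guidance and tune it much higher.
PBKDF2_ITERATIONS = 100_000
MAX_ATTEMPTS = 5            # wrong guesses allowed before the account cools down
LOCKOUT_SECONDS = 300       # cooldown length
GENERIC_ERROR = "invalid credentials"   # same message for bad user, bad password, or locked account


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' with a fresh random salt."""
    if salt is None:
        salt = os.urandom(16)          # per-user random salt, stored in the clear with the hash
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


# Used when the username does not exist, so an unknown-user login costs the same
# time as a known-user login and the response does not leak which usernames are valid.
_DUMMY_RECORD = hash_password("not-a-real-password")


class AccountStore:
    """In-memory stand-in for the users table: hash, failure counter and lockout per account."""

    def __init__(self) -> None:
        self._records = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = {"hash": hash_password(password), "failures": 0, "locked_until": 0.0}

    def stored_hash(self, username: str) -> str:
        return self._records[username]["hash"]

    def login(self, username: str, password: str, now: Optional[float] = None) -> Tuple[bool, str]:
        now = time.time() if now is None else now
        record = self._records.get(username)
        if record is None:
            verify_password(password, _DUMMY_RECORD)   # burn the same work, then fail generically
            return (False, GENERIC_ERROR)
        if now < record["locked_until"]:
            return (False, GENERIC_ERROR)           # locked: even the right password is refused
        if verify_password(password, record["hash"]):
            record["failures"] = 0
            return (True, "ok")
        record["failures"] += 1
        if record["failures"] >= MAX_ATTEMPTS:
            record["locked_until"] = now + LOCKOUT_SECONDS
            record["failures"] = 0
        return (False, GENERIC_ERROR)


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery staple")
    store.register("bob", "correct horse battery staple")
    print("same password, different rows:", store.stored_hash("alice") != store.stored_hash("bob"))
    print(store.login("alice", "correct horse battery staple"))
    print(store.login("alice", "wrong"), store.login("nobody", "wrong"))
```

Note that the account lockout here is per username, which stops an online guessing attack against one account but also means a hostile party can lock legitimate players out by spamming wrong passwords; real deployments usually pair it with per-source rate limiting or a growing delay instead of a hard lock.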


Messages In This Thread
Short: Security around passwords - by Alcatrik - 15.10.2016, 01:30
Re: Short: Security around passwords - by BurnZ - 15.10.2016, 01:36
Re: Short: Security around passwords - by Gotham - 16.10.2016, 05:52
Re: Short: Security around passwords - by Spmn - 16.10.2016, 08:58
Re: Short: Security around passwords - by BurnZ - 16.10.2016, 09:02
Re: Short: Security around passwords - by Jayse - 16.10.2016, 09:34
Re: Short: Security around passwords - by AmigaBlizzard - 16.10.2016, 23:10
Re: Short: Security around passwords - by BurnZ - 17.10.2016, 00:18
Re: Short: Security around passwords - by SickAttack - 17.10.2016, 03:21
Re: Short: Security around passwords - by Alcatrik - 18.10.2016, 15:57
