Question
I am dealing with a system (in development) that uses randomly generated (not user provided), unique strings to authenticate services that will be consuming an API. Right now, these strings are stored in the database in plain text.
I would like to understand if there is a strong reason to re-engineer this system, so that these strings are salted and hashed.
My understanding of the reasons for storing passwords only as salted hashes is as follows:
1. An attacker may gain access to your database.
2. At this point you don't have much left to lose; the attacker can already access your customer's data, and do pretty much whatever he wants. User passwords are a moot point. HOWEVER...
3. Your users may be using the same password for other things. If you don't salt and hash properly, the attacker can use the stolen credentials to gain control of other resources, that have nothing to do with your system (besides sharing the same users, with bad password habits).
In other words, the point of salting and hashing passwords is to protect users from the consequences of password reuse. In my case, however, password reuse should not be a factor.
Is there still a strong reason to modify the system to salt and hash these "passwords" as well?
Explanation / Answer
It's a fair question; there are considerations you may not have thought of:
- There are ways attackers can get access to parts of your database without accessing all of it, so your point 2 isn't quite correct. Coding errors can leak data, as can SQL vulnerabilities. An attacker could get a dump of your passwords and nothing else.
- If you aren't storing your passcodes hashed then you probably are transmitting them in the clear, in which case they could be sniffed if you are not correctly using SSL. Hashing these would provide defense in depth against attacks against transmission.
- Hashing stored passwords shows due diligence and a commitment to security. If you got breached and it became known that you weren't hashing your passwords it would look bad, even if your reasoning was sound. If you were audited it would look bad as well.
My advice would be to hash your passwords; it's easy enough to do and the benefit is there.
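The following sketch is an added example, not code from the question or the answer: it shows one way to store randomly generated service tokens as salted hashes so that a dump of the credentials table alone does not yield usable tokens. The `key_id.secret` token layout, the in-memory `CREDENTIALS` table and the function names are assumptions for illustration, and a single salted SHA-256 is used on the assumption that each secret carries 256 bits of randomness.

```python
import hashlib
import hmac
import secrets

# In-memory stand-in for the credentials table (hypothetical schema):
# key_id -> (salt, digest). The secret itself is never stored.
CREDENTIALS = {}


def _digest(salt: bytes, secret: str) -> bytes:
    """Salted SHA-256 of the secret half of a token."""
    return hashlib.sha256(salt + secret.encode("ascii")).digest()


def issue_token(store=CREDENTIALS) -> str:
    """Create a credential, persist only salt + hash, return the token once."""
    key_id = secrets.token_hex(8)        # non-secret lookup handle
    secret = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    salt = secrets.token_bytes(16)       # per-token salt
    store[key_id] = (salt, _digest(salt, secret))
    return f"{key_id}.{secret}"          # shown to the service exactly once


def verify_token(presented: str, store=CREDENTIALS) -> bool:
    """Check a presented token against the stored salted hash."""
    key_id, sep, secret = presented.partition(".")
    record = store.get(key_id)
    if not sep or record is None:
        return False                     # malformed token or unknown key_id
    salt, expected = record
    try:
        actual = _digest(salt, secret)
    except UnicodeEncodeError:
        return False                     # non-ASCII input cannot be a valid token
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    token = issue_token()
    key_id = token.split(".", 1)[0]
    leaked_digest = CREDENTIALS[key_id][1].hex()   # what a table dump exposes
    print("genuine token accepted:", verify_token(token))
    print("leaked digest accepted:", verify_token(f"{key_id}.{leaked_digest}"))
```
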