[go: up one dir, main page]

Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Salting and hashing password instead of simply hashing it #1705

Open
s-celles opened this issue Oct 3, 2024 · 1 comment
Open

Salting and hashing password instead of simply hashing it #1705

s-celles opened this issue Oct 3, 2024 · 1 comment

Comments

@s-celles
Copy link
s-celles commented Oct 3, 2024

Hello,

Thanks for Dashy this is a very nice looking project. But

Hashing passwords with SHA256 alone is not sufficient for secure password storage. Here's why:

  1. Speed: SHA256 is designed to be fast, which is good for many applications but problematic for password hashing. An attacker can compute billions of SHA256 hashes per second on modern hardware, enabling rapid brute-force attacks.

  2. No salt: SHA256 doesn't inherently use a salt. Without a unique salt for each password, attackers can use rainbow tables or precomputed hash tables to crack multiple passwords simultaneously.

  3. Vulnerability to GPU/ASIC attacks: The speed of SHA256 makes it particularly vulnerable to attacks using specialized hardware like GPUs or ASICs, which can compute hashes extremely quickly.

  4. No work factor: SHA256 lacks a configurable work factor, meaning you can't easily increase its computational cost as hardware improves over time.

  5. Lack of memory-hardness: SHA256 doesn't require significant memory to compute, making it susceptible to large-scale parallel attacks.

To address these issues, it's recommended to use password hashing algorithms specifically designed for this purpose, such as:

  • bcrypt
  • Argon2
  • scrypt
  • PBKDF2

These algorithms incorporate salting, have configurable work factors, and are deliberately slow to compute, making them much more resistant to various types of attacks.

Kind regards

@CrazyWolf13
Copy link
Collaborator

Hi thanks for the concerns and writing this.

Look here for much more regarding security of this application.

https://subract.dev/posts/dashy/

I myself have stopped working on this project(I was the main reason why development even started again, but there has been no reaction from the owner since weeks/months.

Therefore I've stopped investing time into this project and switched to another solution.

Security is just too important, for it to be left aside for soo long even when the main focus of the owner is privacy & security.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants
@s-celles @CrazyWolf13 and others