I know you gotta store the passwords hashed but doesn’t that just move the goalposts? How come someone can’t use the hashed end result to get into the service it was used for?
I know you gotta store the passwords hashed but doesn’t that just move the goalposts? How come someone can’t use the hashed end result to get into the service it was used for?
One thing not mentioned is that modern password hashing algorithms will iterate your password hundred of thousand of times. This makes cracking the hash much more time intensive. For example if 1 hash takes 1ms (most hash algorithms are way quicker), then 1000 iterations of that means it will take 1 second to compute your hash from the input. The server has to spend that time to validate your password when you login, but that’s a small tradeoff to make brute force attempts which will now have to calculate 1000x hashes for each input.
We updated to the NIST recommendation of 600000 iterations a few years ago when it was released, with regular increases every year. Logins take upwards of 5 seconds but it’s added security in the event the data is leaked.