Lissy93/dashy

Salting and hashing password instead of simply hashing it

Opened this issue · 1 comment

Hello,

Thanks for Dashy, this is a very nice-looking project. But

Hashing passwords with SHA256 alone is not sufficient for secure password storage. Here's why:

  1. Speed: SHA256 is designed to be fast, which is good for many applications but problematic for password hashing. An attacker can compute billions of SHA256 hashes per second on modern hardware, enabling rapid brute-force attacks.

  2. No salt: SHA256 doesn't inherently use a salt. Without a unique salt for each password, attackers can use rainbow tables or precomputed hash tables to crack multiple passwords simultaneously.

  3. Vulnerability to GPU/ASIC attacks: The speed of SHA256 makes it particularly vulnerable to attacks using specialized hardware like GPUs or ASICs, which can compute hashes extremely quickly.

  4. No work factor: SHA256 lacks a configurable work factor, meaning you can't easily increase its computational cost as hardware improves over time.

  5. Lack of memory-hardness: SHA256 doesn't require significant memory to compute, making it susceptible to large-scale parallel attacks.

To address these issues, it's recommended to use password hashing algorithms specifically designed for this purpose, such as:

  • bcrypt
  • Argon2
  • scrypt
  • PBKDF2

These algorithms incorporate salting, have configurable work factors, and are deliberately slow to compute, making them much more resistant to various types of attacks.

Kind regards

Hi, thanks for the concerns and for writing this.

Look here for much more regarding the security of this application.

https://subract.dev/posts/dashy/

I myself have stopped working on this project (I was the main reason why development even started again, but there has been no reaction from the owner for weeks/months).

Therefore I've stopped investing time into this project and switched to another solution.

Security is just too important for it to be left aside for so long, even when the main focus of the owner is privacy & security.