Benjamin-Pasternak / Security_project


Hashed Password Storage #5

Open spachava753 opened 2 years ago

spachava753 commented 2 years ago

You mention in your README here that you are using SHA-256 for password hashing. You should also salt your passwords, or switch to using more modern password cryptographic storage algorithms mentioned here, like argon2id or bcrypt, which have salts baked in. You can see more information about un-salted password hashes and password cracking methods here: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#how-attackers-crack-password-hashes.

This is an interesting blog post about SHA-256 password hashing here: https://dusted.codes/sha-256-is-not-a-secure-password-hashing-algorithm
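The contrast the issue draws, as an added example that is not code from the Security_project repository or from any of the commenters: an unsalted SHA-256 digest is identical for every user who picks the same password and can be precomputed, while a salted, deliberately slow password hash is unique per record and costs the attacker one full derivation per guess. The example uses Python's standard-library scrypt in place of argon2id or bcrypt (both need third-party packages); the `scrypt$N$r$p$salt$hash` record format, the function names and the sample passwords are assumptions made here, and the work-factor parameters are one of the sets listed in the OWASP Password Storage Cheat Sheet linked above.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work-factor parameters for scrypt. Memory use is 128 * N * r bytes, so this
# set (16 MiB) stays under Python's default scrypt memory limit; it is one of
# the parameter sets listed in the OWASP Password Storage Cheat Sheet.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 5
SCRYPT_MAXMEM = 64 * 1024 * 1024  # explicit cap so a bad record cannot demand unbounded memory
SALT_BYTES = 16                    # 128-bit random salt per stored record
DKLEN = 32                         # derived-key length in bytes


def sha256_unsalted(password: str) -> str:
    """The scheme the issue criticises: same password -> same digest for every user,
    so one precomputed table of common passwords matches every row at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$<salt_b64>$<hash_b64>.

    Storing the parameters alongside the hash lets the work factor be raised
    later without invalidating existing records. (Record format is assumed here.)
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt; never shared between records
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=DKLEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and parameters from the record; compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, hash_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        candidate = hashlib.scrypt(
            password.encode("utf-8"), salt=salt,
            n=int(n), r=int(r), p=int(p), maxmem=SCRYPT_MAXMEM, dklen=len(expected),
        )
    except (ValueError, TypeError):
        return False  # malformed record: fail closed instead of raising
    # hmac.compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    alice = sha256_unsalted("Summer2023!")
    bob = sha256_unsalted("Summer2023!")
    print("unsalted SHA-256 identical across users:", alice == bob)
    rec_a = hash_password("Summer2023!")
    rec_b = hash_password("Summer2023!")
    print("salted scrypt records identical:", rec_a == rec_b)
    print("verify correct password:", verify_password("Summer2023!", rec_a))
    print("verify wrong password:  ", verify_password("Summer2024!", rec_a))
```

Run stand-alone, the script shows the two unsalted digests match while the two scrypt records differ, and that verification still succeeds because the salt travels inside the record rather than being stored or derived separately.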

Benjamin-Pasternak commented 2 years ago

Breaking sha256 using a dictionary attack is possible but would require gaining access to the secured database.

symxmyz233 commented 2 years ago

Thank you for your effort in finding bugs. Breaking SHA256 is feasible but hard. So, it should not be a bug here.