So, basically, prove that per-user salts and using HMAC instead of whatever still don't fix anything.
Example text:
A company's intranet login (accessible at hmac-password-store-intranet) was recently compromised with a SQL injection attack. They have fixed the issue since then, but the breach resulted in a complete user table dump. You can access it at hmac-password-store-csv-dump.
Fortunately, they didn't store the passwords in plaintext. It even appeared to tick all the right boxes.
- they used a cryptographically secure hash function (SHA-256).
- they used a per-user salt.
- they used HMAC to mix the salt with the password (with the salt as the key).
Log in as the admin user.