Crypto, hashes and password questions, total noob?

Question

I\'ve read several stackoverflow posts about this topic, particularly this one:

Secure hash and salt for PHP passwords

but I still have a few questions, I ne

Answer 1

The security of cryptographic algorithms is always in their secret input. Reasonable cryptanalysis is based on an assumption that any attacker knows what algorithm you use. Good cryptographic hashes are non-invertible and collision resistant. This means that there's still a lot of work to do going from a hash to the value that generated it, regardless of whether you know the algorithm applied.

1. If you used a secure hash, access to the hash, salt, and algorithm will still leave a lot of work for a would-be attacker.
2. Yes, a secure hash puts a very hard to invert algorithm on your side. Note that this inversion is not 'reverse-engineering'
3. The weak link is probably the processes and procedures that get those password hashes into the database. There are all sorts of ways to screw up and store sensitive data in the clear.

As I noted in a comment, there are attacks that these measures defend against. First, knowing the password may lead to authorization to do things beyond what the contents of the database suggest. Second, those passwords may be used elsewhere, and you expose your users to risk by revealing their passwords as a result of a break-in. Third, with hashing, an insider can't exploit read-only access to the database (subject to less auditing, etc.) to impersonate a user.

Dictionaries and rainbow tables are techniques for accelerating hash inversion.