Posted on 08/06/2014 7:24:21 AM PDT by servo1969
A brief introduction to password hashing for the uninitiated -- and why you should never trust a site that emails your password back to you!
You make a hash of the password and store the hash. Security 101.
Nice explanation. Thanks.
Thanks for posting. I had wondered about this issue. Had the notion that they somehow did not have your actual password. Now I understand.
A "hashing function" is a mathematical algorithm that converts an input string into some other form, often for ease of lookup. The most important element of password security for hashing functions is that they are one way, that is, you can't get the original string back out of the hashed value.
When you input your password, it is hashed and checked against a table that stores the hashed value of your password, and are allowed access if they match. But the hashed value can't be used to reconstruct your password.
That is not really the whole story. If the hashing algorithm is known, and hackers steal the table of hashed passwords, they will often try hashing commonly used passwords and searching the table for matches.
In order for hashing to work, the hash for ‘test123’, ‘password’, and such commonly used passwords will always be the same. Hackers can take thousands of commonly used passwords, hash them, and get large numbers of hits on table.
The best way to avoid this is to salt the hash with something known only at the website. For example, I could take the first 3 characters of your first name, append the password to that, and then apply the hashing algorithm.
(I didn’t watch the video so excuse me if I’m making the same point)
A password should not only be hashed, it should be salted, if not salted it can be found out easily.
There are rainbow dictionaries published on the web that can “decrypt” a password.
Rainbow dictionaries work by hashing every possible combination of a set of characters.
Salting is a website adding a bit of data to the password to be encrypted.
For example:
ThisIsMyPassword
to salt it the website would add: %$&F to the password and encrypt it.
ThisIsMyPassword%$&F
I have even worked in a company where the hash was salted as well.
$password = ‘ThisIsMyPassword’;
$salt1 = ‘%$&F’; // Unique per user
$salt2 = ‘#$j@^’; // Unique per company.
$result = md5(md5($password.$salt1).$salt2);
The result would take a very very long time to try to decrypt with the rainbow method even if someone were to discover both salts.
Anyone who gets hold of the hashed value ("a#G32!n1") can't actually reconstruct my password from it, even if they know the hashing algorithm.
Now, a poor implementation that uses the exact same hash for all users, as you describe, basically becomes solvable like a cryptogram puzzle in a newspaper through the use of brute force and statistical patterns. That is, common hashes would indicate common passwords, and throwing the insecure passwords that unknowledgeable users often go with with will be enough to compromise multiple accounts. So a good hashing algorithm mixes in something else (part of the user id, whether it's the name or the internal ID number, for example) to make my "Freeper1998" hash differently from your "Freeper1998" even though they're the same password.
Gibson has a 64 digit ultra high security free password generator. Hit refresh to see new strings.
https://www.grc.com/passwords.htm
Importantly, some of the security companies have been moving *away* from such high security codes, for no clear reason, limiting their users to as few as 16 digits, which relatively speaking, is easy to crack. Many websites allow no more than 8 digits, which is just laughable.
If you have any question about Gibson’s passwords, just changing a few characters in them should resolve any problem.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.