Free Republic
Browse · Search
General/Chat
Topics · Post Article

To: virgil283
I don't know what you mean; could you explain?

A "hashing function" is a mathematical algorithm that converts an input string into some other form, often for ease of lookup. The most important element of password security for hashing functions is that they are one way, that is, you can't get the original string back out of the hashed value.

When you input your password, it is hashed and checked against a table that stores the hashed value of your password, and you are allowed access if they match. But the hashed value can't be used to reconstruct your password.

6 posted on 08/06/2014 7:48:37 AM PDT by kevkrom (I'm not an unreasonable man... well, actually, I am. But hear me out anyway.)


To: kevkrom

That is not really the whole story. If the hashing algorithm is known, and hackers steal the table of hashed passwords, they will often try hashing commonly used passwords and searching the table for matches.

In order for hashing to work, the hash for ‘test123’, ‘password’, and such commonly used passwords will always be the same. Hackers can take thousands of commonly used passwords, hash them, and get large numbers of hits on the table.

The best way to avoid this is to salt the hash with something known only at the website. For example, I could take the first 3 characters of your first name, append the password to that, and then apply the hashing algorithm.


7 posted on 08/06/2014 8:01:41 AM PDT by proxy_user

To: kevkrom

(I didn’t watch the video so excuse me if I’m making the same point)

A password should not only be hashed, it should be salted; if it is not salted, it can be found out easily.

There are rainbow dictionaries published on the web that can “decrypt” a password.

Rainbow dictionaries work by hashing every possible combination of a set of characters.

Salting is a website adding a bit of data to the password to be encrypted.

For example:
ThisIsMyPassword

to salt it the website would add: %$&F to the password and encrypt it.

ThisIsMyPassword%$&F

I have even worked in a company where the hash was salted as well.

<?php
$password = 'ThisIsMyPassword';
$salt1 = '%$&F';  // Unique per user
$salt2 = '#$j@^'; // Unique per company

// Hash the password with the per-user salt, then hash that digest again with the company salt
$result = md5(md5($password . $salt1) . $salt2);
echo $result;

The result would take a very very long time to try to decrypt with the rainbow method even if someone were to discover both salts.


8 posted on 08/06/2014 8:08:24 AM PDT by the_boy_who_got_lost (Real men scare liberals)
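The point the replies above make, shown in working code (an added example, not code from any poster): a precomputed table of common-password digests recovers every unsalted record that used one of those passwords, while a random per-user salt makes the same table useless and gives two users with the same password different digests. It uses SHA-256 rather than the MD5 in the post, and the user list and "common password" list are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny stand-in for the thousands of common
# passwords an attacker would precompute into a rainbow/dictionary table.
COMMON_PASSWORDS = ["password", "test123", "123456", "qwerty", "letmein"]


def unsalted_hash(password: str) -> str:
    """Hash the password alone: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Hash salt + password: identical passwords give different digests per user."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_lookup_table() -> dict:
    """Precompute digest -> password for the common list (what a rainbow table holds)."""
    return {unsalted_hash(pw): pw for pw in COMMON_PASSWORDS}


def store_unsalted(users: dict) -> dict:
    """Password table as kevkrom describes it: one digest per user, no salt."""
    return {name: unsalted_hash(pw) for name, pw in users.items()}


def store_salted(users: dict) -> dict:
    """Password table with a random 16-byte salt stored beside each digest
    (the per-user $salt1 of the post, but random rather than derived from a name)."""
    records = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        records[name] = (salt, salted_hash(pw, salt))
    return records


def recovered_by_lookup(table: dict, digests) -> int:
    """Count stolen digests the precomputed table recovers; zero means salting worked."""
    return sum(1 for d in digests if d in table)


def verify_salted(record, candidate: str) -> bool:
    """Login check: re-hash the candidate with the stored salt, compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(digest, salted_hash(candidate, salt))
```

A production system would also run the salted input through a deliberately slow password hash (PBKDF2, bcrypt, scrypt or Argon2) so that hashing one guess per user is expensive; this example shows only the effect of the salt.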



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson