|
|
Security Basics
Hashing passwords Jun 11 2012 05:33PM haZard0us (hazard0us pt gmail com) (3 replies) Re: Hashing passwords Jun 11 2012 05:55PM Ansgar Wiechers (bugtraq planetcobalt net) (2 replies) Re: Hashing passwords Jun 11 2012 07:11PM Kai Wirt (u-turn1 gmx de) (1 replies) Re: Hashing passwords Jun 11 2012 06:32PM Rory Browne (rbmlist gmail com) (1 replies) RE: Hashing passwords Jun 12 2012 01:54PM Liam Randall (Liam Randall gigaco com) (1 replies) Re: Hashing passwords Jun 12 2012 05:39PM martin mngoma gmail com (1 replies) Re: Hashing passwords Jun 12 2012 06:30PM Kai Wirt (u-turn1 gmx de) (2 replies) Re: Hashing passwords Jun 12 2012 11:07PM Kurt Buff (kurt buff gmail com) (2 replies) |
|
Privacy Statement |
> The "manuals" say that we should create a salt and then hash it. But, since calculating an hash is a "relative simple" operation (in matter of processing power), is hashing two or three times the password (hash over hash) a "kind of" secure method or it is as weak as not using salt at all?
>
Hey,
To try and help you decide on this take a look at this.
<snip>
# echo -n "secr3tp@ssw0rd" | sha1sum | awk '{ print $1 }'
466e8de9494946f7dd1f6da9f8cd5f2d703919fd
</snip>
This means that the sha1 hash of secr3tp@ssw0rd =
466e8de9494946f7dd1f6da9f8cd5f2d703919fd ( duhr :P )
Considering what password lengths cause in computation time for a
brute forcer ( using pure character brute forcing or wordlists ), here
it had to crack a 14 character password, that had no hash, and is
fairly trivial anyways.
But now lets see, hashing this again:
<snip>
# echo -n "secr3tp@ssw0rd" | sha1sum | awk '{ print $1 }' | sha1sum |
awk '{ print $1 }'
7ab66507a41193ee7e40f734cc5bad486218a7e4
</snip>
This means, the sha1 hash of 466e8de9494946f7dd1f6da9f8cd5f2d703919fd
= 7ab66507a41193ee7e40f734cc5bad486218a7e4.
Again, considering the computation time, this time round the cracker
needs to crack a 40 character password, that has no salt. This hash
meets password length requirements too no doubt :P
Adding a salt to say both of these hashes would ofc increase the
complexity even more. As mentioned earlier in the thread however, at
the cost of extra overload to your application.
So is this more secure? Not something I'm going to answer, but
hopefully it helps to understand why it can "help" :) I also don't
know how far you have to go with your rainbow tables to contain
"hashes of hashes" :D
L.
--
Sent using electronic mail
------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442
f727d1
------------------------------------------------------------------------
[ reply ]