Security Basics mailing list archives
Re: Hashing passwords
From: Leon Jacobs <leonja511 () gmail com>
Date: Wed, 13 Jun 2012 14:02:14 +0200
On Mon, Jun 11, 2012 at 7:33 PM, haZard0us <hazard0us.pt () gmail com> wrote:
The "manuals" say that we should create a salt and then hash it. But, since calculating an hash is a "relative simple" operation (in matter of processing power), is hashing two or three times the password (hash over hash) a "kind of" secure method or it is as weak as not using salt at all?
Hey, To try and help you decide on this take a look at this. <snip> # echo -n "secr3tp@ssw0rd" | sha1sum | awk '{ print $1 }' 466e8de9494946f7dd1f6da9f8cd5f2d703919fd </snip> This means that the sha1 hash of secr3tp@ssw0rd = 466e8de9494946f7dd1f6da9f8cd5f2d703919fd ( duhr :P ) Considering what password lengths cause in computation time for a brute forcer ( using pure character brute forcing or wordlists ), here it had to crack a 14 character password, that had no hash, and is fairly trivial anyways. But now lets see, hashing this again: <snip> # echo -n "secr3tp@ssw0rd" | sha1sum | awk '{ print $1 }' | sha1sum | awk '{ print $1 }' 7ab66507a41193ee7e40f734cc5bad486218a7e4 </snip> This means, the sha1 hash of 466e8de9494946f7dd1f6da9f8cd5f2d703919fd = 7ab66507a41193ee7e40f734cc5bad486218a7e4. Again, considering the computation time, this time round the cracker needs to crack a 40 character password, that has no salt. This hash meets password length requirements too no doubt :P Adding a salt to say both of these hashes would ofc increase the complexity even more. As mentioned earlier in the thread however, at the cost of extra overload to your application. So is this more secure? Not something I'm going to answer, but hopefully it helps to understand why it can "help" :) I also don't know how far you have to go with your rainbow tables to contain "hashes of hashes" :D L. -- Sent using electronic mail ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------
Current thread:
- Re: Hashing passwords, (continued)
- Re: Hashing passwords Kurt Buff (Jun 13)
- Re: Hashing passwords Alexander Klimov (Jun 13)
- RE: Hashing passwords Mikhail A. Utin (Jun 13)
- Re: Hashing passwords Kai Wirt (Jun 13)
- Re: Hashing passwords Kai Wirt (Jun 11)
- Re: Hashing passwords gold flake (Jun 12)
- Re: Hashing passwords Kai Wirt (Jun 12)
- Message not available
- Re: Hashing passwords Jennifer Wachter (Jun 12)
- RE: Hashing passwords Dave Kleiman (Jun 12)