Interesting People mailing list archives

Tech Review article about hashing passwords


From: David Farber <dave () farber net>
Date: Wed, 04 Aug 2004 14:52:49 -0400



Begin forwarded message:

From: "Bosley, John - BLS" <Bosley.John () bls gov>
Date: August 4, 2004 1:26:40 PM EDT
To: "'Dave Farber (farber () cis upenn edu)'" <farber () cis upenn edu>
Subject: Tech Review article about hashing passwords

For IP if deemed worthy

http://www.technologyreview.com/articles/04/08/wo_garfinkel080404.asp



John Bosley
Office of Survey Methods Research
Room 1950, Bureau of Labor Statistics
202-691-7514
fax 202-691-7426

Fingerprinting Your Files
"Hash" functions identify digital content with mathematical certainty—but is that enough to foil the hackers?



By Simson Garfinkel
 The Net Effect
8/04/2004


SUMMARY PRODUCED BY OS X


Wily hackers in Russia, China, and other countries send out piles of e-mail messages looking like they came from some financial institution such as Citibank or Paypal.... You're prompted to enter a username and password and then—wham—the hacker has the keys to your bank account.

...This makes memorization easier, but it means that an unscrupulous website operator can take a list of usernames and passwords from, say, an Internet sweepstakes site and use it to try to break into online bank accounts.

So Stanford cryptographers Blake Ross, Dan Boneh, and John Mitchell have designed a clever plug-in for Internet Explorer that solves this problem by scrambling what you type into the password field so every website sees a different password—a password that’s based both on what you type and on the domain of the website itself.

...The password scrambling method that the Stanford trio has devised is based on a mathematical function called a cryptographic hash—a kind of one-way function that transforms what the user types into a jumble of numbers and letters in a way that cannot be reversed. Because the Stanford system calculates the cryptographic hash of both the website’s domain and the user’s password, the hacker gets different passwords than the legitimate ones.

...When you type your password into the login screen, your browser takes your password, appends these characters provided by Yahoo!, and calculates the cryptographic hash of the resulting string.... Even if you are at a cybercafe having your Web traffic sniffed by Belgian hackers, there's no way for the bad guys to take the resulting hash value and derive your original password.

...So that you can get an idea of how these fingerprinting functions work, we've embedded a JavaScript-based MD5 calculator below.

...The hash functions were envisioned as a kind of cryptographic compression system—a way to take a large file and crunch it down to a short string of letters and numbers.

...Because public-key cryptography involves a lot of heavy-duty math, hash functions make it almost as fast to sign an extremely long file as to sign a short file.

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/