[Melbourne-pm] OT[sort of] plain hashing text passwords

David Warring david.warring at gmail.com
Wed Oct 7 21:35:27 PDT 2009


This is better, but still open to compromise.

The problem is that the hashing is predictable. Weaker to medium strength
passwords can be fairly easily discovered; consider:

 #!/usr/bin/perl
 use Digest::SHA;
 my $sha = Digest::SHA->new;   # no algorithm given, so SHA-1 by default
 my $password = "hello";
 $sha->add($password);         # feed the plain text into the digest
 print $sha->hexdigest;        # hex string of the resulting SHA-1 digest

This produces: aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d

Try googling this! You'll see pages of matches for the hex string, from
which you can discover the original password.

This type of attack can be thwarted by salting the password, ie prepending
some random characters to both the input string and output digest:

See http://www.perlmonks.org/index.pl?node_id=469789 for an example that
combines SHA digests with salting.

Cheers
David

On Thu, Oct 8, 2009 at 2:10 PM, Toby Wintermute <tjc at wintrmute.net> wrote:

> 2009/10/8 John Thornton <jdthornton at ozemail.com.au>:
> > So, does anyone here know how to hash/encrypt/disguise passwords that
> > are in plain text, as the password is on my computer in the .yml file.
>
> use Digest::SHA;
> my $password = "secret_password";
> my $sha = Digest::SHA->new;
> $sha->add($password);
> print "My hashed result is: " . $sha->hexdigest ."\n";
> _______________________________________________
> Melbourne-pm mailing list
> Melbourne-pm at pm.org
> http://mail.pm.org/mailman/listinfo/melbourne-pm
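Salting as described above, written out as an added example (not code from the thread or from the linked PerlMonks node). It stays with SHA-1 and the core Digest::SHA module that the thread uses; the random salt comes from /dev/urandom, so it assumes a Unix-like system. The salt is stored in front of the digest, separated by a '$', so that it can be reused when a login is checked; the function names and the storage format are this example's own choices.

```perl
#!/usr/bin/perl
# Added example: salted SHA-1 password storage and verification.
# Assumes a Unix-like system with /dev/urandom available.
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);

# Return $n bytes from the kernel CSPRNG as a hex string.
sub make_salt {
    my ($n) = @_;
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $got = read $fh, my $bytes, $n;
    close $fh;
    die "short read from /dev/urandom" unless defined $got && $got == $n;
    return unpack 'H*', $bytes;
}

# Produce the stored form "<salt-hex>$<sha1-hex>". A fresh salt is drawn
# unless one is passed in, so two users with the same password get
# different digests and a googled digest no longer identifies either.
sub hash_password {
    my ($password, $salt) = @_;
    $salt //= make_salt(16);
    return $salt . '$' . sha1_hex($salt . $password);
}

# Split the stored form, recompute with the stored salt, and compare
# without short-circuiting on the first differing character.
sub verify_password {
    my ($password, $stored) = @_;
    my ($salt, $digest) = split /\$/, $stored, 2;
    return 0 unless defined $digest;
    my $candidate = sha1_hex($salt . $password);
    return 0 unless length $candidate == length $digest;
    my $diff = 0;
    $diff |= ord(substr $candidate, $_, 1) ^ ord(substr $digest, $_, 1)
        for 0 .. length($candidate) - 1;
    return $diff == 0;
}

my $pw = 'hello';
print "unsalted: ", sha1_hex($pw), "\n";    # identical for every user who picks 'hello'
my $stored1 = hash_password($pw);
my $stored2 = hash_password($pw);
print "salted 1: $stored1\nsalted 2: $stored2\n";   # differ: each has its own salt
print "verify ok:  ", (verify_password($pw, $stored1) ? 'yes' : 'no'), "\n";
print "verify bad: ", (verify_password('wrong', $stored1) ? 'yes' : 'no'), "\n";
```

Running it prints the unsalted digest from the message above followed by two different salted records for the same password. Salting defeats the lookup-by-digest trick, but a single SHA-1 round is still fast to compute, so for real password storage a deliberately slow, salted construction (bcrypt or PBKDF2, for example) is the better choice; the structure of the store-and-verify code stays the same.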