[Melbourne-pm] OT[sort of] plain hashing text passwords

Toby Wintermute tjc at wintrmute.net
Wed Oct 7 21:41:14 PDT 2009


2009/10/8 David Warring <david.warring at gmail.com>:
> This is better, but still open to compromise.
>
> The problem is that the hashing is predictable. Weaker to medium strength
> passwords can be fairly easily discovered, consider:
>
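>  #!/usr/bin/perl
>  use Digest::SHA;
>  # SHA-1 object; the digest shown below is the SHA-1 of "hello"
>  my $sha = Digest::SHA->new(1);
>  $password = "hello";
>  $sha->add($password);
>  print $sha->hexdigest;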
>
> This produces: aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
>
> Try googling this! You'll see pages of matches for the hex string, from
> which you can originally discover the original password.

Well, yes, because the password was "hello". If you're using a
password like "hello" or "qwerty" or "password" then you have a bigger
problem -- someone doesn't even need to google for the password hash.
They will just try a brute-force dictionary attack and pick your
password up quickly.
Salting the hash doesn't protect against that. I think it's better to
prevent users from setting such passwords altogether.

That said, it doesn't *hurt* to salt the hash, and does have a few
benefits as you've pointed out.

Toby
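
The point made in the reply above, as an added example that is not part of the original thread: per-user salts make the stored digests differ, yet re-hashing a short list of common passwords with each stored salt still flags them, so the effective control is refusing such passwords when they are set. The deny list, salts, account names and the helper names `salted_hash`, `is_acceptable` and `audit` are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);

# Constructed sample data: a tiny deny list and two accounts that share one weak password.
my @common = qw(hello qwerty password 123456);
my %salt   = (alice => 'k3Qz91', bob => 'Xp07Lm');   # constructed per-user salts

# Salted digest: SHA-1 over the salt followed by the password (assumed layout).
sub salted_hash {
    my ($salt, $password) = @_;
    return sha1_hex($salt . $password);
}

# Policy check at password-set time: refuse anything on the deny list.
sub is_acceptable {
    my ($password) = @_;
    my $lc = lc $password;
    return 0 if grep { $_ eq $lc } @common;
    return 1;
}

# Audit stored records: which accounts hold a deny-listed password?
# The salt is stored beside the hash, so each candidate is re-hashed with it.
sub audit {
    my ($records) = @_;
    my @weak;
    for my $user (sort keys %$records) {
        my ($salt, $hash) = @{ $records->{$user} };
        push @weak, $user if grep { salted_hash($salt, $_) eq $hash } @common;
    }
    return @weak;
}

# Both constructed accounts use the password "hello".
my %records = map { $_ => [ $salt{$_}, salted_hash($salt{$_}, 'hello') ] } keys %salt;

# Unsalted: every user with this password would store the same digest.
print "unsalted: ", sha1_hex('hello'), "\n";
# Salted: the stored digests differ per user.
print "$_: $records{$_}[1]\n" for sort keys %records;
# The deny-list audit still flags both accounts despite the salts.
print "weak accounts: @{[ audit(\%records) ]}\n";
print "accept 'hello'? ", is_acceptable('hello'), "\n";
print "accept 'correct horse battery'? ", is_acceptable('correct horse battery'), "\n";
```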

