comp.lang.ruby

Re: Decode password

Felix Windt

4/27/2007 8:12:00 PM

"man crypt" gives different, and better, details on what hashes are used in
/etc/shadow|/etc/passwd.
A hash is simply good because a malicious user has to brute force in the
first place, and is unable to read the password without having to do further
work. It definitely doesn't take more time to brute force because the hash
is longer, as for a brute force you're generating all possible passwords and
then the hash value for them, comparing to the hash you're trying to crack.
If you use the letter "a" as your password, the hash function you run on it
can generate a hash that is 1,024 characters in length - if I brute force
the 26 letters of the alphabet and compare the results to your password
hash, it'll still take me at most 26 tries to find out you used the letter
"a". Just that a password is stored as a hash doesn't eliminate the need for
a strong password.

It's also notable that both md5 and sha1, probably the most commonly used
hashes - though some *nix still use DES for password encryption, which is
/relatively/ insecure - have been found vulnerable to collision attacks. You
may also want to read up on the birthday paradox and its relation to attacks
on hash functions. In short, while it's very, very expensive and for the
home user entirely unfeasible to attack hashes, it's not as expensive as
having to literally try every possible combination.


That concludes my nitpicking for the day. I didn't mean to be mean.

-----Original Message-----
From: ChrisKaelin [mailto:ck.stonedragon@gmail.com]
Sent: Friday, April 27, 2007 11:00 AM
To: ruby-talk ML
Subject: Re: Decode password

On 27 Apr., 11:06, chris.hulb...@gmail.com wrote:
> That's impossible, basically. A hash is a one-way function.
> You could brute force it if you wanted, good luck waiting for
> eternity...
>

What luck for us Unix administrators ;-)

That's why Unix passwords have been so safe for many years. Even if
someone other than root can read /etc/shadow, you can only brute-force
that stuff, and that can take some time, because even if the password
is very short, the hash is always at least 13 characters long...

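The point Felix makes above (brute-force cost is set by the candidate password space, not by how long the stored hash is) is easy to check in Ruby, the language of this list. The following is an added example, not code from either poster; it uses the standard-library Digest classes instead of the platform crypt(3) routines discussed in the thread, because their output is identical on every machine. Everything here is constructed: the 26-letter alphabet, the three hash functions, and the sample passwords.

```ruby
require 'digest/md5'
require 'digest/sha1'
require 'digest/sha2'

# Candidate alphabet from the post: the 26 lowercase letters.
ALPHABET = ('a'..'z').to_a.freeze

# Three hash functions with very different output lengths
# (32, 40 and 128 hex characters respectively).
HASHERS = {
  'MD5'    => Digest::MD5,
  'SHA1'   => Digest::SHA1,
  'SHA512' => Digest::SHA512,
}.freeze

# Yield every string over +alphabet+ of length 1..max_len, shortest
# first and in alphabetical order, exactly as a naive brute force
# enumerates its guesses.
def each_candidate(alphabet, max_len)
  return to_enum(:each_candidate, alphabet, max_len) unless block_given?
  (1..max_len).each do |len|
    alphabet.repeated_permutation(len) { |chars| yield chars.join }
  end
end

# Attack a stored hex digest the way an attacker who can read
# /etc/shadow would: hash each guess and compare. Returns
# [password, number_of_guesses] on success, nil if not found.
def brute_force(target_hex, hasher, alphabet: ALPHABET, max_len: 3)
  tries = 0
  each_candidate(alphabet, max_len) do |guess|
    tries += 1
    return [guess, tries] if hasher.hexdigest(guess) == target_hex
  end
  nil
end

# For one password, "store" it under each hash function and record the
# digest length next to the number of guesses the brute force needed.
# The guess count is the same for all three, whatever the digest length.
def work_for(password, max_len: 3)
  HASHERS.each_with_object({}) do |(name, hasher), result|
    stored = hasher.hexdigest(password)
    found, tries = brute_force(stored, hasher, max_len: max_len)
    result[name] = { digest_chars: stored.length, recovered: found, tries: tries }
  end
end

# Upper bound on guesses for a given alphabet and maximum length:
# the only number that actually governs brute-force cost here.
def search_space(alphabet_size, max_len)
  (1..max_len).sum { |len| alphabet_size**len }
end

if __FILE__ == $0
  %w[a zz abc].each do |pw|
    puts "password #{pw.inspect}:"
    work_for(pw).each do |name, r|
      puts "  #{name.ljust(6)} digest=#{r[:digest_chars]} chars, recovered #{r[:recovered].inspect} after #{r[:tries]} guesses"
    end
  end
  puts "search space for 26 letters, length <= 3: #{search_space(26, 3)} guesses"
end
```

Running it shows "a" falling on the first guess and "zz" on the 702nd under MD5, SHA1 and SHA512 alike; the 128-character SHA512 digest buys nothing. What does raise the cost is `search_space`: every extra character of a real password multiplies the guess count by the alphabet size, which is the "strong password" half of the argument.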