(11-09-2016 05:24 PM)TechRocks Wrote: (11-09-2016 05:22 PM)georgia_tech_swagger Wrote: If that password hash wasn't also salted (notice it doesn't say it was) then the hash doesn't mean ****.
I wondered about that. Would bleachbit help?
No. Allow me to explain in more detail:
A hash is a one way function. So for example, you could use ROT13 (rotate 13 ... the old Julius Ceasar trick) as a one way hash.
password -> ROT13 -> cnffjbeq
The trouble is, if the hash isn't "salted", or in other words, have some secondary secret factor that is fed into the hash function to alter the outcome, the results are predictable.
So you may say, so what, how do you descramble that from reverse?
Well, humans suck at passwords. So step one is to take a common password (say ... password) and run it through a bunch of standard hashing algorithms and techniques, and see if what you get out of the hash appears in the compromised database in the password list. If it does (particularly a bunch of times) TAHDAH you've just busted the hash. Now it is just a matter of generating a hash for a crapload of standard/weak passwords. This is called "rainbow tables". And creating them is VERY computationally expensive, but it can be GPU and FPGA hardware accelerated to go stupid fast... I'm talking MILLIONS of hashes calculated every minute. And when you've done that ... you no longer need to reverse the hash. You just lookup a user account in the compromised database.... pull the hashed password ... and compare against your rainbow tables to find what the original password was.
And that's why you always salt your hashes. Because if you don't, it's really no better than storing in clear text. All you've done is merely inconvenience the person exploiting you.