in reply to Re: CGI and saving passwords
in thread CGI and saving passwords

Great thread, and a great comment. ++ to parent.

I would like to make one quibble. The intention of one-way hashes is that there is no known way to get the plain text back from the hash, but in the real world, evil people can be very clever, especially when there is a monetary reason to be so clever, or if someone claims "there is no way...".

IANAH (I am not a hacker) but I know that many one-way hash cracking programs are available. They can be surprisingly successful on real-world hashes (passwords). Consequently, please remember the following limitations to one-way hashes.

* Input strings should be 8 or more characters and should include numbers, symbols and capital letters. (If not, it can more than likely be cracked.)
* Using words and names as part of your passwd weakens them considerably. Using only a word is like having no passwd.
* Using "3" for e or "@" for a in your passwd won't help at all -- crackers know these tricks.

Cheers

-------------------------------------
Nothing is too wonderful to be true
-- Michael Faraday

Re: Re: Re: CGI and saving passwords
by Anonymous Monk on May 05, 2004 at 01:44 UTC
    It's true that there is nothing to stop someone from running a brute force attack on a one-way hash. However, the reason that people are encouraged to occasionally use non-alphanumeric characters in passwords is simply to slow the cracker down. Using upper and lower case letters increases the number of possibilities from 26 to 52, using numbers increases it to 62, using non-alphanumerics increases it again. All highly worthwhile practices. This is also the reason for having as many characters as possible in the input string and staying away from real words; both of these techniques slow down a cracker.
Re: Re: Re: CGI and saving passwords
by JoeJaz (Monk) on May 05, 2004 at 05:31 UTC
    I found it quite amazing that one can find over 50MB of dictionary files on sites related to the "crack" program. I guess if you can think of a word, someone else has thought of it as well and included it in those lists. (Not that I have used them in any other way than audits on my own system, but still impressive that someone has taken the time to make those lists so large.) Joe
      The lists are so large because they include all regular words, plus every regular word with clever substitutions like

      s/e/3/g
      s/a/@/g
      s/l/1/g

      So the dictionary size grows like:
      original size * (Num of subs)^2
      (I think I have that right).

      -------------------------------------
      Nothing is too wonderful to be true
      -- Michael Faraday