in reply to Re^2: OT: Cracking hashes made easier
in thread OT: Cracking hashes made easier

Depending on what the secret is used for, that might not matter. For example, if it is a password, a hashed version of my password is stored on the server. ONLY the hash is stored, not the original password. When I try to log in, whatever I type is hashed, compared with the stored hash, and if it matches I am allowed in, regardless of whether I type "ilikepie" or "iamquicheeatinghippyscum".

Yes, that's a somewhat naïve scheme, but it serves to illustrate the point.

Replies are listed 'Best First'.
Re^4: OT: Cracking hashes made easier
by thor (Priest) on Nov 14, 2005 at 12:11 UTC
    I don't really see what the secret could be used for other than as a salt. What did you have in mind?

    thor

    Feel the white light, the light within
    Be your own disciple, fan the sparks of will
    For all of us waiting, your kingdom will come

[reply]
      uhh, a password. You know, like in: 
      login: thor
password: <-- the secret goes here

      [download]
[reply]
[d/l]
        The whole point of this exercise was to say that using only the password and something that is easily derived from the user (i.e. username) can lead to attacks. So, unless I'm missing something, the password is not sufficiently secret.

        thor

        Feel the white light, the light within
        Be your own disciple, fan the sparks of will
        For all of us waiting, your kingdom will come

[reply]

In Section Perl News