boringtechstuff

Wednesday, September 07, 2005

salting your hashes

No, this is not a post about cooking or preparing hash browns. Rather, this is a post about 2 of my pet peeves -- insecure systems and weak passwords. It is quite unsettling to know that a simple Google search for the term

5f4dcc3b5aa765d61d8327deb882cf99

will bring up thousands of websites, sometimes showing *nix passwd files. Why they're in the public domain, I don't know.

What is the significance of 5f4dcc3b5aa765d61d8327deb882cf99 you say? Well, the string shown above is the MD5 hash of the word 'password'. MD5 is a cryptographic hash function which outputs a 128-bit hash value for any given sequence of bytes -- as short as a character string or as large as a file.

E.g.

md5_hash("password") = 5f4dcc3b5aa765d61d8327deb882cf99
md5_hash("hax0r") = b2a2420416e7b66308f9abb786f973da
md5_hash("apples") = daeccf0ad3c1fc8c8015205c332f5b42

The algorithm for deriving the 128-bit output hash from a sequence of bytes is best described here:

http://en.wikipedia.org/wiki/MD5

But in a nutshell, MD5 is like baking. You have ingredients (apples), perform certain operations, peel, chop, boil, etc, then bake, you get apple pie -- or a hash.

As with baking, you cannot get the original "apples" back from the hash; MD5 is mathematically irreversible. That is why a hash is the ideal kind of data to store for passwords -- you can see it, but you don't understand what it means. Modern operating systems usually store passwords this way, and to authenticate the user, the OS doesn't decrypt the password in the password database; instead, it hashes the user input and compares it to the stored hash. But I digress.

Anyway, a growing number of users have been building MD5 hash dictionaries (e.g. gdataonline.com) that claim to "crack" MD5 hashes. Nothing wrong with that, unless you use it for the wrong reasons. True, such a site does translate your MD5 hashes to their original form, but it doesn't do it mathematically; the magic is just a simple database lookup of common dictionary words against their MD5 hashes, nothing more.

Which now brings me to the title of this blog entry, salting your hashes. Salting in essence means adding a "secret" sequence of bytes to whatever string you hash, to make it less prone to brute-force dictionary attacks.

E.g.

md5_hash("XXapplesYY") = 7379d49b310a2d866a4ddf79bd5f09cc

In the above example, XX and YY are my salts.
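The lookup-versus-salt behaviour described above, as an added example that is not part of the original post: a precomputed MD5 dictionary resolves an unsalted hash but misses the same word hashed with the XX/YY salts. The wordlist is constructed, and the function names are chosen here for illustration.

```python
import hashlib
import hmac

# Constructed sample wordlist standing in for a public MD5 hash dictionary.
WORDLIST = ["password", "hax0r", "apples", "letmein"]


def md5_hex(text: str) -> str:
    """MD5 digest as lowercase hex (MD5 is used only because the post uses it)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup(words):
    """Precompute hash -> word, which is all an online 'cracker' does."""
    return {md5_hex(w): w for w in words}


LOOKUP = build_lookup(WORDLIST)


def lookup_plaintext(stored_hash: str):
    """Return the dictionary word for a hash, or None if it is not in the table."""
    return LOOKUP.get(stored_hash)


def salted_hash(password: str, prefix: str = "XX", suffix: str = "YY") -> str:
    """Salt the way the post's example does: prefix + password + suffix."""
    return md5_hex(prefix + password + suffix)


def verify(candidate: str, stored: str, prefix: str = "XX", suffix: str = "YY") -> bool:
    """Authenticate by re-hashing the input and comparing; nothing is reversed."""
    return hmac.compare_digest(salted_hash(candidate, prefix, suffix), stored)


if __name__ == "__main__":
    unsalted = md5_hex("apples")
    salted = salted_hash("apples")
    print("unsalted lookup:", lookup_plaintext(unsalted))  # found in the table
    print("salted lookup:  ", lookup_plaintext(salted))    # not in the table
    print("login still works:", verify("apples", salted))
```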

Salting is but one of the hundreds, if not thousands, of ways of securing passwords in the applications or websites you're developing. By ensuring that techniques like the one shown above are employed, we make the net a bit safer for everyone.



bd
9/7/05
