Hak5

Password hashes

From Hak5


Password hashes are passwords that have been transformed by a hashing algorithm to help secure a system or resource, for example to add security for users of a publicly accessible server.


Creation

When a password is created, a secure system will immediately take the plaintext password and hash it using one of several algorithms. This adds security because a user with access to the storage facility where these passwords are held (like a MySQL database or SAM file) cannot simply open it and read the plaintext passwords. For example, the plaintext 'hak5' can be MD5-hashed into 'CE1B09AE5EC7956FFA96BDA839FE50C7'. Note that this hash makes it much more difficult to determine what the real password is, because the plaintext cannot be seen.

Common Algorithms

There are plenty of algorithms available; here is but a short list of examples:

  • DES
  • Blowfish
  • MD5
  • LM/NTLM

Weaknesses

While hashes are a vast step up from storing plaintext, they have several weaknesses. A few of the more considerable ones are mentioned here, but you should note that with time and effort almost all hashes can be reversed.

The first weakness is bruteforcing, which applies here as it does to any mechanism that accepts user input. With access to the application using the password, or to the storage facility where the passwords are stored (and therefore to the hash itself), as well as knowledge of the hashing algorithm used, a malicious user can calculate the password by attempting every possible combination until a correct solution is found. Bruteforcing requires a large amount of time and computing power. For this reason, other methods such as rainbow tables have been developed. For more on rainbow tables, see the article on that topic.
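The following added example (not part of the original article) contrasts the unsalted MD5 storage used in the 'hak5' illustration above with a storage scheme that raises the cost of bruteforcing and defeats precomputed tables. The use of a per-user random salt with PBKDF2-HMAC-SHA256, the record format, the function names and the iteration count are all assumptions of this example, not something the article prescribes.

```python
import hashlib
import hmac
import os

# Assumed work factor for this example; tune it to your own hardware.
PBKDF2_ITERATIONS = 600_000


def md5_hash(password: str) -> str:
    """Unsalted MD5 as in the article's example: fast and deterministic (weak)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest().upper()


def create_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash a new password with a random per-user salt and a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Store the parameters with the hash so the work factor can be raised later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        rounds = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    print("MD5 rows identical:", md5_hash("hak5") == md5_hash("hak5"))
    a, b = create_record("hak5"), create_record("hak5")
    print("Salted rows identical:", a == b)
    print("Correct password accepted:", verify("hak5", a) and verify("hak5", b))
    print("Wrong password accepted:", verify("hak6", a))
```

With unsalted MD5, every account sharing a password stores the same value, so one precomputed table covers all of them. With a per-user salt and a slow function, each stored record has to be attacked separately and each guess costs far more to compute.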

An uncommon, but still notable, weakness of password hashes is hash collision. In a collision, the hash resulting from one cleartext password is the same as the hash of a completely different cleartext password. While modern hashing algorithms are designed to try to avoid such a problem, it still exists because of the mathematics involved in the hashing. When such a hash is attacked, either of the colliding passphrases can be used to gain entry.

Exploration

If you are interested in exploring hashes and encryption more thoroughly on your own, you can use the links below to learn more.

  • http://www.h26easy.org/software - Nick Tabick's Software Library, home of TENcryptor, MD5HashGen, and BlowfishGen, applications designed to explore or generate hashes or encrypted text