Heartbleed Bug

  • MiningMarsh
    23rd Apr 2014 Member 0 Permalink

    @OC39648 (View Post)

    You seem to misunderstand how passwords work. Every server hashes your password, that is why your password has to be cracked in the first place. If it was stored in plaintext, they could just extract the password from the server. Instead, they have to try and crack your pass by hashing candidate passwords until they find one with a matching hash. Thus, entropy doesn't change at all.

     

    If you are talking about hashing a password, and then using the hash as your password, that seems like a really bad idea. Hashing mechanisms are not designed to be applied more than once, and while there would probably be no issue, there is still the chance that repeatedly hashing a pass leads to a vulnerability in the hashing mechanism. It is better to just let the server hash your pass (like they already do).

  • OC39648
    23rd Apr 2014 Member 0 Permalink

    Yes, but a hashing algorithm creates a string of numbers specific to that word, while having extreme entropy. Each letter/number generated is pseudo-random, hence confusing crackers. Yes, it is easier to crack a stolen hash, but that's not what the average user should worry about. Servers encrypt passwords in SHA1. New ones, at least. If it still uses MD5, shame on them. I was suggesting hashing in SHA512, having 128 characters and being uncrackable.

  • jacksonmj
    23rd Apr 2014 Developer 0 Permalink

    Hashing does not magically create huge amounts of extra entropy. If a cracker is just trying straightforward alphanumeric brute force, then yes using the hash instead does make it more difficult. But if hashes are used as passwords by enough people, crackers will just, in addition to trying every possible password, try the hash of every possible password. The number of possibilities for the hash is not the total number of possible hashes, but the total number of possibilities for the password that gets hashed.

     

    A better idea is to use a password manager (I use KeePassX). That way you can use different random passwords that are as long as you like for every website, and you only have to remember one password (though it should be a strong one, since it protects all your other passwords).

    Edited once by jacksonmj. Last: 23rd Apr 2014
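
The counting argument in the post above, as an added Python example (not code from any poster in this thread). It goes slightly further by also capping the result at the number of hex characters a site would accept; the 20-character limit and the toy 3-letter password space are assumptions made for the illustration.

```python
import hashlib
import itertools
import math
import string


def keyspace_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string over this charset."""
    return length * math.log2(charset_size)


def hashed_password_bits(source_bits: float, hex_chars_kept: int) -> float:
    """Entropy of a hex digest used as a password.

    Capped twice: by the entropy of the password that was hashed, and by
    the capacity of however many hex characters (4 bits each) are kept.
    """
    return min(source_bits, keyspace_bits(16, hex_chars_kept))


def distinct_derived_passwords(charset: str, length: int) -> int:
    """Hash every source password and count the distinct SHA-512 digests."""
    digests = {
        hashlib.sha512("".join(chars).encode()).hexdigest()
        for chars in itertools.product(charset, repeat=length)
    }
    return len(digests)


if __name__ == "__main__":
    # Constructed toy space: every 3-letter lowercase password (26**3).
    print(distinct_derived_passwords(string.ascii_lowercase, 3), "of", 26 ** 3)
    six_lower = keyspace_bits(26, 6)
    # Full 128-character digest of a 6-letter password: still ~28 bits.
    print(round(hashed_password_bits(six_lower, 128), 1))
    # Assumed 20-character site limit: random printable ASCII vs. hex digest.
    strong = keyspace_bits(95, 20)
    print(round(strong, 1), round(hashed_password_bits(strong, 20), 1))
```

The digest is 128 characters long, but the number of different digests that can ever appear equals the number of source passwords, so the bit count does not move.
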
  • h4zardz1
    23rd Apr 2014 Member 0 Permalink
    @OC39648 (View Post)
    let's see what happens when these hashes are combined: MD5, SHA1 and SHA512.
    normal- rocket
    MD5- fdfedc01c66e9ea2817508ca1097df2f
    MD5+SHA1- 5737b671c90a4aa90bd874a9e5541edf9ed6b811
    SHA1- ef89a3a842b0384565a210f0122804f411fe51fb
    SHA1+MD5- 8090c6b3cd9f06cdcc7d142a847d8fb0
    SHA512- 31b1a0e56b67b0f4845a8dd66707be0fb74c7c0cf32295c4461731e9f376cb645165ed2769a25b214587cf455cf697fa05407fb 5b51122835234457d40dcc9fe
    SHA1+SHA512- e6dc3c8d6cfa1c3b063f7699310ba63bf21a9b97a77d544840209e88584a90e7f9be0eda138af1a0d10a9ca3676c6729ab612 d8fd13f331ec6f3d03d03a825a0
    MD5+SHA512- 6c0487f251fccbf5e54b31e2025c4c657e5b30aea6d23a41842652a3e77fcfe3ab5383491c07943156e95278aad3ba9bd6e69 ecd7b4ad6d348c4e66b63c01d4a
    MD5+SHA1+SHA512- d050bb956a056580ef4edffa524b0ab057acdf5e704ed1dcf1b6e532af6e9be543ceac29e782bd964fd20d4df34b6a9858019d 7d49cffea6aad8ddad057ee452
    SHA1+MD5+SHA512-
    9c9afead727fa4218e24032ed1c6b375fe5311b4c002bc6cadf2a5a76ca0e2328a798248c638c26a3a82accc41a57ea4561c6 bf97359dfd53e17d21086fa853b
    that is from one word: rocket. try it here: http://www.sha1-online.com/ EDIT: had to space some words. it is split now.
    @jacksonmj (View Post)
    even if that happens, crackers normally try every hash from normal letters, but not hash the hashed letters.
    Edited once by h4zardz1. Last: 23rd Apr 2014
  • MiningMarsh
    23rd Apr 2014 Member 2 Permalink

     

    > pseudo-random, hence confusing crackers

     

    No, hashes are the opposite of random.

     

    Yes, we all know how a hashing algorithm works.

     

    No, that is not how cracking works.

     

    Entropy is based solely on character set and length (and sometimes words if the attacker is using a dictionary attack. (a password of “password” has no entropy, for example)). Taking into account that a hash is outputted in hex, so there are only 15 characters possible, and that most sites don't allow passwords greater than around 17-20 characters, and a hash makes a very weak password in comparison to something that uses the full character set to crack.

     

    The randomness of your password has literally no effect on how easy it is to crack unless you are up against a rainbow table based attack or a dictionary attack.

     

    > Servers encrypt passwords in SHA1

     

    Care to back this up? I would be willing to bet that most sites use SHA-2, if not SHA-3, and that most would spring for the largest variants of those, considering how easy it is to set up, and how big the impact it has on security is. In fact, I am almost willing to bet that somewhere along the line SHA-2 became the standard in some sort of security lib for storing passwords in a DB (MySQL supports it), so it might even be on by default. I know it is for Linux (at least the distro I use).

     

    > extreme entropy

     

    I would argue, as I did two paragraphs ago, that this decreases entropy. By a lot, actually.

     

    > If it still uses MD5, shame on them.

     

    MD5 is not all that bad, actually. Really the only reason it is bad for password hashing is that it is fast to generate, generates a shorter hash, and, importantly, people have managed to successfully create hash conflict on purpose with two pieces of valid data. That last point is the important part, and really, even then, with how hard that is to do, and its extreme unlikelihood, it's still not that huge a threat.

     

    It's not ideal, but it is not the end of the world either. It's not like it has been reversed.

    Edited once by MiningMarsh. Last: 23rd Apr 2014
  • OC39648
    24th Apr 2014 Member 0 Permalink

    SHA2 and SHA3 do not exist.

    And I mean by SHA1, as in the NSA recommends SHA1.

    That doesn't mean anything does it

  • coenmcj
    24th Apr 2014 Member 0 Permalink

    Went from heartbleed to a tutorial on how hashing works. Appears legitimate. As always love how ontopic this forum is.

  • jacob1
    24th Apr 2014 Developer 2 Permalink
    @coenmcj (View Post)
    It went from heartbleed to hashing to complaining about what is / isn't on topic? That's even less on topic than the previous discussion :P (also this is the reason posts like that, or necro complaint posts annoy me, they don't help at all)
    Edited 2 times by jacob1. Last: 24th Apr 2014
  • h4zardz1
    24th Apr 2014 Member 0 Permalink
    this forum has a natural flow.
    @MiningMarsh and me changed the topic from heartbleed bug to password, and @OC39648 changed the topic HALFWAY from password to hashes.
  • CeeJayBee
    24th Apr 2014 Member 0 Permalink
    @h4zardz1 (View Post)
    And there was a tangent when people discussed why @Simon wouldn't fix my account :P
    (it's fixed nao :D)