25 Apr
2007
25 Apr
'07
12:09 p.m.
On Tue, 24 Apr 2007, Rick Murphy wrote:
It's not reversible because a hash algorithm is
used. A hash
deliberately "throws away" information, distilling a string into a
smaller representation. (You can't reconstruct an apple from a bowl of
applesauce.) That's a common operating system concept first employed by
Unix systems.
Yes, but it is possible, either by brute force or clever programming, to
write a job that will produce a string that will hash to the same hashcode
as the target password. With a 16bit hashcode, a set of 65536 strings can
be made and sequenced that will work for any 16 bit hashcode with that
algorithm. It will most likely be a nonsense string of characters, rather
than the name of the user's canary, but it will work.
In fact, if you were to start filling in the table with a
dictionary/namelist approach, many of the "passwords" will actually match!
Just how common ARE "sex", "love", and "god"?
The remainder of the table can be completed using the nine billion names
of god.
That is why the hashcode algorithm being used should be kept secret, and
access to the hashcodes for accounts shuld be limited.
How many people here remember any of the "master" passwords of TRS-DOS?
--
Grumpy Ol' Fred cisin at xenosoft.com