...and this proves the "easily remembered" part of that password scheme.
- I would love to change the world, but they won’t give me the source code.
xiecsuk wrote: I type in pass123 as my password, but unbeknown to me, the system translates that to 321ssap, hashes it and stores it
This is very close.
Actually, what you are thinking of is a salted hash.
In other words, the user types in the password, the receiving application receives the password over some secure method (like HTTPS) then it
1. takes the original password
2. adds a secret salt value
3. hashes the entire thing (pass + salt)
Since a hash is one-way, no one can really decrypt them -- that we know of.
Same Is Same
But look, every time you hash "ABCD" with the same algorithm, you get the same hash.
That means a nefarious character can create tables of hashes (rainbow tables) of common words.
Then, just compare the hash they have to the hashes stored in the database.
Proper Salt Probably Prevents
However, if the original value were properly salted, this would protect against that problem, unless the nefarious character should learn what the salt is, which is usually not the problem.
Usually the problem is that the passwords are stored in the database in clear text or simply not salted.
What he suggests is that the password is transformed again before being hashed, using an algorithm proper to the website. I still fail to see why this is not clever (and it is probably not, otherwise they would all do it. Or maybe they all do it already and nobody knows?).
It is as clever as prefixing the password with a constant.
Bastard Programmer from Hell
If you can't read my code, try converting it here
Because it wouldn't prevent the commonest way to bypass hashes: look for identical values.
Even if you reverse every password before you hash it, every user that uses "password" gets the same hash value.
Salting uses different values for each user - the username or row id value for example - and so every user gets a different hash value even if they share a password.
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
"Clever" is never secure, because the security vanishes the moment someone figures it out. And if an attacker could get their hands on the DB then they also could get the application (possibly even source code).
So as others said, slow(!) salted hashes are secure because it doesn't matter that you know how to create the hash. The way back is expensive. If the "secret way" would be enough then everyone will just XOR the password with something "secret", right?
--
"My software never has bugs. It just develops random features."
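The points made in the posts above (the three salting steps, why reversing the password before hashing is only as good as prefixing a constant, the "look for identical values" check, and slow salted hashes) can be shown side by side. This is an added example, not code from anyone in the thread; the user table is constructed sample data and the scheme names are my own.

```python
import hashlib
import hmac
import os

# Constructed sample user table (not from the thread): two users share a password.
USERS = [("alice", "password"), ("bob", "password"), ("carol", "pass123")]


def reversed_hash(password: str) -> str:
    """The scheme debated above: reverse the password, then hash it, no salt."""
    return hashlib.sha256(password[::-1].encode()).hexdigest()


def salted_slow_hash(password: str, salt=None, iterations: int = 100_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Stored as iterations$salt$digest so the verifier can recompute it."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_count(stored_values) -> int:
    """How many stored values appear more than once: the 'look for identical
    values' check that works on an unsalted (or constant-salted) table."""
    seen = {}
    for v in stored_values:
        seen[v] = seen.get(v, 0) + 1
    return sum(1 for n in seen.values() if n > 1)


def compare_schemes(users=USERS) -> dict:
    """Reversing gives alice and bob the same stored value; per-user salt does not."""
    reversed_table = [reversed_hash(pw) for _, pw in users]
    salted_table = [salted_slow_hash(pw) for _, pw in users]
    return {
        "reversed_duplicates": duplicate_count(reversed_table),  # 1: alice == bob
        "salted_duplicates": duplicate_count(salted_table),      # 0
    }
```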
Rage wrote: I still fail to see why this is not clever
Depending on the function, it could be just as susceptible to rainbow attacks as not applying the function. Also, given the function, it might still be statistically breakable (e.g. "password" most common) which is even quicker if applicable.
The reverse example he gives has both these flaws, especially given the apparent lack of salt. As Eddie Vluggen says, about as clever as prefixing with a constant- it'll increase the time taken to break, but not by much.
[Edit]
My understanding was the OP was trying to get at how hashes work generally, rather than a specific implementation.
Quote: the hacker then decodes by brute force and ignorance to arrive at the actual password
No.
What you propose is little different from another common technique that doesn't really improve security -- that of hashing multiple times.
Attackers don't care what the original password was or how the stored value was calculated, they only care about what they can pass in to gain access.
SET RANT ON
When you press CTRL+SHIFT+H, the Find & Replace window comes up.
But in VS2012/13, the "Find What" field is not the default... the "Replace With" is.
It automatically inserts whatever word your cursor is on in the Find What field. So when I open a XAML file, press CTRL+SHIFT+H, the Find & Replace dialog opens and the Find What field is populated with "<" (the first character on the first line of the file), and the cursor is on the Replace With field.
So you have to Shift-Tab to back up one field, or click the Find What field to look for what you REALLY want to find.
In VS2010, the focus starts on the Find What field.
I've asked this before... What moron at MS designed this??? What are you, totally stupid?
SET RANT OFF
Have a nice day, again.
If it's not broken, fix it until it is
IMO this is the proper behavior.
You select something you want to replace, hit ctrl-shift-h and type the replacement.
The issue would be that if there is no selection, then the "find what" should at least be empty.
I'd rather be phishing!
If I had selected something I wanted to replace, why would I need a dialog?? I'd start typing & change it.
If it's not broken, fix it until it is
Kevin Marois wrote: if I had selected something I wanted to replace, why would I need a dialog?? ...because you'd like to replace the string multiple times in your current selection. Works great when the refactoring commands don't, like strings.
Bastard Programmer from Hell
If you can't read my code, try converting it here
Ignore me, it's Monday.
You can't outrun the world, but there is no harm in getting a head start.
Real stupidity beats artificial intelligence every time.
Tools -> Options -> Environment -> Find and Replace -> Automatically populate Find What with text from the editor
https://msdn.microsoft.com/en-us/library/ms165349.aspx
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
HAHAH.. Wow. There's an option for this??? Go figure
If it's not broken, fix it until it is
Nice.
Thanks.
I'd rather be phishing!
That knowledge is impressively nerdy.
Regards,
Rob Philpott.
I like the way it works (for the reasons mentioned by Max and Eddie).
[edit]
But it's nice to have the option.
[/edit]
/ravi
Jeeze, he's really caught up with technological evolution if he's gone from hunting with a bow to providing cloud services.
I wanna be a eunuchs developer! Pass me a bread knife!
They're lying - it's not Orion!
I looked very carefully, and there are no attack ships burning off the shoulder - it can't be Orion.
Batty
I met him once a few years back in a Starbucks, waiting to get coffee. Very nice chap.
SET RANT ON
I really, really hate that stooooopid little find thingy that pops up when you press CTRL+F.
SET RANT OFF
Have a nice day.
If it's not broken, fix it until it is
modified 16-Mar-15 10:24am.
Where is that then? I can't find it.
So? Don't press it!
And don't leave your rant on all day long now... There are third world children who can't rant at all...
Anything that is unrelated to elephants is irrelephant - Anonymous
-----
The problem with quotes on the internet is that you can never tell if they're genuine - Winston Churchill, 1944
-----
I'd just like a chance to prove that money can't make me happy. - Me, all the time