

 
Steam was hacked

Mardoc Wrote:If you'd rather have mine - they're two levels of security. A hash is a function that's chosen to be easy to calculate forwards and hard to go backwards.

So something like prime factorisation then?
Travelling on a mote of dust, suspended in a sunbeam.

Ok, I knew what hashing was but salting was new. Where does the input data to be added to the password to make it 'salted' come from?

Mardoc Wrote:Here's one explanation

If you'd rather have mine - they're two levels of security. A hash is a function that's chosen to be easy to calculate forwards and hard to go backwards. It's used by never actually storing a password; instead, every time a site would use a password, they compute the hash of it and use that instead. This is why sites can usually reset your password but can't usually just tell you what your old password was.

However, now that computing power is cheap, people found a way around hashing - they build a dictionary of hashes for all common passwords, and compare the hashes they steal to that dictionary to get the passwords. Salting is adding one more step - after you take the password from the user, you add some more data (the 'salt'), unique to the user, and hash the combination of them. This means that that dictionary for cracking has to be recreated for each user instead of for each site, and has to be a lot bigger.

Edit: Another explanation, with numbers and examples: Here

Very interesting and useful for me, thanks for posting. :)


sunrise089 Wrote:Ok, I knew what hashing was but salting was new. Where does the input data to be added to the password to make it 'salted' come from?

It's just a random number. It gets stored alongside the hashed+salted password, and even though the attacker can see it, it still serves its purpose: they can't use a pre-computed lookup table of hashes of common passwords.
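The two mechanisms the posts above describe, a precomputed dictionary of hashes of common passwords and a per-user random salt stored in the clear next to the hash, worked through as an added Python example that is not part of this thread. The candidate password list is constructed for the demo, and the hash choices (plain SHA-256 for the unsalted case, PBKDF2-HMAC-SHA256 for the salted case) are assumptions, not anything Steam or this forum is known to use.

```python
import hashlib
import secrets

# Constructed "common password" list for the demo; an attacker's real
# dictionary would be millions of entries built from past leaks.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon", "iloveyou"]

# Work factor for the salted scheme (assumed value; tune upward in production).
PBKDF2_ITERATIONS = 50_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same password yields the same digest for every user on every site."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Attacker's precomputed table, digest -> password. Built once and reusable
    against any dump that used the same unsalted hash."""
    return {unsalted_hash(p): p for p in candidates}


def crack_unsalted(stored_digests, table):
    """Match a stolen list of unsalted digests against the table: one dict lookup each."""
    return {d: table[d] for d in stored_digests if d in table}


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user salt mixed into a slow KDF (PBKDF2-HMAC-SHA256). The salt alone defeats
    the precomputed table; the slow KDF additionally raises the cost of per-user guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS).hex()


def store_user(password: str) -> dict:
    """What the site keeps: the random salt in the clear next to the salted digest."""
    salt = secrets.token_bytes(16)  # CSPRNG, 128 bits; per-user uniqueness is what matters
    return {"salt": salt, "hash": salted_hash(password, salt)}


def crack_salted_with_table(record, table):
    """The attacker's old table is useless: the stored digest never appears in it."""
    return table.get(record["hash"])


def crack_salted_per_user(record, candidates):
    """The only option left: recompute the KDF for each candidate with this user's salt."""
    for p in candidates:
        if salted_hash(p, record["salt"]) == record["hash"]:
            return p
    return None


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    dump = [unsalted_hash("letmein"), unsalted_hash("correct horse battery staple")]
    print("unsalted, cracked via table:", crack_unsalted(dump, table))

    alice = store_user("dragon")
    bob = store_user("dragon")
    print("same password, different salted digests:", alice["hash"] != bob["hash"])
    print("table against salted record:", crack_salted_with_table(alice, table))
    print("per-user guessing against salted record:", crack_salted_per_user(alice, COMMON_PASSWORDS))
```

Two points the code makes concrete: the salt is not a secret (it sits beside the digest, exactly as the post says) because its job is uniqueness, not confidentiality; and salting alone only forces the attacker back to per-user guessing, which is why the salted branch also uses a deliberately slow KDF (PBKDF2 here; bcrypt, scrypt or Argon2 serve the same purpose) so that each of those guesses costs something.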

You also can't as easily guess the hashing algorithm.

As for salt, imagine the classic Caesar cypher where you encode letters by shifting the alphabet by 1: A->B, B->C, C->D ... Z->A. Salt would be like an additional value used in some way (most commonly added to the ASCII representation), so for a Caesar cypher it would be something like shifting each word in the message over a few letters like:

helloxyou (use x instead of space)

Shifted over 2 would be:

lohelxouy

Then encoded:

mpifmypvz 2

Additionally, as hashes often discard some information (unlike a Caesar cypher), you can't decode the encoded version; you have to guess a message, salt it and hash it. So you can't just look up 'helloxyou' in a table for Caesar cypher shift-right-1, due to the salt value.
In Soviet Russia, Civilization Micros You!

"Right, as the world goes, is only in question between equals in power, while the strong do what they can and the weak suffer what they must."
“I have never understood why it is "greed" to want to keep the money you have earned but not greed to want to take somebody else's money.”

As in all things, use different passwords for things you care about, so you don't have to go and find all 20 different accounts that used the same SN/password combo and change them.

I personally have a standard throwaway one, but for important stuff (Google, Steam, Money stuff, etc) keep unique strong passwords.

Keepass is a good tool for keeping track of a ton of different passwords, it even has a browser plugin.

http://keepass.info/

I don't think our PBEM passwords are encrypted at all lol

Nicolae Carpathia Wrote:I don't think our PBEM passwords are encrypted at all lol
Actually, you're wrong. They are MD5 hashed inside the save files. This makes them either trivial or nearly impossible to break, depending on password length and composition.
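The "trivial or nearly impossible depending on length and composition" point above, shown as an added Python example that is not part of this thread: an exhaustive search against an unsalted MD5 digest, plus a keyspace estimate for longer passwords. The example password and the assumed 1e10 hashes/second GPU rate are constructed for the demo; nothing here is taken from the actual save-file format.

```python
import hashlib
import itertools
import string

LOWERCASE = string.ascii_lowercase  # 26-character alphabet used in the demo
SECONDS_PER_YEAR = 365 * 24 * 3600


def md5_hex(password: str) -> str:
    """Unsalted MD5 digest, the form the post says the save files store."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def brute_force_md5(target_hex: str, alphabet: str, max_len: int):
    """Exhaustive search over every string drawn from `alphabet` of length 1..max_len.
    Returns the password, or None if it lies outside that keyspace."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if md5_hex(candidate) == target_hex:
                return candidate
    return None


def keyspace_size(alphabet_size: int, max_len: int) -> int:
    """Number of candidates of length 1..max_len over an alphabet of the given size."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


def exhaustive_search_years(alphabet_size: int, max_len: int, hashes_per_second: float) -> float:
    """Worst-case wall-clock years to enumerate the whole keyspace at a given hash rate."""
    return keyspace_size(alphabet_size, max_len) / hashes_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Short, lowercase-only: recovered in well under a second even in pure Python.
    stolen = md5_hex("civ")  # constructed example password
    print("recovered:", brute_force_md5(stolen, LOWERCASE, 4))

    # Assumed rate for a GPU cracking rig against raw MD5; real figures vary by hardware.
    GPU_RATE = 1e10
    print("lowercase, up to 8 chars:", exhaustive_search_years(26, 8, GPU_RATE), "years")
    print("printable ASCII, up to 12 chars:", exhaustive_search_years(95, 12, GPU_RATE), "years")
```

The contrast is the whole point: every lowercase password of eight characters or fewer falls in seconds at the assumed rate, while twelve characters over the 95 printable ASCII symbols pushes the worst case past a million years. MD5 being fast to compute is what makes the short case trivial; only the size of the keyspace, not the algorithm, makes the long case infeasible.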

Can you explain MD5 hashed, mist?
