On 5/1/15, Daniel <[email protected]> wrote:
> On 30/04/15 19:03, Richard Falken wrote:
>> Crypto hashes are really powerful and are the standard way of storing
>> passwords in many systems.
>>
>> You might know that a password hash is
>> $5$sdsd7f89sd7fsda89f7$9AO/NHJbfjwllqiFOOeq63ICdSDwaejGNa36IL6d4pC. You
>> might not use this information to find what the password that generates
>> this hash is. The reason is that cryptographic checksums work only one
>> way.
>> You can take an input and turn it into a hash, but there is no practical
>> way to take a hash and find what the input is out.
>
> When I later enter my password, the system *must* do something to that
> input to compare it to the saved data. So the system *must* know what
> that something was, so the process is repeatable.

Correct. But just because a process is repeatable doesn't mean that cracking it is practical. So something like public key encryption is infeasible to crack because cracking it requires factoring large numbers. I suspect password hashes are in the middle ground. Somebody like the NSA probably has a rainbow table for every popular password hashing scheme, so if they're interested they've already broken "$5$sdsd7f89sd7fsda89f7$9AO/NHJbfjwllqiFOOeq63ICdSDwaejGNa36IL6d4pC" (assuming it _is_ a valid password hash :) But against someone doing a brute-force or dictionary attack that hash might be safe.

Regards,
Lee
_______________________________________________
support-seamonkey mailing list
[email protected]
https://lists.mozilla.org/listinfo/support-seamonkey
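
As an added illustration (not part of the original email thread), the sketch below shows the repeatable check discussed above: the salt is stored in the clear next to the hash, and verification recomputes the hash from the entered password and compares. It uses PBKDF2-HMAC-SHA256 from Python's standard library rather than the `$5$` format quoted in the thread; the record layout, iteration count and function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed record layout for this example only: $scheme$iterations$salt_hex$hash_hex
# (loosely modelled on the "$id$salt$hash" string in the thread; not the same scheme).
SCHEME = "pbkdf2-sha256"
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a storable record. The salt is random and is not secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"${SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Repeat the same computation with the stored salt and compare the results."""
    try:
        _, scheme, iterations, salt_hex, hash_hex = record.split("$")
        rounds = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: reject instead of raising
    if scheme != SCHEME or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def demo() -> dict:
    # "correct horse" is a constructed sample password.
    first = hash_password("correct horse")
    second = hash_password("correct horse")
    return {
        "same_password_verifies": verify_password("correct horse", first),
        "wrong_password_rejected": not verify_password("wrong horse", first),
        "records_differ_per_salt": first != second,
    }


if __name__ == "__main__":
    print(demo())
```

The system never reverses the stored value: it only needs the salt and parameters to repeat the forward computation, and two records for the same password differ because each gets its own salt.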

