All artwork, design, logo hacks, coding, whining, painting and Photoshop work by Thor. Git yurself some!
Contact: GetHammered


Q: My company requires me to have a "complex password" because that makes it "strong." Is that true?

A: They are incorrect. In fact, they are incorrect to the point that they try to enforce a "strong" password when there is no such definition. Ask them, "What is strong? How do you measure it?" They will say, "Best practices require we blah, blah, blah." Read this - in particular the "The-Not-So-Obvious" section - and make your own decisions.
Q: Someone said they cracked the Linked-In password hashes with bible quotes. Is that true?

A: I'm certain that is true. I mean, I'm certain of the fact that someone said it is true. Did someone really do it? I'll say "no," with the stipulation that if they really DID do it with bible verses, then they had God cracking numbers for them as well. First off, salting a password, if done remotely correctly, makes it applicably impossible to crack the hash. If I chose an RFC2898 salt, I could have the letter "a" as my password and it would never be reverse-cracked from the hash. If someone got hold of the salt and the hash, then that's a different subject. But if they have that, why do they need to reverse-crack it in the first place?

Linked-In salts your password. Bible verses will not reverse the hash. Even if Linked-In didn't salt the hash, the chances of you finding the right verse out of 31,000 is... hmm, let's see... Oh, 1 in 31,000. Particularly if the verse is from Numbers, which obviously increases the hash space, as all digits do. Ba-dum. You then have over 50 versions of the bible in English alone. I like U2, and think the song "40" from War is great, particularly live. If you were not aware, the song is named for Psalm 40. So let's say I choose that verse and put "I waited patiently for the Lord and he inclined and heard my cry" as my password. Touching, I know. The first verse I found on the internet was "I waited patiently for the Lord; and he inclined unto me, and heard my cry." Notice the commas and semi-colon. Notice the period at the end. Notice the extra "unto me" bit. If there is but one single difference in length, spelling, capitalization, punctuation, or denomination, then all bets are off. So, is it possible someone did this? Sure, and it's possible to find an Irish girl with thin ankles. Will you? Nah.

Clearly I have some insight into this, as I've been right there when claims were made. One of my other questions was, "Where did you get the hashes? How do you know they are from Linked-In?" The answer? "I got them off the internet, so I know they are."
Q: I've been told to use a separate salt for every password to prevent hash-cracking. Does that work?

A: Technically, yes - it will definitely help, and it will force any Magic Rainbow Table to be rebuilt for each different hash. In fact, in some places like MSFT, when using a hash, you are required to use a different salt for each item. And that's fine as long as you don't care if the salt is known. You may not be aware of this, but many policies for salting exist to ensure the integrity of the hash itself (as in a collision) and not to prevent it from being reversed.

In these cases, if you ever want to use the hash as a logon validation, you'll have to store the salt with the hash. Let's say I put "TheHooch" as my password. If I have a unique salt for my password, then when I log on again and type in "TheHooch," my "personal" salt will be used to hash my password and compare it to the stored hash. So if someone gets the hashes, they get the salts. If you have a "secret" hash not stored with the hashes, then that can't happen.

So "yes," it will add a different layer of obfuscation. But not a "better" layer. It's just a different method to solve a problem.
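The two answers above describe the same storage model: a per-user salt kept alongside the hash (so the verifier can recompute it at logon), an RFC2898 key-derivation function over password plus salt, and an optional server-side secret that is not stored with the hashes. The following is an added example, not code from this site or from Thor; it uses Python's `hashlib.pbkdf2_hmac` (the RFC 2898 PBKDF2 construction) and the function names `hash_password`, `verify_password` and `records_share_salt`, the record layout, the iteration counts and the sample users are all assumptions chosen for the illustration. It also shows the point made about the Psalm 40 verse: with the salt held fixed, a differently punctuated rendering of the same verse does not verify against the stored record.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumption: a PBKDF2 work factor chosen for this example; tune it to your hardware.
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None, pepper: bytes = b"",
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Hash a password with PBKDF2-HMAC-SHA256 (the RFC 2898 construction).

    A fresh random per-user salt is drawn unless one is supplied. The salt, the
    iteration count and the algorithm name are stored WITH the digest, because the
    verifier needs all of them to recompute the hash at logon. The optional pepper
    is a server-side secret that is deliberately NOT stored in the record, so a copy
    of the password table alone is not enough to recompute hashes.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8") + pepper, salt, iterations)
    return "$".join([
        "pbkdf2-sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str, pepper: bytes = b"") -> bool:
    """Recompute the hash from the stored salt and parameters; compare in constant time."""
    try:
        algorithm, iterations_text, salt_b64, digest_b64 = record.split("$")
        if algorithm != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations_text)
    except (ValueError, TypeError):
        return False  # malformed record: treat as a failed logon, never as success
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8") + pepper, salt, iterations)
    return hmac.compare_digest(actual, expected)


def records_share_salt(record_a: str, record_b: str) -> bool:
    """True if two stored records carry the same salt (distinct users should not)."""
    return record_a.split("$")[2] == record_b.split("$")[2]


def demo() -> None:
    # Constructed sample data: two users who happened to pick the same password.
    users = {"alice": "TheHooch", "bob": "TheHooch"}
    table = {name: hash_password(pw, iterations=100_000) for name, pw in users.items()}
    # Same password, different salts, therefore different stored hashes.
    print("alice and bob share a salt:", records_share_salt(table["alice"], table["bob"]))
    print("alice logs on with 'TheHooch':", verify_password("TheHooch", table["alice"]))
    print("alice logs on with 'thehooch':", verify_password("thehooch", table["alice"]))

    # The two renderings of Psalm 40 from the answer, hashed with one fixed salt so the
    # only difference is the wording: punctuation and the extra words change everything.
    fixed_salt = b"\x00" * SALT_BYTES  # constructed, for a side-by-side comparison only
    verse_a = "I waited patiently for the Lord and he inclined and heard my cry"
    verse_b = "I waited patiently for the Lord; and he inclined unto me, and heard my cry."
    rec_a = hash_password(verse_a, salt=fixed_salt, iterations=100_000)
    print("verse_b verifies against verse_a's record:", verify_password(verse_b, rec_a))

    # A pepper kept outside the password table: the stored record alone no longer verifies.
    pepper = os.urandom(32)  # in practice loaded from a secret store, never from the DB
    rec_p = hash_password("TheHooch", pepper=pepper, iterations=100_000)
    print("verifies with pepper:", verify_password("TheHooch", rec_p, pepper=pepper))
    print("verifies without pepper:", verify_password("TheHooch", rec_p))


if __name__ == "__main__":
    demo()
```

Run it directly to see the three behaviours side by side: the per-user salt gives two different records for one password, the verse comparison fails on the first punctuation difference, and the peppered record cannot be verified by anyone who only holds the table. Storing the algorithm name and iteration count in the record is what lets you raise the work factor later without invalidating old logons.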
More coming as I make time!
