xisto Community
mm22

Password Encryption With Hash Functions: one point that I may be missing in the story


When recording, transmitting or storing a password in a web-based application, it is not a good idea to do so in plain text. Fair enough.

Looking at ways to "disguise" a password before, say, storing it in a database, I found that functions known as "hash functions" are widely used. Basically what these functions do is "mess around" with the string that contains the password until it is turned into some other string or binary value which hides the "real" password. When we want to retrieve the original string so that it can, for example, be checked against the user input, we'll run the function again on the same and the original value will be returned.

In PHP one can for example use the built-in function sha1() to apply the hash function SHA1, which will turn your password into a 40-char (160-bit) string of seemingly random alphanumeric values.

My question is: can anyone decrypt such a string provided he or she has access to the same hash function that was used for encryption? In other words, is knowing which encryption function was used sufficient to decrypt a string?

If the answer is yes, I guess a much more secure way would be that of writing your own encryption function and storing it in a very safe place, or maybe customizing one of the common hash functions so that it acts in a unique way (for example providing it with some "key").

I know there's no "absolute security", I was just wondering what the common practice is in these cases.

Thanks for any answer.


If it's been "hashed properly", and by that I mean all traces of the original password can't be found in, let's say, the cache... then the only way to crack the password is to brute force it... which would take a LOT of computing to brute force an MD5 hash with salts...

There is no 100% secure type of encryption, because even if the malicious user doesn't know how to crack it, they can easily plant a key logger on the victim's computer (though a password that is entered through a custom-made "AJAX keypad" would be immune); the malicious user would be able to gain knowledge of the password, and maybe even crack the code...

There is no need for some special type of encryption unless you're working for the Pentagon or CIA or KGB or something... MD5 and salts do the trick...


It's a hash. Not an encryption. Hashes are irreversible, encryptions can be decrypted. Hashes have a fixed length output, encryptions have an output length proportional to the input length (generally).

The fact that hashes have a fixed length output should make it quite obvious that they are irreversible. There are over 2^160 possible string inputs, while only 2^160 possible string outputs. This means, via the pigeonhole principle, that there will be outputs with multiple possible inputs. Which means that it's impossible to find the input used to create the hash (while technically possible to find an input with the same output).

Here's a basic type of hash that can't be reversed:

Input: A string

Output: The first letter of the string

There is no way you can determine the input given the output (unless you're told it's one character long :lol:). Of course if this were a hash used for securing a website, it wouldn't be hard to find an input which gives the same output! Hashes generally try to make collisions (i.e. two inputs giving the same output) hard to create, and as of now SHA-1 has had no collisions found (while distributed computing is continually trying to find some!) but MD5 has had collisions (view here).

Using SHA-1 should be enough for storing passwords in a website. If someone can somehow retrieve these values (e.g. by means of SQL injection) then your passwords are safe as long as they are of decent length (e.g. at least 8 or 9 characters) and not dictionary words (but something like 'messenger6' isn't a very secure password either!) - ideally a random combination of alphanumeric+symbols.

A common method of protection is to use a salt on hashes. This can be changing sha1($_POST["pass"]) to sha1($_POST["pass"]."This is a salt! It's very long to hinder brute-force attempts!").

Edited by Nabb (see edit history)
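
Added example (not part of any post in this thread): the hash-and-compare login flow described in the reply above, using its site-wide salt string, next to a per-account random salt and PHP's built-in password_hash(). The function names, the "salt$hash" storage layout and the sample passwords are assumptions made for illustration.

```php
<?php
// Added example; not code from the thread. Passwords below are constructed samples.

// The thread's approach: SHA-1 over password + one site-wide salt string.
const SITE_SALT = "This is a salt! It's very long to hinder brute-force attempts!";

function hash_site_salt(string $password): string {
    return sha1($password . SITE_SALT);   // 40 hex characters for any input
}

// Variant (assumption, not from the thread): a random salt per account,
// stored next to the hash as "salt$hash" so it can be reused at login.
function hash_user_salt(string $password, ?string $salt = null): string {
    $salt = $salt ?? bin2hex(random_bytes(16));
    return $salt . '$' . sha1($password . $salt);
}

// Login check: hash the submitted password the same way and compare the
// results. Nothing is decrypted; hash_equals() compares in constant time.
function verify_user_salt(string $submitted, string $stored): bool {
    [$salt] = explode('$', $stored, 2);
    return hash_equals($stored, hash_user_salt($submitted, $salt));
}

// Two accounts that happen to choose the same password.
$alice = hash_site_salt('messenger6');
$bob   = hash_site_salt('messenger6');
var_dump(strlen($alice));     // output length does not depend on the input
var_dump($alice === $bob);    // site-wide salt: are the stored values identical?

$alice2 = hash_user_salt('messenger6');
$bob2   = hash_user_salt('messenger6');
var_dump($alice2 === $bob2);                        // per-account salt: identical?
var_dump(verify_user_salt('messenger6', $alice2));  // correct password
var_dump(verify_user_salt('messenger7', $alice2));  // wrong password

// PHP's built-in password API (PHP 5.5+) generates a salt per password and
// uses a deliberately slow algorithm; the salt is embedded in the result.
$stored = password_hash('messenger6', PASSWORD_DEFAULT);
var_dump(password_verify('messenger6', $stored));
```

With a single site-wide salt, identical passwords still produce identical stored values, so one recovered password exposes every account that shares it; a per-account salt removes that link.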


There are over 2^160 possible string inputs, while only 2^160 possible string outputs. This means, via the pigeonhole principle, that there will be outputs with multiple possible inputs. Which means that it's impossible to find the input used to create the hash (while technically possible to find an input with the same output).

Are those two numbers really the same (2^160)? I think you meant the outputs are fewer than the inputs so you can have outputs with multiple inputs...

Anyway, thanks a lot, very clear and precise description :lol:


So there is the SHA1 (Secure Hash Algorithm), MD5, AES, but how do they differ? And isn't there a possibility of cracking the passwords?
