I could simply store it raw, but anyone who gets my database gets the password. So instead I do an SHA1 hash on it, and get this:

$ echo -n baseball | sha1sum

Theoretically it's impossible to reverse a SHA1 hash. But go do a Google search on that exact string, and you will have no trouble recovering the original password. Plus, if two users in the database have the same password, then they'll have the same SHA1 hash. And if one of them has a password hint that says try "baseball" - well, now I know what both users' passwords are.

So before we hash it, we prepend a unique string. So now we're hashing the string WquZ012Cbaseball. Googling that string turns up nothing (except perhaps this page), so now we're on to something. And if person2 also uses "baseball" as his password, we use a different salt and get a different hash.

Of course, in order to test out your password, you have to know what the salt is. Most implementations just tack it right on there with the hash, usually with some delimiter. Try this if you have openssl installed:

$ openssl passwd -1

This gives us a hash using the standard crypt library. So our hash is $1$oaagVya9$NMvf1Iyub圎YvrZTRSLgk0: it's actually 3 sections separated by $. I'll replace the delimiter with a space to make it more visually clear:

1 oaagVya9 NMvf1Iyub圎YvrZTRSLgk0

1 means "algorithm number 1", which is a little complicated, but uses MD5. There are plenty of others which are much better, but this is our example. oaagVya9 is the salt, plunked down right there in with our hash. NMvf1Iyub圎YvrZTRSLgk0 is the actual MD5 sum, base64-encoded.

If I run the process again, I get a completely different hash with a different salt. All of these are for the password "baseball":

$1$9XsNo9.P$kTPuyvrHqsJJuCci3zLwL.

In this example, there are about 10^14 ways to store this one password. But, if I deliberately specify the salt I want to check, I'll get back my expected result:

$ openssl passwd -1 -salt oaagVya9

And that's the test I run to check to see if the password is correct.
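Here is the whole procedure above in one runnable piece: the unsalted SHA1 that collides across users, a random 8-character salt from the same 64-character alphabet the crypt strings use, the salt stored in the "$id$salt$hash" layout, a parser that splits such a string into its sections, and the verify step that re-runs the hash with the stored salt. This is an added example, not code from the post; it swaps MD5-crypt for PBKDF2-HMAC-SHA256 (one of the "much better" options the post alludes to), and the "pbkdf2-sha256" identifier, the iteration count and the extra iterations field are this example's own choices.

```python
"""Salted password storage and verification in a crypt-style "$id$...$salt$hash" string.

Added example (not the post's code). Assumptions: the "pbkdf2-sha256" algorithm id,
the iteration count and the four-field layout are constructed for this example;
the post's own strings use MD5-crypt ("$1$salt$hash") via `openssl passwd -1`.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Same 64-character alphabet the crypt strings on the page use (./0-9A-Za-z).
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
SALT_LEN = 8            # same length as the post's salts: oaagVya9, 9XsNo9.P
ITERATIONS = 200_000    # constructed choice for this example
ALG_ID = "pbkdf2-sha256"


def unsalted_sha1(password: str) -> str:
    """What the post does first (echo -n baseball | sha1sum): every user with
    the same password gets the same, searchable digest."""
    return hashlib.sha1(password.encode()).hexdigest()


def new_salt() -> str:
    """A fresh random salt per stored password."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(SALT_LEN))


def salt_space() -> int:
    """The post's 'about 10^14 ways to store this one password': 64 ** 8."""
    return len(SALT_ALPHABET) ** SALT_LEN


def derive(password: str, salt: str, iterations: int = ITERATIONS) -> str:
    """Hash the salted password; the salt goes in as PBKDF2's salt rather than
    being string-prepended, but the effect is the same: different salt, different hash."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return base64.b64encode(digest).decode().rstrip("=")


def hash_password(password: str, salt: Optional[str] = None) -> str:
    """Store the salt right there with the hash, '$'-delimited, like crypt does."""
    salt = salt or new_salt()
    return f"${ALG_ID}${ITERATIONS}${salt}${derive(password, salt)}"


def parse(stored: str) -> Tuple[str, ...]:
    """Split a crypt-style string on '$'. Works on the post's MD5-crypt strings too:
    '$1$9XsNo9.P$kTPu...' -> ('1', '9XsNo9.P', 'kTPu...')."""
    if not stored.startswith("$"):
        raise ValueError("not a crypt-style string")
    return tuple(stored[1:].split("$"))


def verify(password: str, stored: str) -> bool:
    """The post's check: re-run the hash with the stored salt and compare.
    Constant-time comparison so the check itself leaks nothing about the match."""
    alg, iters, salt, expected = parse(stored)
    if alg != ALG_ID:
        raise ValueError(f"unsupported algorithm id {alg!r}")
    return hmac.compare_digest(derive(password, salt, int(iters)), expected)


if __name__ == "__main__":
    person1 = hash_password("baseball")
    person2 = hash_password("baseball")   # same password, different salt
    print(person1)
    print(person2)
    print("hashes differ:", person1 != person2)
    print("correct password verifies:", verify("baseball", person1))
    print("wrong password rejected:", verify("football", person1))
    print("salt space:", salt_space())
```

Running it prints two different stored strings for the same password "baseball", then True, True, False, and the salt space 281474976710656 (64 to the 8th, the roughly 10^14 the post mentions).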