Submitted by AutoModerator t3_ywvph3 in askscience
calcopiritus t1_iwnxzeb wrote
Reply to comment by PieMastaSam in Ask Anything Wednesday - Engineering, Mathematics, Computer Science by AutoModerator
While you have received many answers on the AES thing, I've only seen one on the hash question.
Hashes are not difficult to reverse, they are impossible. That is because you lose information when performing a hash.
It's easy to see if we use the modulus operator (%). It's just the remainder you get after a division. So 1%3 = 1, 2%3 = 2, 3%3 = 0, then 4%3 = 1 again.
So if I tell you to solve x%3=1, you can't know what X is. It might be 1 or 4 or 7...
If I hash my password "1234" and it becomes "hfiek", you have no way to obtain "1234" back, because there is an infinite amount of passwords whose hash is "hfiek".
Treacherous_Peach t1_iwp3pwy wrote
Wouldn't any solution be sufficient? Don't most places use the same hashing algorithms? So who cares if you got a different password from the real one, it will probably still work on other sites too?
calcopiritus t1_iwp4k5e wrote
To "break" a hash yes, any solution is sufficient. However, getting 1 of those solutions is still really hard. In this case the total amount of "hashes" is 3: either 0, 1 or 2. Real hashing algorithms have many more possible hashes.
It won't necessarily work in other sites for 2 reasons.
-
"1234" and "7463" might generate the same hash using algorithm X, but it probably won't using algorithm Y. If 2 sites use different algorithms, you have to know the actual password. EDIT: I just saw you mentioned this, but it's still interesting to point out.
-
Just hashing a password is bad practice for exactly this reason, so the recommended technique is doing hash+salt. That means every site generates a random "salt" for every user, and adds it to the password before hashing. So the password for site X is actually "1234jdyendi" while in site Y is "1234udnfki". Although you type the same password in both sites, it's actually a different one from an attacker POV, you need to know "1234", any other solution won't work for both sites.
Viewing a single comment thread. View all comments