[ale] unsalted hashes of 6 million linkedin passwords published on the internet

Tim Watts tim at cliftonfarm.org
Fri Jun 8 10:13:13 EDT 2012


Makes sense now.  Thanks!

On Fri, 2012-06-08 at 09:58 -0400, Michael H. Warfield wrote:
> On Fri, 2012-06-08 at 08:54 -0400, Tim Watts wrote:
> > Thanks for this Mike.  Great lesson as usual!
> 
> > On Thu, 2012-06-07 at 22:56 -0400, Michael H. Warfield wrote:
> 
> > RE Salts:
> > > So it prevents some optimization in brute forcing
> > > large tables of passwords (like the Linkedin dump). 
> 
> > I guess I don't quite see this.  If the salt is invariably stored with
> > the hash this sounds a bit like claiming base64 is a form of encryption.
> > The only way I can make sense of this is if the encoding of or
> > association between the salt and hash is somehow a system secret.  Or if
> > you don't know the hashes are salted.  Am I missing something?
> 
> Without salt, the attacker would take a brute force password guess and
> hash it once and compare that hash to all the hashes in the database.
> One hash operation per guess to do all the hashes in the table and it's
> a straight compare.
> 
> With salt, you have to hash your password with the hash salt that's
> there for each entry in the table.  So, if you have 6.5 million entries
> in the compromised hash table you would likely have to hash the guess
> with each individual salt (6.5 million is still a very tiny percentage
> of even 2^48 so collisions are almost non-existent) resulting in 6.5
> million hash operations where you would only have needed 1 hash
> operation without the salts.  6,500,000:1 is quite an optimization and
> that's why I said "large tables".  The larger the table, the bigger the
> effect.
> 
> The hash is a one-way function.  Even with the salt present with the
> hash (necessary for verification) you can't reverse the hash back to the
> password so the presence of the salt doesn't weaken the hash.  It's not
> any more secret than the hash itself and is necessary to compute the
> hash given a password to test and verify.
> 
> Here...  I'll give you an example from the shadow file (no, it's not an
> active account but it's a real hash, you can try and brute force it if
> you like...)
> 
> *****:$1$mVyvPlQz$M02ivX0uzi6al7vWWu5X6.:15499:1:::::
>                   ^^^^^^^^^^^^^^^^^^^^^^ Hash
>          ^^^^^^^^ 48 bit salt - almost 3 * 10^14 possibilities.
>       ^^ Algorithm 1 - md5
> 
> This is a SHA512 hash pulled from a web page I had handy...
> 
> *****:$6$QR3drPrQ$JLolPKyiVuXvea1F2IpbPx9F9PEV0s/IGcNCpm6ZrBA6AFDvwHPQG7EsTQHuUqxfCvlsuKRb.O7w5RLPyj8nS/:15119:0:99999:7:::
> 
> Same format, just algorithm 6, sha512.
> 
> With the salt, you can hash a password the user enters and, if it then
> matches the hash you expect, you have a verification match.  That salt
> has to be present with the hash at the point and time of verification.
> In theory, they could be stored in different locations but, in practice,
> that really doesn't buy you much since they have to be retrieved
> together and are tightly associated, so they're generally stored
> together.  If that table is compromised, the brute force attacker would
> then merely take the salt, combine it with the password he's using to
> guess, and then compare.  But, without a salt, he only has to hash the
> password once and do a simple compare to all the entries.  Grep would do
> the job.
> 
> Regards,
> Mike
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part
Url : http://mail.ale.org/pipermail/ale/attachments/20120608/26f1dfe9/attachment.bin 


More information about the Ale mailing list