|
raddevus wrote: They shouldn't care how long the password is at all since they would throw it away anyways. No, they'd save a hash. And those are usually fixed in length.
Bastard Programmer from Hell
"If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
|
|
|
|
|
They wouldn't store the password but a (fixed size, hopefully long enough) hashed version of it. If the hash is shorter than a "really long" password such as yours, then there will be guaranteed collisions. A brute force strategy would find (possibly multiple) valid password(s) that you did not intend.
So in one sense, you are correct that they shouldn't care about password length - longer passwords weaken the answer. But that somewhat becomes your problem not theirs.
In the big picture, users of that website should be concerned more about the hash length, but users are rarely privy to that info.
If pigs could fly, just imagine how good their wings would taste!
- Harvey
|
|
|
|
|
H.Brydon wrote: If the hash is shorter than a "really long" password such as yours, then there will be guaranteed collisions
Yeah, this is not a concern.
The issue with collisions has to do with can you force a collision. So for instance, it's possible to create two completely different PDF documents, both which come up with the same MD5 hash. Obviously this is a problem if using an SSL certificate. But a password, hashed with a current secure hash, you've got as much chance of finding a valid collision with "Password" as you do with "GuessThisReallyLongPassword".
|
|
|
|
|
Would collisions still occur with salted hashes? It’s my understanding that all password hashes ‘should’ be salted
modified 6-Sep-22 21:01pm.
|
|
|
|
|
Salting is something different.
The issue is that without salting (aka adding some random data into the password), then it's very easy to reverse hashed but not salted passwords back to plain text using things like rainbow tables.
It also stands out if anyone gets hold of the password hashes if default passwords have been used. For example if you see every third account stating it's password is "B2E98AD6F6EB8508DD6A14CFA704BAD7F05F6FB1" it doesn't take long to realise that every user have all entered the same password. In this case Password123.
If you want to see a rainbow table in action, do a google search for it, and enter in the above hash and you'll see what I mean. (I won't provide a link, because like all cracking websites, I would suggest being very careful using it, and I'm not willing to post a URL that turns out to be bad).
As far as I know, salts can be stored safely with the hash (although I'm all ears if a security person wants to tell me otherwise).
Edit - just to answer the actual question: yes, collisions are still technically possible with salted hashes. But again it's not if a collision is technically possible, but rather is there a known way you can cause a collision with two different piece of data.
|
|
|
|
|
My passwords are about a dozen characters long (note how I said "characters", not "letters") and didn't get hacked in either way. Length is nice, yes, but it's not everything.
|
|
|
|
|
It really doesn't matter a phising trip is more likely the attack vector.
|
|
|
|
|
How 'bout a password created from characters not on the keyboard?
¬└┴─╞󶧶¬•♀⌐ÅÆôæ
Unicode character [codes] based on significant dates, phone numbers, or lottery tickets - easy to remember. Press the alt key, enter the char code... Makes the character pool much larger for brute force attacks. but I think the only real way the make brute force or dictionary attacks unfeasible is a built-in delay, either in each attempt, or a lockout after a preset number of failed attempts. A thousand bots trying a thousand times a second are much more likely to find a password (or hash collision) than only being able to try three times, and then having to wait 30 minutes to try the next.
I agree with you - phishing and social engineering are much more likely attack vectors these days.
-Bob
|
|
|
|
|
They shouldn't care how long the password is at all since they would throw it away anyways.
they shouldn't care how short it is neither
|
|
|
|
|
incomprehensible razing of bruin citadel (11)
|
|
|
|
|
Cerdulatinib?
Even the Wiki article[^] is incomprehensible ...
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
AntiTwitter: @DalekDave is now a follower!
|
|
|
|
|
It seems they 'jabed' you counting center...
"The only place where Success comes before Work is in the dictionary." Vidal Sassoon, 1928 - 2012
|
|
|
|
|
He forgot to shave this morning.
|
|
|
|
|
We give up what is it
"I didn't mention the bats - he'd see them soon enough" - Hunter S Thompson - RIP
|
|
|
|
|
Why haven't you posted an Oi Greg Utas ?
"I didn't mention the bats - he'd see them soon enough" - Hunter S Thompson - RIP
|
|
|
|
|
The poor man is on his sick bed.
|
|
|
|
|
He's been posting today though
"I didn't mention the bats - he'd see them soon enough" - Hunter S Thompson - RIP
|
|
|
|
|
Dictated to the cat I expect.
|
|
|
|
|
|
It's now 12:20 UK time
"I didn't mention the bats - he'd see them soon enough" - Hunter S Thompson - RIP
|
|
|
|
|
I had to redo it because the first one used a word that is foreign to Brits.
|
|
|
|
|
"I didn't mention the bats - he'd see them soon enough" - Hunter S Thompson - RIP
|
|
|
|
|
If I'm right - always a very dubious proposition - then the spelling of the answer is unfamiliar to us Brits.
|
|
|
|
|
|
Ah - OK - then I'm wrong in my solution, because the word I thought it was isn't in that dictionary.
|
|
|
|