Hacker Read

sdkmvx · 2011-07-30 03:48:47+00:00

Yep. But they are hex strings that look like (are) hashes, and that's all I need to make the point. Next time I'll use /dev/urandom for that :)

In a real scenarios, use PBKDF2 or bcrypt!

reply

16s | karma 3211 | avg karma 3.38 · | 2012-05-08 22:42:48+00:00

What sort of hashes are those?

Edit: Nevermind... they seem to be passwords, not hashes. They look randomish though. Likely computer generated.

reply

TylerE | karma 18504 | avg karma 2.4 · | 2022-06-29 09:36:58

No, I'm talking about password hashing. Stuff like PBKDF2

jacooper | karma 6833 | avg karma 2.57 · | 2022-07-12 17:39:31

These are password hashes, not the password it self.

tptacek | karma 394296 | avg karma 6.04 · | 2016-11-03 21:21:54+00:00

Yes, and that's a good pattern. Just not for password hashes.

pimeys | karma 5727 | avg karma 4.5 · | 2012-06-06 07:52:27

No they're not. I tried the following:

> irb

> require 'digest/sha1'

> Digest::SHA1.hexdigest 'my_password'

=> hash_string

Then I searched the file with the hash string and found my password. I really hope they don't also have the usernames somewhere.

reply

sdkmvx | karma 408 | avg karma 3.52 · | 2011-07-29 10:00:36

There's still the question of why he would need the password hashes. Assuming he wanted the plaintext passwords to see if they are 'complex' and 'strong,' he would have a hard time telling that from the hashes.

5f4dcc3b5aa765d61d8327deb882cf99 and 05b28d17a7b6e7024b6e5d8cc43a8bf7: Which is a dictionary word and which is a string of punctuation? (I didn't salt :))

reply

katbyte | karma 3315 | avg karma 1.95 · | 2013-05-16 01:28:33+00:00

Yes, I was thinking more along the lines of hacking into something rather then decrypting a password hash.

pieguy | karma 163 | avg karma 5.82 · | 2018-01-05 07:38:45+00:00

There's a decent chance the passwords you found aren't the actual passwords either, considering how easy it is to generate collisions for the hash function.

haakon | karma 1840 | avg karma 5.64 · | 2012-06-10 19:15:18+00:00

He must be referring to them storing the passwords as unsalted SHA-1 hashes.

shawabawa3 | karma 5773 | avg karma 4.04 · | 2021-06-28 15:45:25+00:00

no

basically the hashing algorithm they use strips out certain information, which means that e.g.

"PaSSWord123" "pAsswORD123" "PaSSWord123 " etc

all hash to the same value, and so are equivalent.

reply

peterwwillis | karma 1 | avg karma 0.0 · | 2014-08-28 16:00:03+00:00

Right; it's a cryptographic hash. Technically there's no such thing as a 'password hash', only password KDFs and their results, which are composed primarily by cryptographic hashes. I think the guy's point was that if you're going to build a password KDF, you might as well use a hash function that's less shitty than MD5 and SHA1.

uvdiv | karma 4215 | avg karma 6.21 · | 2012-08-21 10:45:57+00:00

That looks like they're using unsalted SHA-256 as a password derivation function? And they reimplemented every cryptographic primitive themselves?

I'll pass.

reply

twiss | karma 1647 | avg karma 3.74 · | 2020-08-10 17:36:33+00:00

No, that's fine :) It wasn't clear to me from your original comment whether you were hashing passwords, apologies.

buboard | karma 6145 | avg karma 1.29 · | 2019-10-09 14:28:08+00:00

oh! I thought the whole thing was the password, apparently the first part is the hash

yuhong | karma 6263 | avg karma 1.05 · | 2010-12-13 00:33:09+00:00

And if you read that file, you will read that they used DES for hashing. Reminds me of the LM hash. The LM hash generated two hashes using DES from two 7 byte parts of a 14 byte password. Basically they use each individual 7 byte part as a DES key to encrypt a fixed string. Repeat this twice for each 7 byte part, and concatenate the results, and you get the LM hash.

hartator | karma 6634 | avg karma 2.18 · | 2015-10-19 20:18:15+00:00

I don't think it's technically possible because they do display some of the letters.

They are just probably stored plain text or encrypted the password somewhere but I don't there is way to be a one way hash.

I'll be on just plain incompetence.

reply

ShabbyDoo | karma 3010 | avg karma 2.84 · | 2010-12-13 01:12:55+00:00

So, were these "passwords" stored as salted hashes?

agersant | karma 104 | avg karma 1.33 · | 2015-02-09 23:28:29

I think he meant plaintext as opposed to a hash of the password.

akerl_ | karma 11233 | avg karma 4.82 · | 2014-02-15 21:40:07+00:00

You may be joking, but for the sake of other people who might read that and not know the reality of the situation:

That is not the case. Even just the length makes it pretty clear which hash is in use ( https://en.wikipedia.org/wiki/List_of_hash_functions ), and even assuming some crazy "security" scheme in use for storing them (hashing and then padding, or some such), someone with the hashes only has to figure out one password to figure out the procedure used. Given the high likelihood of there being "password" or "12345" hashed somewhere in there, that's not so hard.

reply