Re: Passwords on Linux systems(for all flavors)

From: Kyle Wheeler (kyle_at_memoryhole.net)
Date: 07/15/05

  • Next message: Glynn Clements: "Re: Passwords on Linux systems(for all flavors)" 
    Date: Fri, 15 Jul 2005 11:47:36 -0500
To: focus-linux@securityfocus.com

    On Wednesday, July 13 at 10:00 AM, quoth Roman Daszczyszak:
    > How long is the standard password MD5 hash, 128 bits?

    Yup.

    > So theoretically, the longer the password gets, the likelyhood of
    > rolling over the top number and getting duplicate hashes for multiple
    > password increases as well, yes?

    Pretty much, but there's no guarantee that if you compute the MD5 sum of
    the all numbers between 0 and
    340,282,366,920,938,463,463,374,607,431,768,211,456 (2^128) you will get
    the complete set as output. There could theoretically be duplicates even
    from input of less than 128 bits.

    > I mean, I'm not sure exactly how the MD5 hash algorithm works, but I'm
    > sure there's a finite size to the input, after which it becomes
    > ineffective because of the duplication I mention above.

    The question in general more: if I give you an MD5 sum, how difficult is
    it for you to guess a string that will produce the same MD5 sum. Now,
    there has been a lot of research into breaking the MD5 algorithm by
    pre-computing things, but if we're talking about any fixed-size-output
    hash function (e.g. SHA-256, which produces 256 bits of output, or a
    measly 32 ASCII characters), the answer is: really really REALLY hard.

    Is MD5 (or any fixed-length output hash) ineffective for input that is
    more than the number of output bits? Not at all. For example, how would
    you go about finding the input string to produce the md5sum
    "1234567890abcdef"? Ready... GO! Things get MUCH harder when we upgrade
    to something like SHA-256 (find a string that produces
    "abcdefghijklmnopqrstuvwxyz123456").

    Hashes (such as these) are *designed* for turning large numbers of bits
    into smaller numbers of bits.

    ~Kyle 

    -- 
A lot of the truths we cling to depend greatly on our own point of view.
                                                       -- Obi Wan Kenobi

  • Next message: Glynn Clements: "Re: Passwords on Linux systems(for all flavors)"