Hashed PW's more secure than encrypted PW's?
From: sakky (sakhalinrf@hotmail.com) Date: 06/14/02
From: "sakky" <sakhalinrf@hotmail.com> Date: Fri, 14 Jun 2002 19:13:30 GMT

Hey Unix gurus, can somebody answer this?

I have read many times how the preferred way in most Unix flavors to keep
track of passwords is to keep hashes of those passwords. I have read lots
of things that have stated that this is more secure than merely encrypting
those passwords. Clearly this is more secure than just keeping the
clear-text passwords lying around.

Can anybody explain how it is that hashing is more secure than encrypting?
The books I've read have stated that the file with those encrypted passwords
can be decrypted, and I can only assume this would be done via a brute-force
attack to get the encryption key. For example, somebody somehow obtains
that file with the encrypted passwords and then just starts running
brute-force on it to decrypt it. Well, OK, but wouldn't you also be able to
do brute-force on hashed passwords as well? What I mean is that you might
try every single combination of a password (via brute force) and then hash
it with the algorithm (which is well-known) to see if the result you get is
equal to what is in the file with the hashed passwords.

So it seems to me that hashing the passwords is no more secure than just
encrypting the passwords. In either case, it seems to me that the level of
security would boil down to, in the case of encryption, the length of the
key, and in the case of hashing, the length of the password. Yet all the
literature I have read has emphatically stated that hashing the passwords is
better than encrypting them. What am I missing here?
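
An added example, not part of the original post: the two storage schemes the question contrasts, built side by side so the difference in what each stored record allows is visible. The toy keystream cipher stands in for a real cipher, PBKDF2 is an assumed choice of hash, and all function names and the sample accounts are hypothetical.

```python
import hashlib, hmac, os

# Scheme A: reversible encryption. Toy SHA-256 keystream cipher, a stand-in
# for a real cipher; illustration only, not for production use.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt_pw(key: bytes, password: str):
    nonce, data = os.urandom(16), password.encode()
    return nonce, bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def decrypt_pw(key: bytes, record) -> str:
    nonce, ct = record
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

# Scheme B: salted one-way hash (PBKDF2 is an assumed choice, not from the post).
def hash_pw(password: str, iterations: int = 50_000):
    salt = os.urandom(16)
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_pw(password: str, record) -> bool:
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def compare_stores():
    users = {"alice": "correct horse", "bob": "correct horse"}  # constructed sample
    key = os.urandom(32)  # must live on the login host to check passwords
    enc_store = {u: encrypt_pw(key, p) for u, p in users.items()}
    hash_store = {u: hash_pw(p) for u, p in users.items()}
    # Whoever holds the key gets every plaintext back in one pass, no guessing.
    recovered = {u: decrypt_pw(key, rec) for u, rec in enc_store.items()}
    # The hash store has no key and no inverse; it can only confirm a guess,
    # and the per-user salt makes identical passwords store differently.
    return users, recovered, hash_store

if __name__ == "__main__":
    users, recovered, hash_store = compare_stores()
    print("encrypted store + key ->", recovered)
    print("hash store verify alice:", verify_pw(users["alice"], hash_store["alice"]))
```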