
[ale] unsalted hashes of 6 million linkedin passwords published on the internet



> I guess I don't quite see this. If the salt is invariably stored with
> the hash this sounds a bit like claiming base64 is a form of encryption.
> The only way I can make sense of this is if the encoding of or
> association between the salt and hash is somehow a system secret. Or if
> you don't know the hashes are salted. Am I missing something?
>

If the passwords were salted then I wouldn't be able to hash the
password "password" and test it against all 6.5 million hashes. I
would have to hash the word "password" with the salt and test it
against the first hash. Then I would have to hash the word "password"
with the next salt and test it against the next hash. This
exponentially increases the work necessary to crack the 6.5 million
passwords. If someone were targeting a single password then it would
make no difference.


-- 
Stephen Haywood
Information Security Consultant
CISSP, GPEN, OSCP
T: @averagesecguy
W: averagesecurityguy.info
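The work-factor argument in the reply above, as an added example that is not part of the original thread: the same constructed user table is stored once as bare SHA-1 and once with a random per-user salt, and a weak-password audit against each table counts how many digests it has to compute. The user names, passwords and audit list are constructed sample data, not values from any real leak.

```python
import hashlib
import os

# Constructed sample data, not taken from any leak: two users share a password.
USERS = {"alice": "password", "bob": "hunter2", "carol": "password"}
WEAK_LIST = ["123456", "password", "letmein"]  # constructed audit list


def unsalted_store(users):
    """The scheme under discussion: store SHA-1(password) only.

    Identical passwords produce identical hashes, so duplicates are visible."""
    return {u: hashlib.sha1(p.encode()).hexdigest() for u, p in users.items()}


def salted_store(users, salt_len=16):
    """Store a random per-user salt next to SHA-1(salt || password).

    The salt is not secret; it only forces one digest per (user, candidate)."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(salt_len)
        store[u] = (salt, hashlib.sha1(salt + p.encode()).hexdigest())
    return store


def audit_unsalted(store, weak_list):
    """Return (hash evaluations, users found) when auditing the whole table.

    One digest per candidate is compared against every stored hash, so the
    cost is len(weak_list) no matter how many users the table holds."""
    evaluations, found = 0, {}
    for cand in weak_list:
        h = hashlib.sha1(cand.encode()).hexdigest()
        evaluations += 1
        found.update({u: cand for u, v in store.items() if v == h})
    return evaluations, found


def audit_salted(store, weak_list):
    """Same audit on the salted table: every (user, candidate) pair needs its
    own digest, so the cost is len(weak_list) * len(store). Auditing a single
    user still costs only len(weak_list), as the reply notes."""
    evaluations, found = 0, {}
    for u, (salt, stored) in store.items():
        for cand in weak_list:
            evaluations += 1
            if hashlib.sha1(salt + cand.encode()).hexdigest() == stored:
                found[u] = cand
    return evaluations, found
```

With three users and three candidates the unsalted audit costs 3 digests and the salted one 9; scale the table to 6.5 million rows and the multiplier is the point of the reply.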