Wednesday, October 24, 2007

Just a thought on hashing..

Hashing is a really powerful tool that can be used to hide data such as passwords. Hashing is one-way, meaning that once you hash a word, you can't derive the original word from the hashed one. People might ask: why hash it if it can't be brought back? Hashing is a good tool for passwords. A person may use one password for all of his or her accounts, so if someone gets into the database and sees the password, he might be able to access that person's other accounts (bank, email, etc.). That is why passwords are hashed. Then how can you compare a hashed password to an unhashed one? It's simple: hash the unhashed one with the same hash function that you used for the hashed one, then compare the two. If they are equal, the password is correct.

I believe that hashing really is one-way because of the algorithm that it uses, but there is one thing that can "cheat" that. Let's say a password is 6 to 10 characters long. Create a script that hashes all possible combinations from 6 to 10 characters and saves them in a table.

Example:

Table hashtable

normal hashed(SHA1)
000001 0a620481ca00b00de7eedb407a68b9163dcabae3
000002 86dfb043360b0e9ef7767e6ea7ad09fb7fb81537
... ...
... ...
... ...
d3nn1s 7b7edb6fda80187ac8a3f18b2c2b9bfef7a95acc
... ...
ZZZZZZZZZX 3ae4c15d5da68511a49a6171d0df2f7e51207fa6
ZZZZZZZZZY 27fb26c695b91422e048b7ccd2557209472d7fbc
ZZZZZZZZZZ 5df31df13a3fe267e1ae0a35f71bdc70b0249d35

If your script saved all of these in a table, just search it, for example:

-- look up the original word for a known SHA1 hash
SELECT normal
FROM hashtable
WHERE hashed = '7b7edb6fda80187ac8a3f18b2c2b9bfef7a95acc';

That way, you will surely get the reverse of that hashed word, which is d3nn1s. Also, hash functions have a fixed output length:

MD4 = 32 characters
SHA1 = 40 characters

so it gives you a big clue about which hash function was used, unless you do character stuffing.
It is also proof that hashing is one-way (before the brute force). For example, if you hash the string "ang mantech na subject ay napakasayasayasayasayasaya talaga!" using SHA1, the result would be "5df31df13a3fe267e1ae0a35f71bdc70b0249d35". Obviously, the string that you used is longer than 40 characters, and the end result is only 40 characters, so how can you derive a combination of 60 characters from 40 characters? It can only be done by "brute force" (hashtable).
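
The hash-and-compare check and the lookup table described above, as an added Python example that is not part of the original post; the candidate list, the function names and the PBKDF2 parameters are assumptions made for illustration. It shows that an unsalted SHA1 hash is found by a precomputed table, while a random salt per stored password makes the same table miss and the login check still works.

```python
import hashlib
import hmac
import os

# Constructed sample candidates (a tiny stand-in for the "all combinations" table).
CANDIDATES = ["000001", "000002", "d3nn1s", "letmein"]


def sha1_hex(text: str) -> str:
    """Unsalted SHA1 as 40 hex characters, the format used in the post's table."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def build_table(candidates):
    """Precompute hash -> original word, like the 'hashtable' table in the post."""
    return {sha1_hex(c): c for c in candidates}


def store_salted(password: str, iterations: int = 100_000):
    """Assumed hardened storage: random 16-byte salt plus a slow PBKDF2 digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_salted(password: str, record) -> bool:
    """Login check: repeat the same derivation, then compare in constant time."""
    salt, iterations, digest = record
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(attempt, digest)


def demo():
    table = build_table(CANDIDATES)
    rec_a = store_salted("d3nn1s")
    rec_b = store_salted("d3nn1s")  # same password, different random salt
    return {
        "unsalted_lookup": table.get(sha1_hex("d3nn1s")),  # table hit
        "salted_lookup": table.get(rec_a[2].hex()),        # table miss
        "same_password_same_record": rec_a[2] == rec_b[2],
        "verify_ok": verify_salted("d3nn1s", rec_a),
        "verify_bad": verify_salted("d3nn1z", rec_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```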
