Password Cracking Made Easy Thanks to the GPU

[f0dder]

In the password/security context, hash means "one way cryptographic algorithm"

Dunno if it's a false sense of security, hashes do make it pwetty damn hard retrieve your password, unless the attacker can use rainbow tables - but those are at least partially thwarted if you use some salt with your hash (unless the attacker generates mindbogglingly large rainbow tables).

[Lashiec]

Yes, I know that, but "one way cryptographic algorithm" has more oomph

[vixay]

I did not know what a rainbow table was. Now i do.
you learn something new everyday!
Here's a link for the inquisitive!

http://en.wikipedia....g/wiki/Rainbow_table

f0dder though seems like you've had experience in this. How would you use a hash to bypass a password? That was implied in one of the earlier posts, that having the hash is as good as having the password.

[f0dder]

f0dder though seems like you've had experience in this. How would you use a hash to bypass a password? That was implied in one of the earlier posts, that having the hash is as good as having the password.

-vixay (November 05, 2007, 04:42 AM)

It depends on how it's utilized. But consider a solution where you enter your passphrase, but instead of sending the passphrase to the server for validation, a hash of the passphrase is sent. This could be done "for security", to avoid having your passphrase being transmitted, and thus be snoopable. With that method, you can still snoop the hash though...

Another method is to send a hash of (session-unique-data + passphrase), which APOP/CRAM-MD5 does, that's pretty nice and means people will never see your passphrase, you cannot simply use the hash, etc... but it also means the passphrase has to be stored plain-text (or encrypted but with auto-decrypt which is essentially the same level of security as plaintext) serverside.