Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: MD5 Password encoding, "straight" vs "salted" hashes

from [Noam Eppel] Network Security [Permanent Link]
Subject: Re: MD5 Password encoding, "straight" vs "salted" hashes
Date: Thu, 18 Aug 2005 00:54:34 -0400 

Hello Peter,

To clarify, for the purpose of brevity I didn't include any information about including a random value (salt) into the hash equation.

Certainly, a straight hash is not recommended.

Regards,
Noam

From: Peter Watkins <peterw@usa.net>
To: Oleg Topchiy <edge@ua.fm>
CC: webappsec@securityfocus.com
Subject: Re: MD5 Password encoding, "straight" vs "salted" hashes
Date: Wed, 17 Aug 2005 12:55:47 -0400

On Wed, Aug 17, 2005 at 10:54:20AM +0300, Oleg Topchiy wrote:

> Wednesday, August 17, 2005, 7:52:15 AM, you wrote:

> > If you are implementing a one-way hash correctly, there should be no need to
> > store the plaintext passwords. All that should be stored is the resulting
> > hash of each password.
>
> > For example, if the plaintext password is, "secretpassword" the MD5 hash of
> > that password would be, "31435008693ce6976f45dedc5532e2c1".
>
> > That hash can be stored in the user database instead of a password. The
> > advantage of this is that if the confidentiality of that database is
> > compromised, no passwords will be revealed. There is no feasible way to
> > reverse a one-way hash function to reveal the plaintext password.

> It's true, but if the whole database is comporomised, there is a good
> chance that vast number of the passwords won't stand against even
> dictionary attack, leave alone bruteforce. Although this method
> provides best balance between complexity and security.

"Best" balance? Noam suggested a "straight" hash of the password. Don't do
that. If you're going to store hashes of passwords (good idea), use "salted"
hashes, whether a common standard like BSD's MD5-based crypt() routine, or
something else that at least uses significantly long random salts, if not
also some fairly time-consuming algorithm.

Dictionary attacks against straight hashes are relatively feasible, as only
one hashed value is needed in the attack dictionary for any given password.

Straight hashes also allow attackers to ascertain which accounts have the
same cleartext (MD5 hex of "secretpassword" is always the same value, but
there are 64^8 possible BSD MD5 crypt() encodings of "secretpassword")
-- crack or socially engineer the password for one account, and the
attacker can use the others, too.

Finally, since it's expensive to convert "straight" hashes to "salted"
hashes -- you either have to crack each straight hash or wait for the
user to provide the cleartext [e.g., log in] to determine a valid salted
hash for each straight hash you've recorded -- you don't want to start
with straight hashes for any new systems. Use somebody else's time-tested
salted crypt() routine for storing passwords if you expect the users to
supply cleartext passwords to aythenticate themselves.

Here are sources of relatively free implementations of Poul-Henning Kamp's
BSD MD5 salted crypt that I've had good luck with:

C/ original MD5/salted crypt.c  -  http://people.freebsd.org/~phk/
a CPAN Perl module port         -  http://search.cpan.org/dist/Crypt-PasswdMD5/
and a Java port                 -  ftp://ftp.arlut.utexas.edu/pub/md5/
  // note: the Java port should use SecureRandom for better security

-Peter



[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Re: MD5 Password encoding, "straight" vs "salted" hashes, Noam Eppel <=
Previous by Date:  Re: Application Assessment, goenw
Next by Date:  Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection), Gary Gwin
Previous by Thread:  IT Security World 2005 ???, Saqib Ali
Next by Thread:  RE: Windows 2003 Server Hardening, Steven Jones
Indexes:  [Date] [Thread] [Top] [All Lists]