How dangerous is it to potentially give away two different hashes of a password?

 
Ranch Hand
Posts: 32
Knowing only one digest of a password (i.e. MD5) it is almost impossible to get the original String. How much easier is it to get the original in case two digests are known (i.e. MD5 and SHA-1)?
 
Saloon Keeper
Posts: 15510
Does it matter? Don't use either MD5 or SHA1 to hash passwords.
 
Oleg Shubin
Ranch Hand
Posts: 32
Which algorithms are better for password hashing then? Anyway, I was asking my question about a general case with generic hashing algorithms.
 
Stephan van Hulst
Saloon Keeper
Posts: 15510
You should be using bcrypt, PBKDF2 or scrypt. Using algorithms like these, your question boils down to: Given two hashes, does some password hash to both of them? These algorithms were designed to make this problem difficult.
 
Oleg Shubin
Ranch Hand
Posts: 32
Thank you for your answer. I think what you meant to say is that even having several hashes of a password does not make it much easier to "crack".
 
Sheriff
Posts: 67746
Actually, I would say that it is easier: with two hashes there is twice as much chance that the password will be in a "crack dictionary".
 
Stephan van Hulst
Saloon Keeper
Posts: 15510
Do you mean something like a rainbow table, Bear?
 
Bear Bibeault
Sheriff
Posts: 67746
Yes.
 
Stephan van Hulst
Saloon Keeper
Posts: 15510

Oleg Shubin wrote: I think what you've meant to say is that even having several hashes of a password does not make it much easier to "crack".

No. What I meant is that, if you use the correct algorithms, your question becomes meaningless.

If my question was "Is it easier to hit nails with a Phillips screwdriver or with a blade screwdriver?" your answer would be "Use a hammer".

Don't use a screwdriver to hit nails into a wall. Don't use a hashing algorithm to hash a password. Use a key derivation algorithm. MD5 and SHA1 are not proper key derivation algorithms. They are susceptible to the kinds of attacks that Bear alluded to. PBKDF2 and bcrypt are not.
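As an added illustration of the difference Stephan and Bear describe (example code written for this page, not code from the thread): an unsalted MD5 or SHA-1 digest is identical for every user who picked that password, so one precomputed table entry answers it for all of them, whereas a PBKDF2 record with a fresh random salt differs per user and must be recomputed for every guess. Only the Python standard library (hashlib, hmac, os, base64) is used; the iteration count and the record format are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 600_000  # assumed default for this example; tune to your hardware budget
SALT_BYTES = 16
KEY_BYTES = 32


def fast_digest(password: str, algorithm: str) -> str:
    """Unsalted single-pass digest (e.g. 'md5', 'sha1'): what the thread warns against."""
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA256 with a random per-password salt.

    Returns a self-describing record 'pbkdf2_sha256$<iters>$<salt b64>$<key b64>'
    (record layout is an assumption of this example) so the parameters can be
    raised later without breaking old entries.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return "pbkdf2_sha256${}${}${}".format(
        iterations, base64.b64encode(salt).decode(), base64.b64encode(key).decode())


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, key_b64 = record.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(key_b64)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def same_password_two_users(password: str, iterations: int = ITERATIONS) -> Tuple[bool, bool]:
    """Two users choose the same password: do their stored values coincide?

    Returns (md5_equal, pbkdf2_equal). The first is always True (one table lookup
    serves every user); the second is False because each record has its own salt.
    """
    md5_equal = fast_digest(password, "md5") == fast_digest(password, "md5")
    pbkdf2_equal = hash_password(password, iterations=iterations) == \
        hash_password(password, iterations=iterations)
    return md5_equal, pbkdf2_equal
```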
 