
hashing

14 replies to this topic

#1
Guest_h4x_*
  • Guests
let's take an example, md5.
hash is 32 bytes each with 16 states, from 0 to 15.

so we have 16^32 hashes available, and that gives (i skip internal details of md5 because they don't matter here, for this reason few /billion/ hashes might repeat and other be missed but it's about probability, so that doesn't matter really.) 256^16. 256 is the amount of byte state, and 16 is number of them
we have 16 bytes, which will produce all amount of hashes. As i said, we skip internals, some might be off, and some multiple.

What does it mean? Well, nothing. I always wondered what's the purpose of hash. I still don't know. But, this proves that no matter how long your password is all it takes is a rainbow table for 16 bytes, which i believe is already generated by supercomputer.

I want to discuss here about whole purpose of hashing, because i don't see one.

#2
WingedPanther

    A spammer's worst nightmare

  • Moderators
  • 16,831 posts
This is why it is recommended that you use a stronger (longer) hash than MD5 for storing passwords. SHA-512 comes to mind.

The purpose of a hash is to store a non-unique "signature" where a small change in the source will produce a drastically different "signature". MD5 is still useful for things like verifying file integrity when downloading a large file, or ensuring the file hasn't been manipulated maliciously, but for anything important it should not be used. SHA-1 and SHA-2 do the same thing, but with less chance of collision.
Programming is a branch of mathematics.
My CodeCall Blog | My Personal Blog

#3
Guest_h4x_*
  • Guests

Quote

MD5 is still useful for things like verifying file integrity when downloading a large file
if bigger file it has more chance of collision.
probability tells, that adding half of 256^16 any byte at the end will repeat itself.

and passwords?
16+ char pass is rare.
and to guess it you don't even need to consider all byte states.

hash = compression done by idiots. but that is my opinion of course.
you may ask, how to store passwords in database?
as plain text. if someone is stupid enough to use same password elsewhere, he will have his lesson.
and if hacker get database it really doesn't matter if he will just read a password or break a hash using botnet.

Anyway in my opinion hashing is useless.
Waste cpu clocks, and can be hacked.

#4
WingedPanther

    A spammer's worst nightmare

  • Moderators
  • 16,831 posts
h4x, I'm glad you aren't writing any web apps. What you've just said here is profoundly ignorant. MD5 is not a good choice for storing passwords, but SHA-512 is.

#5
Guest_h4x_*
  • Guests

Quote

h4x, I'm glad you aren't writing any web apps.
ya sure?
what makes you think i don't own all websites you use every day^^

Quote

What you've just said here is profoundly ignorant.
and you lack any imagination. and reason.
what's the point of hashing pass?
if someone gets it so he will be unable to use it.
ok, but how does someone get this password? he will either get into your system, or make sql injection.
oh wait, sometimes cookie also hold the hash, so add xss to the list.
if i get into system, i can do pretty much.
like adding php code to write into file password of every user when they login.
if i can use sql injection we have 3 scenarios.
mssql - look previous scenario
pgsql - i can replace admin hash (saving old), go to panel, probably escalate from there to replacing php file or adding script to site.
mysql - if well configured, i can only read hash. okay i would have problems here, but i might think of solution. or crack hash.


no matter what hash u use, it's useless!
password must be either encrypted, or not protected at all.
by encryption i mean:
asymmetric
key stored by client
encrypted pass stored in database

but anyway, what's the point.
unique password for 1 web and ur safe.
you all show ignorance, every time i'm getting into someone's server and get passwords (one way or another) i'm overwhelmed with all emails which i can use to access many many more.
well, good luck, and don't forget!
i'm

Quote

profoundly ignorant.


#6
TkTech

    The Crazy One

  • Moderators
  • 1,396 posts

Quote

what makes you think i don't own all websites you use every day

Because you're a genuine moron.

#7
WingedPanther

    A spammer's worst nightmare

  • Moderators
  • 16,831 posts
If you can crack a SHA-512 hash, I'll be very impressed. Anyone who passes the hash of a user's password in a cookie is an idiot.

#8
Guest

    Writes binary right handed and hex left handed

  • Members
  • 3,414 posts
Also, it is much more secure if you salt your hashes. (Usually with a random salt)
That makes rainbow tables useless.
Root Beer == System Administrator's Beer
Download the new operating system programming kit! (some assembly required)
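
The salting point made in post #8, as an added example that is not part of the original thread: it stores the same password for two users as bare SHA-512 and as a salted PBKDF2-HMAC-SHA512 hash, then checks both stores against a precomputed digest table. The function names, sample users, candidate list and iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

ITERATIONS = 100_000  # assumed work factor, chosen for this example only


def unsalted_sha512(password: str) -> str:
    """Bare SHA-512: the same password always gives the same digest."""
    return hashlib.sha512(password.encode()).hexdigest()


def precomputed_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Digest -> password map, built once and reusable against any unsalted store."""
    return {unsalted_sha512(c): c for c in candidates}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt plus PBKDF2-HMAC-SHA512; store both values."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def compare_stores() -> Dict[str, object]:
    # Constructed sample data: two users who picked the same password.
    users = {"alice": "sunshine1", "bob": "sunshine1"}
    table = precomputed_table(["letmein", "sunshine1", "qwerty"])

    unsalted = {u: unsalted_sha512(p) for u, p in users.items()}
    salted = {u: hash_password(p) for u, p in users.items()}

    return {
        "unsalted_hits": {u: table.get(h) for u, h in unsalted.items()},
        "salted_hits": {u: table.get(d.hex()) for u, (_, d) in salted.items()},
        "same_unsalted_digest": unsalted["alice"] == unsalted["bob"],
        "same_salted_digest": salted["alice"][1] == salted["bob"][1],
        "login_ok": verify_password("sunshine1", *salted["alice"]),
        "login_bad": verify_password("sunshine2", *salted["alice"]),
    }
```

With the salt stored next to each digest, a table has to be rebuilt per user instead of once for the whole database, and identical passwords no longer show up as identical rows.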

#9
TcM

    Writes binary right handed and hex left handed

  • Members
  • 11,147 posts
I agree.

h4x seems like another Methodz person lol (if I remember that nickname properly) then just gets banned lool

#10
MeTh0Dz

    Writes binary right handed and hex left handed

  • Members
  • 2,119 posts

TcM said:

I agree.

h4x seems like another Methodz person lol (if I remember that nickname properly) then just gets banned lool

He seems nothing like me actually, but thanks. He is claiming that hashing is worthless which makes zero sense.

#11
TkTech

    The Crazy One

  • Moderators
  • 1,396 posts
h4x is nothing like meth0dz, who, while stubborn, was not a complete and utter moron. Although, I have had the pleasure of banning both h4x and meth0dz on separate occasions >:3

#12
TcM

    Writes binary right handed and hex left handed

  • Members
  • 11,147 posts
Ban Hammer strikes Again.. lool