Posts

Showing posts from March, 2010

Seasoned Authentication

Image
Lots of systems that employ user authentication obscure users' passwords using a hashing routine such as MD5 or SHA1, which produce hash strings of 32 or 40 characters respectively. These hashing algorithms are one-way only, so although the MD5 of 'My Password' is '14ddb8585ddfc6c4670b9c18aed1fe8b', there is no way to return 'My Password' by running code against '14ddb8585ddfc6c4670b9c18aed1fe8b'. However, most users do not use particularly secure passwords, so if a cookie containing a hashed password is stolen, the thief may be able to bombard the hash with the MD5 hashes of dictionary words in order to find one that matches. MD5 runs extremely quickly, and a modern computer can perform millions of these comparisons every second. Rainbow Tables Even if users use secure passwords, it is possible to work out what the original password may have been by using a rainbow table . This is look-up table that store the hashed values of vast numbers of plain-