[ale] unsalted hashes of 6 million linkedin passwords published on the internet

Stephen Haywood stephen at averagesecurityguy.info
Fri Jun 8 09:16:12 EDT 2012


> I guess I don't quite see this.  If the salt is invariably stored with
> the hash this sounds a bit like claiming base64 is a form of encryption.
> The only way I can make sense of this is if the encoding of or
> association between the salt and hash is somehow a system secret.  Or if
> you don't know the hashes are salted.  Am I missing something?
>

If the passwords were salted then I wouldn't be able to hash the
password "password" and test it against all 6.5 million hashes. I
would have to hash the word "password" with the salt and test it
against the first hash. Then I would have to hash the word "password"
with the next salt and test it against the next hash. This
exponentially increases the work necessary to crack the 6.5 million
passwords. If someone were targeting a single password then it would
make no difference.


-- 
Stephen Haywood
Information Security Consultant
CISSP, GPEN, OSCP
T: @averagesecguy
W: averagesecurityguy.info
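
To make the work-factor argument above concrete, here is an added example; it is not part of the original post or the ALE thread. It builds a constructed four-user table (names, passwords and the wordlist are all made up for illustration), stores it once unsalted and once with a random per-user salt, and counts how many SHA-1 computations are needed to run the same short wordlist against each store. The unsalted store needs one hash per candidate word, because one digest can be looked up against every stored hash at once; the salted store needs one hash per (candidate, record) pair, i.e. N times as many for N records, and for a single record the two counts are identical.

```python
import hashlib
import os

# Constructed sample data for the demonstration (not real leaked data).
SAMPLE_PASSWORDS = {
    "alice": "password",
    "bob": "hunter2",
    "carol": "password",
    "dave": "correcthorsebatterystaple",
}
WORDLIST = ["123456", "password", "letmein", "hunter2"]


def sha1_hex(data: bytes) -> str:
    """Unsalted SHA-1, the construction the leaked hashes used."""
    return hashlib.sha1(data).hexdigest()


def build_unsalted_store(users):
    """user -> sha1(password)"""
    return {user: sha1_hex(pw.encode()) for user, pw in users.items()}


def build_salted_store(users, salt_len=16):
    """user -> (salt_hex, sha1(salt || password)); salt is stored in the clear."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(salt_len)
        store[user] = (salt.hex(), sha1_hex(salt + pw.encode()))
    return store


def crack_unsalted(store, wordlist):
    """Hash each candidate once, then look it up against every stored hash.
    Returns (user -> recovered password, number of hash computations)."""
    by_hash = {}
    for user, h in store.items():
        by_hash.setdefault(h, []).append(user)
    found = {}
    hash_ops = 0
    for word in wordlist:
        hash_ops += 1
        digest = sha1_hex(word.encode())
        for user in by_hash.get(digest, []):
            found[user] = word
    return found, hash_ops


def crack_salted(store, wordlist):
    """Each stored salt forces a fresh hash of every candidate for that record.
    Returns (user -> recovered password, number of hash computations)."""
    found = {}
    hash_ops = 0
    for word in wordlist:
        for user, (salt_hex, h) in store.items():
            hash_ops += 1
            if sha1_hex(bytes.fromhex(salt_hex) + word.encode()) == h:
                found[user] = word
    return found, hash_ops


if __name__ == "__main__":
    found_u, ops_u = crack_unsalted(build_unsalted_store(SAMPLE_PASSWORDS), WORDLIST)
    found_s, ops_s = crack_salted(build_salted_store(SAMPLE_PASSWORDS), WORDLIST)
    print("unsalted:", ops_u, "hashes, recovered", sorted(found_u))
    print("salted:  ", ops_s, "hashes, recovered", sorted(found_s))
    # One target record: salting changes nothing about the work.
    single = {"alice": SAMPLE_PASSWORDS["alice"]}
    print("single salted target:", crack_salted(build_salted_store(single), WORDLIST)[1])
```

Scaling the constructed table to the 6.5 million records in the dump, the unsalted run still costs one hash per wordlist entry, while the salted run costs 6.5 million hashes per wordlist entry; the only thing that stays constant is the cost of going after one chosen account.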
