Code Project
short passwords

The Lounge
Tags: com, data-structures, cryptography
13 Posts 10 Posters 0 Views 1 Watching
  • R raddevus

    I'm signing up for an Autocad (Eagle software) account and I am warned about my password (being too long because mine is 64 chars): https://i.stack.imgur.com/99w35.png[^] :| But, then, everyone wonders why so many accounts are hacked. :sigh: I don't. At least this one allows 50. Many only allow 15. And, I still don't understand why this would matter if the password is hashed and the company only stores the hash anyways. They shouldn't care how long the password is at all since they would throw it away anyways.

    PIEBALDconsult
    #4

    Paraphrased from a short-lived sit-com (circa 1983)... "I once had a colleague whose password was the names of the twelve apostles in reverse alphabetical order... poor fool was always the last to know anything."

    • R raddevus


      Lost User
      #5

      raddevus wrote:

      > They shouldn't care how long the password is at all since they would throw it away anyways.

      No, they'd save a hash. And those are usually fixed in length.

      Bastard Programmer from Hell :suss: "If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.

      • R raddevus


        H Brydon
        #6

        They wouldn't store the password but a (fixed size, hopefully long enough) hashed version of it. If the hash is shorter than a "really long" password such as yours, then there will be guaranteed collisions. A brute force strategy would find (possibly multiple) valid password(s) that you did not intend. So in one sense, you are correct that they shouldn't care about password length - longer passwords weaken the answer. But that somewhat becomes your problem not theirs. In the big picture, users of that website should be concerned more about the hash length, but users are rarely privy to that info.

        If pigs could fly, just imagine how good their wings would taste! - Harvey

        • H H Brydon


          harvyk0
          #7

          H.Brydon wrote:

          > If the hash is shorter than a "really long" password such as yours, then there will be guaranteed collisions

          Yeah, this is not a concern. The issue with collisions has to do with whether you can force a collision. So for instance, it's possible to create two completely different PDF documents, both of which come up with the same MD5 hash. Obviously this is a problem if using an SSL certificate. But with a password, hashed with a current secure hash, you've got as much chance of finding a valid collision with "Password" as you do with "GuessThisReallyLongPassword".

          • R raddevus


            Member 9167057
            #8

            My passwords are about a dozen characters long (note how I said "characters", not "letters") and didn't get hacked in either way. Length is nice, yes, but it's not everything.

            • H harvyk0


              Lost User
              #9

              Would collisions still occur with salted hashes? It's my understanding that all password hashes 'should' be salted.

              • L Lost User


                harvyk0
                #10

                Salting is something different. The issue is that without salting (aka adding some random data into the password), it's very easy to reverse hashed but not salted passwords back to plain text using things like rainbow tables. It also stands out if anyone gets hold of the password hashes if default passwords have been used. For example, if you see every third account stating its password is "B2E98AD6F6EB8508DD6A14CFA704BAD7F05F6FB1" it doesn't take long to realise that every user has entered the same password. In this case Password123. If you want to see a rainbow table in action, do a google search for it, and enter in the above hash and you'll see what I mean. (I won't provide a link, because like all cracking websites, I would suggest being very careful using it, and I'm not willing to post a URL that turns out to be bad). As far as I know, salts can be stored safely with the hash (although I'm all ears if a security person wants to tell me otherwise).

                Edit - just to answer the actual question: yes, collisions are still technically possible with salted hashes. But again it's not whether a collision is technically possible, but rather whether there is a known way you can cause a collision with two different pieces of data.

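Two threads of this discussion can be seen in a few lines of code: the fixed-length hash question raised by H Brydon and harvyk0 in #6 and #7 (a 64-character password and an 8-character one produce digests of exactly the same size, and the password itself is never stored), and the salting question answered in #9 and #10 (without a per-user salt, every account that chose the same password stores the same digest, which is the "every third account" tell; with a per-user salt the digests differ even though verification still works). This is an added example, not code from the thread or from any of the posters. It assumes PBKDF2-HMAC-SHA256 with a 16-byte random salt as the password hash; the stored record format `pbkdf2_sha256$iterations$salt$digest`, the function names and the sample passwords are constructed for this example.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Iterable, Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 with a 16-byte random
# per-user salt and a 32-byte output. Any deliberately slow password hash
# (scrypt, bcrypt, Argon2) serves the same purpose.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a stored record 'pbkdf2_sha256$iterations$salt_hex$digest_hex'.

    A fresh random salt is generated unless the caller supplies one (the demo
    passes a fixed salt to imitate an unsalted deployment). The digest is always
    DIGEST_BYTES long whatever the password length; the password is not kept.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=DIGEST_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations),
                                        dklen=DIGEST_BYTES)
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record: wrong field count or bad hex/int
        return False


def digest_of(record: str) -> str:
    """Extract the digest field so its length can be inspected or compared."""
    return record.split("$")[3]


def accounts_sharing_a_digest(records: Iterable[str]) -> int:
    """Count accounts whose stored digest equals another account's digest.

    Without a per-user salt, every account with the same password stores the
    same digest; that is visible to whoever holds the table before any
    password has been recovered. With per-user salts the count is zero.
    """
    counts = Counter(digest_of(r) for r in records)
    return sum(n for n in counts.values() if n > 1)


if __name__ == "__main__":
    short = hash_password("Password")           # constructed sample password
    long_ = hash_password("a" * 64)             # constructed 64-character password
    print("digest length (hex chars):", len(digest_of(short)), len(digest_of(long_)))

    # Three accounts, same password, one site-wide salt: identical digests.
    shared_salt = b"\x00" * SALT_BYTES  # constructed: stands in for "no salt"
    unsalted = [hash_password("Password123", salt=shared_salt) for _ in range(3)]
    print("identical digests without per-user salt:", accounts_sharing_a_digest(unsalted))

    # The same three accounts with a fresh random salt each: all different.
    salted = [hash_password("Password123") for _ in range(3)]
    print("identical digests with per-user salt:", accounts_sharing_a_digest(salted))
    print("verify right/wrong:", verify_password("Password123", salted[0]),
          verify_password("Password", salted[0]))
```

The salt is stored in the clear next to the digest, as harvyk0 supposes; its job is only to make each account's hash computation unique, not to be secret. The record also carries the iteration count, so the cost can be raised for new accounts without breaking verification of old ones.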
                • R raddevus


                  MichaelLuna
                  #11

                  It really doesn't matter; a phishing trip is more likely the attack vector.

                  • M MichaelLuna


                    Bob work
                    #12

                    How 'bout a password created from characters not on the keyboard? ¬└┴─╞σ¶§¶¬•♀⌐ÅÆôæ Unicode character [codes] based on significant dates, phone numbers, or lottery tickets - easy to remember. Press the alt key, enter the char code... Makes the character pool much larger for brute force attacks. But I think the only real way to make brute force or dictionary attacks unfeasible is a built-in delay, either in each attempt, or a lockout after a preset number of failed attempts. A thousand bots trying a thousand times a second are much more likely to find a password (or hash collision) than only being able to try three times, and then having to wait 30 minutes to try the next. I agree with you - phishing and social engineering are much more likely attack vectors these days.

                    -Bob

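Bob's lockout idea, shown as an added example rather than anything posted in the thread: a per-account throttle that refuses further attempts for 30 minutes once three consecutive guesses have failed, without even evaluating the password while the lock is active. The three-strike and 30-minute figures come from his post; the class, the method names and the injectable clock (so the expiry can be exercised without sleeping) are this example's own construction.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class _AccountState:
    failures: int = 0          # consecutive failures since last success or lockout
    locked_until: float = 0.0  # clock value at which the current lockout expires


class LoginThrottle:
    """Lock an account after max_failures consecutive bad attempts.

    While locked, the password is not evaluated at all, so each guess made
    during the lock costs the guesser the whole lockout period rather than one
    hash computation.
    """

    def __init__(self, max_failures: int = 3, lockout_seconds: float = 30 * 60,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._accounts: Dict[str, _AccountState] = {}

    def _state(self, account: str) -> _AccountState:
        return self._accounts.setdefault(account, _AccountState())

    def is_locked(self, account: str) -> bool:
        return self.clock() < self._state(account).locked_until

    def attempt(self, account: str, check_password: Callable[[], bool]) -> str:
        """Run one login attempt; returns 'locked', 'ok' or 'failed'."""
        state = self._state(account)
        now = self.clock()
        if now < state.locked_until:
            return "locked"  # refused before the password is consulted
        if check_password():
            state.failures = 0
            return "ok"
        state.failures += 1
        if state.failures >= self.max_failures:
            state.failures = 0
            state.locked_until = now + self.lockout_seconds
        return "failed"

    def max_guesses_per_hour(self) -> float:
        """Upper bound on online guesses the policy permits against one account."""
        return self.max_failures * 3600.0 / self.lockout_seconds


class FakeClock:
    """Manually advanced clock so lockout expiry can be tested without waiting."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def run_scenario() -> List[str]:
    """Constructed scenario: three wrong guesses, then the right password while
    still locked, then the right password again after the lock expires."""
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=3, lockout_seconds=30 * 60, clock=clock)
    correct = "correct-password-for-demo"  # constructed credential
    outcomes = []
    for guess in ["wrong1", "wrong2", "wrong3"]:
        outcomes.append(throttle.attempt("alice", lambda: guess == correct))
    outcomes.append(throttle.attempt("alice", lambda: True))  # right, but locked
    clock.advance(30 * 60)
    outcomes.append(throttle.attempt("alice", lambda: True))  # lock has expired
    return outcomes


if __name__ == "__main__":
    print(run_scenario())
    print("guesses per hour under 3 / 30 min:", LoginThrottle().max_guesses_per_hour())
```

With these settings an online guesser gets at most six tries per hour against one account, against the "thousand times a second" Bob contrasts it with. The trade-off a practitioner should keep in mind is that a hard lockout lets anyone who knows a username lock its owner out, which is why a growing per-attempt delay is often preferred or combined with it, as Bob's "either ... or" allows.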
                    • R raddevus


                      Martin ISDN
                      #13

                      > They shouldn't care how long the password is at all since they would throw it away anyways.

                      They shouldn't care how short it is either.
