On Mon, Jun 19, 2017 at 08:02:28AM -0700, stan wrote:
> > That works as long as the website isn't hacked. If it is, even if the
> > passwords are hashed (which they often aren't), the hash can be
> > cracked if the password is weak.
> How? Don't the attackers have to know the password hashing algorithm to
> do that? If they have enough penetration into the system to know that,
There are only a handful of commonly-used cryptographically-secure
hashes which are likely to be used, and they're relatively easy to
narrow down simply by looking at length. Or, if they're stored like
they are in /etc/shadow, the entire string actually includes an
identifier for the hash.
If the passwords are hashed in a non-standard way or with some made-up
thing... there's probably something wrong that a skilled attacker can
exploit. (Rule one of crypto: don't write your own crypto.)
--
Matthew Miller
<mattdm(a)fedoraproject.org>
Fedora Project Leader
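
The point made in the reply above, that a stored hash gives away its scheme through its length or its /etc/shadow-style identifier, shown from the defender's side as a credential-store audit. This is an added example, not part of the original message; the lookup tables, the `WEAK` policy set and the sample values in the test are assumptions constructed for illustration.

```python
import re

# crypt(3) modular-format identifiers, as found in /etc/shadow-style fields.
CRYPT_IDS = {
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt",
    "argon2id": "argon2id",
}

# Bare hex digests carry no identifier; length only narrows the candidates.
HEX_LENGTHS = {
    32: ["MD5", "NTLM (MD4)"],
    40: ["SHA-1"],
    64: ["SHA-256", "SHA3-256"],
    128: ["SHA-512", "SHA3-512"],
}

# Identified schemes that an audit should still flag (assumed local policy).
WEAK = {"md5crypt"}


def classify(stored):
    """Return (kind, candidates, flag) for one stored credential field.

    flag is True when the value should be reviewed or migrated.
    """
    m = re.match(r"^\$([0-9a-z]+)\$", stored)
    if m:
        name = CRYPT_IDS.get(m.group(1))
        if name is None:
            # Self-describing format, but an identifier this table lacks.
            return ("unknown-id", [], True)
        return ("crypt", [name], name in WEAK)
    if re.fullmatch(r"[0-9a-fA-F]+", stored) and len(stored) in HEX_LENGTHS:
        # Unsalted fast digest: crackable offline if the password is weak.
        return ("bare-hex", HEX_LENGTHS[len(stored)], True)
    # Non-standard or home-grown storage: needs a manual look.
    return ("unrecognized", [], True)


def audit(rows):
    """rows: iterable of (user, stored). Return the users that were flagged."""
    return [user for user, stored in rows if classify(stored)[2]]
```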