Thread: Passwords
Old 06-09-2010, 06:44 AM   #11
silvarilon
Re: Passwords

I haven't been keeping up with the field, but off the top of my head I'd mention LanMan hashing, which is what older versions of Windows used for user passwords. It's a DES cypher, but has weaknesses that allow it to be reversed. So not secure.

But that was discovered a while ago. Newer versions of Windows have it turned off by default. Which is what I mean by weaknesses being found but getting fixed "behind the scenes." And yes, this was discovered many years ago. I just haven't been keeping up to date, and because of the significance of LanMan it stuck in my mind.

Looking for something more recent, I easily find reference to MD5 weaknesses that allow you to create false domain certificates (and I note that MD5 is a popular hash that is still in use).
But you knew MD5 had weaknesses, as you mentioned yourself.

Well, they can be exploited in various ways. But you're right, it's taken a long time for any significant weaknesses to be found. But that's the reason that MD5 is in such common usage. The algorithms that quickly have problems don't make it into such widespread circulation.

I'm not saying *all* hashes have weaknesses. I'm just saying that new weaknesses to hashes are being found with surprising regularity. And I *did* say that most of the weaknesses were subtle and hard to exploit.

Mmmm, I did. I made that comment more for the people that might think a statement like "there are weaknesses found" means that their passwords will all be grabbed and the sky will fall.

Hashing is an important part of password management, but whether weaknesses in the hashes are important depends on what the attacker is doing. And you're right that in most cases, even if there is a weakness, the attacker won't be able to do anything significant with that weakness.

Aha! Yes, we were looking at the search spaces differently. I was looking at the search spaces in all cases as standard brute force guessing.

Once we add dictionaries, then it's different. But if we're looking at the search space of dictionary attacks, well... your password isn't going to come up in it at all.

Yes, if we look at dictionary words, and add special characters to the end, then the search space is significantly reduced.

I was misunderstanding how you were calculating the search space.

Until quantum computers arrive, it's not going to change significantly.
Last I heard, quantum computing managed to linearly find the roots of 15. Sure, we can all do that in our heads, but if they can manage to scale that to linearly find the roots of arbitrary numbers, then the entire foundations of modern cryptography will have to be rethought. Until that day, though, I doubt we'll see any real change.

About the most exciting thing to happen was PGP, and even that's old news now...
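Added illustration, not part of the post above: the two points the poster makes (LanMan's weakness and the difference between a brute-force and a dictionary-plus-suffix search space) can both be put in numbers. The code models the LanMan pre-processing (uppercase, pad to 14 bytes, split into two independently hashed 7-byte halves) and compares search-space sizes; the alphabet sizes, the 100,000-word dictionary and the guess rate are constructed assumptions, and only ASCII passwords are modelled.

```python
import math

PRINTABLE = 95             # printable ASCII characters
LM_CHARSET = 26 + 10 + 33  # LM uppercases letters first, leaving 69 distinct symbols
DIGITS_SYMBOLS = 10 + 33   # alphabet for an appended "special character" suffix


def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Model the LanMan pre-processing step: uppercase, truncate/pad to 14
    bytes, split into two 7-byte halves that are hashed independently.
    (ASCII-only model; real LM used the OEM code page.)"""
    padded = password.upper().encode("ascii")[:14].ljust(14, b"\x00")
    return padded[:7], padded[7:]


def brute_force_space(length: int, alphabet: int) -> int:
    """Guesses needed to exhaust every string of exactly `length` characters."""
    return alphabet ** length


def lm_effective_space() -> int:
    """Because the halves are hashed separately, an attacker runs two
    independent 7-character searches over 69 symbols, not one 14-character
    search over 95 symbols. A password of 7 or fewer characters leaves the
    second half all padding, which hashes to a constant and reveals its length."""
    return 2 * brute_force_space(7, LM_CHARSET)


def dictionary_suffix_space(dictionary_size: int, suffix_len: int) -> int:
    """Dictionary word followed by zero to `suffix_len` digits/symbols."""
    return dictionary_size * sum(DIGITS_SYMBOLS ** k for k in range(suffix_len + 1))


def bits(space: int) -> float:
    """Search space expressed as bits of work."""
    return math.log2(space)


def days_to_exhaust(space: int, guesses_per_second: float) -> float:
    return space / guesses_per_second / 86400


if __name__ == "__main__":
    rate = 1e9  # constructed guess rate: one billion guesses per second
    cases = {
        "14-char printable, full hash": brute_force_space(14, PRINTABLE),
        "14-char printable, LanMan": lm_effective_space(),
        "8-char printable brute force": brute_force_space(8, PRINTABLE),
        "100k-word dictionary + 2 suffix chars": dictionary_suffix_space(100_000, 2),
    }
    for name, space in cases.items():
        print(f"{name:40s} {bits(space):6.1f} bits  {days_to_exhaust(space, rate):.3g} days")
```

The 14-character LanMan case comes out smaller than an 8-character brute force over the full printable alphabet, which is the "reversible" weakness the post refers to in concrete terms.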