Password Hashing
-
I am a newbie studying for the A+ and I was wondering why password length matters with password hashing if the algorithm creates a fixed length hash regardless?
Thanks in advance!
-
@Morgan-Terveer great question, let's help you out with this.
I have created some hash values (or message digests) from a very common and weak password using a website called: https://www.fileformat.info/tool/hash.htm (I encourage you to use it to test out the concepts in this thread).
The password (text string) that I am going to feed into the hashing algorithm is "P@ssw0rd" (that is a zero). Here are the results:
- P@ssw0rd = SHA 160: 21bd12dc183f740ee76f27b78eb39c8ad972a757
- P@ssw0rd = SHA 256: b03ddf3ca2e714a6548e7495e2a03f5e824eaac9837cd7f159c67b90fb4b7342
- P@ssw0rd = SHA 384: 452dce44057d476ddc14b6515be68b345aae8adc96f9511e36421e9daf5f79389ab08b9e9b62a147718941bca6e312dd
- P@ssw0rd = SHA 512: dc8305c09db9c1674ac616bd5c7422a45fbb6d0816ac163047c47a1f426f4f4c6b5b5042c671eabc4fdc7310fd5b183eef59dc274604
If you use the same hashing algorithms I referenced, you should get exactly the same results. Note how the fixed length strings get larger as you utilize stronger hashing algorithms (160 vs. 256 vs. 384 vs. 512). That is important when using a hashing algorithm as this produces:
- Larger fixed length values
- Greater range of unique values
- Harder to determine any discernible patterns
As for your question as to why we care about password complexity and length, with these conditions in place the likelihood of uniqueness is greater. Notice that the list above is generated from a common password. You will generate the exact same values using P@ssw0rd. The threat actors in the world have these massive lists of hashes (fixed length values) that stem from common passwords and run them against a system to try and gain access (automated password cracking software).
When a password follows a few characteristics or attributes such as:
- Complexity - use all character sets (uppercase/lowercase, numbers and special characters)
- Length - More characters can exponentially increase the computational power required to break the password.

This increases the likelihood that the hash values generated from the password will be unique. When this is accomplished, it also increases the likelihood that the hash value will not be in these large lists of password hashes, giving the system a greater defense against password-based attacks.
-
To continue, note that this next block of hash values were created by simply adding a "!" to the end of the password used earlier or P@ssw0rd! (remember that there is a zero):
- P@ssw0rd! = SHA 160: 076d3e6c4b9f654b5b220b9045b7458ab6b4cbc6
- P@ssw0rd! = SHA 256: 0e44ce7308af2b3de5232e4616403ce7d49ba2aec83f79c196409556422a4927
- P@ssw0rd! = SHA 384: 4339855eb64e55fa3115e1f2349825c99f2826e98e3f93b6c5d4dbd627de5ef34dbc4c64cb5ca8c35d61d260491a19ac
- P@ssw0rd! = SHA 512: 9a585872fc4a94ba2fe0f7e9625bcfccc1050dab20b56df35a1c8915a3d8325616c0172284c2f4fe9471667c9c4f1fbdc0d371684caee74cdf9d39d82383a383
Notice how, with the addition of a single character, every hash value is different, BUT is it unique? In this case, most likely it is not. However, if I have a strong password, for example:
A5d^mZ9sED975sj (created with a secure password generator)
You can see in this password there is:
- All character sets - uppercase/lowercase, numbers and special characters
- 15 character length
This password has a greater likelihood of being unique, which is the goal.
We also add
- Password Age - to make sure that after a certain amount of time, you have to change the password.
- Password History - to make sure that passwords cannot be reused, when a password change is required.
All of these attribute requirements for password construction are enforced with policy to help to ensure that passwords are unique. I hope this helps and look forward to hearing from you.
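As an added example (not part of this thread or of the fileformat.info tool), the Python script below reproduces the points above with the standard library: the digest length is fixed per algorithm whatever the input, adding one character changes the whole digest, the candidate space grows exponentially with length, and a short common password is found in a precomputed hash list while the generated 15-character one is not. The list of "common passwords" is constructed for the demonstration; the passwords are the ones used in the thread.

```python
import hashlib
import math

# Constructed inputs: the passwords discussed in the thread above.
PASSWORDS = ["P@ssw0rd", "P@ssw0rd!", "A5d^mZ9sED975sj"]
ALGORITHMS = ["sha1", "sha256", "sha384", "sha512"]  # "SHA 160" above is sha1
PRINTABLE_ASCII = 95  # upper, lower, digits and symbols: "all character sets"

def hex_digest(algorithm: str, password: str) -> str:
    """Hex digest of the password under the named hashlib algorithm."""
    return hashlib.new(algorithm, password.encode("utf-8")).hexdigest()

def digest_lengths(password: str) -> dict:
    """Hex-digest length per algorithm; identical for any input length."""
    return {alg: len(hex_digest(alg, password)) for alg in ALGORITHMS}

def differing_hex_chars(algorithm: str, a: str, b: str) -> int:
    """Hex positions where the digests of a and b differ (avalanche effect)."""
    da, db = hex_digest(algorithm, a), hex_digest(algorithm, b)
    return sum(x != y for x, y in zip(da, db))

def keyspace_bits(length: int, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """log2 of the number of candidate passwords of this length and alphabet."""
    return length * math.log2(alphabet_size)

def build_lookup(common_passwords, algorithm: str = "sha256") -> dict:
    """Digest -> plaintext table for a list of common passwords. A defender uses
    the same kind of table to reject a new password whose hash is already known."""
    return {hex_digest(algorithm, p): p for p in common_passwords}

def known_password(table: dict, password: str, algorithm: str = "sha256"):
    """Return the matching plaintext if the password is in the precomputed table."""
    return table.get(hex_digest(algorithm, password))

if __name__ == "__main__":
    for pw in PASSWORDS:
        print(pw, digest_lengths(pw))
    print("hex chars changed by adding '!':",
          differing_hex_chars("sha256", "P@ssw0rd", "P@ssw0rd!"), "of 64")
    print("keyspace bits, 8 vs 15 chars:", keyspace_bits(8), keyspace_bits(15))
    table = build_lookup(["password", "P@ssw0rd", "123456"])  # constructed list
    for pw in ("P@ssw0rd", "A5d^mZ9sED975sj"):
        print(pw, "->", known_password(table, pw))
```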
-
@wes-bryan Thank you for taking the time for the explanation and thank you for your awesome courses. Because of your INSANE knowledge, I just passed both tests for my A+. 6 weeks ago I knew absolutely nothing about computers and now I am looking for IT jobs. You guys are awesome and I'm so glad I found ITproTV. I can't wait to start my security+ class next
Thanks again,
Morgan
-
@Morgan-Terveer thank you for the kind words, you can reach out to me at any time!