Password -> H(password) -> A string of fixed length
Hash Functions & Threats
– We assume a one-way property for hash functions: the hash can be computed from the password, but not the reverse
– If we know common passwords, we can compute their hashes in advance and match them against stored values
– For dictionary and offline attacks, the attacker holds the hash values and has plenty of time to test for matches
Brute Force Guessing of Passwords
– Publicly available software can do 10^8 MD5 hashes/sec on a GPU
– Six random characters drawn from upper case, lower case and digits gives 62^6 possible passwords, about 10 minutes at that rate
– Eight random characters increases the search to about six days
Passwords are not really random
To reduce the work required for a brute force attack, an attacker can:
– Try the popular passwords first
– Create a rainbow table (precomputed hashes of candidate passwords)
Salting defeats precomputed tables, because the same password hashes differently for every user:
– Add a random salt before hashing
– Store the salt with the hashed value
– Check by hashing the typed password with the stored salt and comparing
Brute Force Guessing of Passwords
Stored password record: User ID, Salt, Hash code
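The following is an added example, not from the original slides: it builds the (User ID, Salt, Hash code) record described above, verifies a typed password against it, and reproduces the slide's brute-force timing arithmetic. SHA-256 is used in place of the unspecified H, and the 16-byte salt length is an assumption.

```python
import hashlib
import hmac
import os

CHARSET_SIZE = 62   # upper case + lower case + digits, as on the slide
GPU_RATE = 10**8    # hashes per second quoted on the slide


def brute_force_seconds(length, charset=CHARSET_SIZE, rate=GPU_RATE):
    """Seconds needed to try every password of the given length at the given rate."""
    return charset ** length / rate


def hash_password(password, salt):
    """H(salt || password) -> fixed-length hex string (SHA-256 stands in for H)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def create_record(user_id, password):
    """Build the stored record: user ID, random salt, and hash of salt + password."""
    salt = os.urandom(16)  # assumed salt length; the slides do not specify one
    return {"user_id": user_id, "salt": salt.hex(), "hash": hash_password(password, salt)}


def verify_password(record, typed_password):
    """Re-hash the typed password with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hash_password(typed_password, salt)
    return hmac.compare_digest(candidate, record["hash"])


def salt_defeats_precomputation(password):
    """Two users with the same password get different hashes, so one
    precomputed table cannot match both records."""
    a = create_record("alice", password)
    b = create_record("bob", password)
    return a["hash"] != b["hash"]


if __name__ == "__main__":
    print("62^6 search:", brute_force_seconds(6) / 60, "minutes")
    print("62^8 search:", brute_force_seconds(8) / 86400, "days")
    rec = create_record("alice", "correct horse")   # constructed sample credentials
    print("login ok:", verify_password(rec, "correct horse"))
    print("wrong password rejected:", not verify_password(rec, "wrong"))
```

The 62^8 figure comes out at roughly 25 days at 10^8 hashes/sec; the slide's "about six days" implies a higher aggregate rate, so treat the rate as the parameter to adjust.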