Skip to content
January 26, 2010 / zlost

Limitations of Hashing

Don’t Hash Secrets (via). Informative, accessible article that sketches the limitations of hashing, even with a salt.

I’d like to add a few annotations:

An attacker can build up a huge dictionary of hashed passwords just once, and, when he breaks into your web site, check the hashes against this pre-built dictionary.

This set of pre-computed passwords is often referred to as a rainbow table. As the article stated, salting complicates such an attack.

But it’s going to be darn hard for you to find any other document, big or small, that hashes to the same 30 characters.

[…]

In fact, you can try something that should be easier: rather than find another document that hashes specifically to those 30 characters that represent your baby, you can go looking for any two documents that happen to hash to the same thing (collide). And you won’t find any such pair. Promised. We call that “collision resistance”.

More specifically, the first paragraph refers to weak collision resistance, and the second refers to strong collision resistance. If a hash function has the property of strong collision resistance, this implies that it also has weak collision resistance, but not the other way around. In some (most?) applications, including storing passwords, weak collision resistance is sufficient. So it’s worth thinking twice before throwing out your favorite hash function (SHA1) if (when) someone breaks strong collision resistance on it.

Advertisements

One Comment

Leave a Comment
  1. phone internet / Jul 19 2013 6:08 am

    If you are going for best contents like I do, just visit this website all the
    time since it offers feature contents, thanks

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: