As studied in class, passwords are stored in hashed form, using particular cryptographic one-way hash functions. This functions are easy to compute but infeasible to invert: given a hash z there’s no efficient algorithm to find a message m such that h(m) is z. Popular one-way hash functions are: sha1, sha2, md5.
Note: sha1 and md5 has been recently shown to be vulnerable to collision attacks. Collision resistance is a different property than being one-way. So, such attacks, are not problematic for what concerns password security.
It is easy to hash passwords “by hand” from the linux shell:
$ echo -n 'pwd' | md5sum | tr -d ' -' 9003d1df22eb4d3820015070385194c8
Explanation:
echo -n 'pwd'
printspwd
omitting the trailing newline;| md5sum
takes the output of previous command and computes md5 hash on it;| tr -d ' -'
removes the trailing' -'
produced bymd5sum
, leaving just the hash
Exercise 1
- Try yourself with other passwords
- Try to run the single commands to see what happens
- Compute the md5 hash of the md5 hash of
let_me_go_to_the_next_level
. In other words compute md5(md5(let_me_go_to_the_next_level
)) . This will give you the password for task 2!