Regarding the reference to Ximenean - I'm in that camp and it's a good one
"I didn't mention the bats - he'd see them soon enough" - Hunter S Thompson - RIP
I'm reworking a series of books for Russian children – starting with "Winnie the Putin".
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
AntiTwitter: @DalekDave is now a follower!
... and the Capitalist Piglet
... and the Tigger Tanks on the Eastern front
GCS d--(d+) s-/++ a C++++ U+++ P- L+@ E-- W++ N+ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
I don't know if you vodka about this, but I think I Tzar that in a bookstore.
By the way, do you know where Moscow is? Right next to Pa's cow.
Ravings en masse^
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein
"If you are searching for perfection in others, then you seek disappointment. If you seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010
And the Russian history book
“In Days Of Eeyor”
If you can't laugh at yourself - ask me and I will do it for you.
Go back to your animal farm.
Bastard Programmer from Hell
"If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
Are the next books "Alice in the Gulag" and "Through the Peephole"?
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows.
-- 6079 Smith W.
I thought Winnie the Poutine was Canadian.
Would it be fair to call the well attended Flowers Family reunion a "bunch of flowers"?
Hopefully OG has not used this already.
I don't know, I just don't know.
It's bouquet with me.
Ravings en masse^
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein
"If you are searching for perfection in others, then you seek disappointment. If you seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010
And what would be the collective noun for the Katz family?
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows.
-- 6079 Smith W.
If they are all physically large, they would be a Pride of Katz.
Otherwise, they would be a Glaring of Katz.
Lions, and Tigers, and Bears, Oh My!
If that happened around our joint, it'd either be a collection of Wall Flowers or an Icehouse.
Bit hard to tell really.
I'm signing up for an Autocad (Eagle software) account and I am warned about my password (being too long because mine is 64 chars):
https://i.stack.imgur.com/99w35.png
But, then, everyone wonders why so many accounts are hacked.
I don't.
At least this one allows 50. Many only allow 15.
And, I still don't understand why this would matter if the password is hashed and the company only stores the hash anyways. They shouldn't care how long the password is at all since they would throw it away anyways.
modified 14-Jun-21 10:34am.
If a brute force attack is taken to hack an account, the longer the password the more difficult it is to come across. Or so I would think.
Ravings en masse^
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein
"If you are searching for perfection in others, then you seek disappointment. If you seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010
Yes, I agree. I should've said, I was warned because mine was 64 chars and they only allow 50.
Paraphrased from a short-lived sit-com (circa 1983)...
"I once had a colleague whose password was the names of the twelve apostles in reverse alphabetical order... poor fool was always the last to know anything."
raddevus wrote: They shouldn't care how long the password is at all since they would throw it away anyways. No, they'd save a hash. And those are usually fixed in length.
Bastard Programmer from Hell
"If you just follow the bacon Eddy, wherever it leads you, then you won't have to think about politics." -- Some Bell.
They wouldn't store the password but a (fixed size, hopefully long enough) hashed version of it. If the hash is shorter than a "really long" password such as yours, then there will be guaranteed collisions. A brute force strategy would find (possibly multiple) valid password(s) that you did not intend.
So in one sense, you are correct that they shouldn't care about password length - longer passwords weaken the answer. But that somewhat becomes your problem not theirs.
In the big picture, users of that website should be concerned more about the hash length, but users are rarely privy to that info.
If pigs could fly, just imagine how good their wings would taste!
- Harvey
H.Brydon wrote: If the hash is shorter than a "really long" password such as yours, then there will be guaranteed collisions
Yeah, this is not a concern.
The issue with collisions has to do with whether you can force a collision. So for instance, it's possible to create two completely different PDF documents, both of which come up with the same MD5 hash. Obviously this is a problem if using an SSL certificate. But with a password hashed with a current secure hash, you've got as much chance of finding a valid collision with "Password" as you do with "GuessThisReallyLongPassword".
Would collisions still occur with salted hashes? It’s my understanding that all password hashes ‘should’ be salted
modified 6-Sep-22 21:01pm.
Salting is something different.
The issue is that without salting (aka adding some random data into the password), then it's very easy to reverse hashed but not salted passwords back to plain text using things like rainbow tables.
It also stands out, if anyone gets hold of the password hashes, when default passwords have been used. For example, if you see every third account stating its password is "B2E98AD6F6EB8508DD6A14CFA704BAD7F05F6FB1", it doesn't take long to realise that every one of those users has entered the same password. In this case, Password123.
If you want to see a rainbow table in action, do a google search for it, and enter in the above hash and you'll see what I mean. (I won't provide a link, because like all cracking websites, I would suggest being very careful using it, and I'm not willing to post a URL that turns out to be bad).
As far as I know, salts can be stored safely with the hash (although I'm all ears if a security person wants to tell me otherwise).
Edit - just to answer the actual question: yes, collisions are still technically possible with salted hashes. But again, it's not whether a collision is technically possible, but rather whether there is a known way you can cause a collision with two different pieces of data.
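To make the points in this post and in the earlier "they'd save a hash, and those are fixed in length" reply concrete, here is an added Python example (not code from the thread): it shows that the stored digest has the same length whether the password is 1 or 64 characters, that an unsalted table exposes every account sharing a password, and that a per-user random salt with a slow KDF (PBKDF2 here, as a stand-in for whatever the site really uses) hides that. The usernames and passwords are constructed; the one SHA-1 value is the digest quoted in the post above.

```python
import hashlib
import secrets
from collections import defaultdict

# Constructed sample table; the names and passwords are made up for this example.
SAMPLE_USERS = {"alice": "Password123", "bob": "Password123", "carol": "correct horse battery"}
# The SHA-1 digest quoted in the post above.
THREAD_HASH = "B2E98AD6F6EB8508DD6A14CFA704BAD7F05F6FB1"

def unsalted_sha1(password: str) -> str:
    """Plain SHA-1 of the password: deterministic, so equal passwords give equal digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def salted_hash(password: str, salt: bytes, rounds: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256: per-user salt plus a deliberately slow iteration count.
    The output is always 32 bytes, whatever the password length."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)

def make_record(password: str) -> dict:
    """What a site should store: the salt (not secret) beside the salted hash."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}

def verify(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt; compare in constant time."""
    return secrets.compare_digest(record["hash"], salted_hash(attempt, record["salt"]))

def duplicate_groups(stored: dict) -> list:
    """Group usernames whose stored hashes are identical (the leak the post describes)."""
    groups = defaultdict(list)
    for user, digest in stored.items():
        groups[digest].append(user)
    return sorted(users for users in groups.values() if len(users) > 1)

def compare_schemes(users: dict = SAMPLE_USERS) -> dict:
    """Hash the same accounts both ways and report what an attacker holding the table sees."""
    unsalted = {u: unsalted_sha1(p) for u, p in users.items()}
    salted = {u: make_record(p) for u, p in users.items()}
    return {
        "unsalted_duplicates": duplicate_groups(unsalted),
        "salted_duplicates": duplicate_groups({u: r["hash"] for u, r in salted.items()}),
        "salted_lengths": {len(r["hash"]) for r in salted.values()},
    }
```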
My passwords are about a dozen characters long (note how I said "characters", not "letters") and didn't get hacked in either way. Length is nice, yes, but it's not everything.
It really doesn't matter; a phishing trip is more likely the attack vector.
How 'bout a password created from characters not on the keyboard?
¬└┴─╞󶧶¬•♀⌐ÅÆôæ
Unicode character [codes] based on significant dates, phone numbers, or lottery tickets - easy to remember. Press the alt key, enter the char code... Makes the character pool much larger for brute force attacks. But I think the only real way to make brute force or dictionary attacks unfeasible is a built-in delay, either in each attempt, or a lockout after a preset number of failed attempts. A thousand bots trying a thousand times a second are much more likely to find a password (or hash collision) than only being able to try three times, and then having to wait 30 minutes to try the next.
I agree with you - phishing and social engineering are much more likely attack vectors these days.
-Bob
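An added example of the lockout idea in Bob's post (not code from the thread): a per-account tracker that allows three failed attempts and then refuses further attempts for 30 minutes, plus a helper that bounds how many online guesses that policy permits. `LockoutTracker`, `attempt` and `max_online_guesses` are hypothetical names, and the clock is injectable so the 30-minute window can be exercised without waiting.

```python
import math
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

MAX_ATTEMPTS = 3            # failures allowed before lockout (the "three times" above)
LOCKOUT_SECONDS = 30 * 60   # then wait 30 minutes

@dataclass
class LockoutTracker:
    """Per-account failed-attempt counter with a timed lockout (hypothetical design).
    `clock` is injectable so the behaviour can be exercised without real waiting."""
    clock: Callable[[], float] = time.monotonic
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # lockout expired: clear it and reset the counter
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def attempt(self, user: str, guess: str, verify: Callable[[str, str], bool]) -> str:
        """Returns 'locked', 'ok' or 'fail'. The password is not checked at all while
        locked, so a guess made during the window yields no information."""
        if self.is_locked(user):
            return "locked"
        if verify(user, guess):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_ATTEMPTS:
            self.locked_until[user] = self.clock() + LOCKOUT_SECONDS
        return "fail"

def max_online_guesses(seconds: int) -> int:
    """Upper bound on guesses against one account within `seconds` under this policy;
    adding more bots does not raise it, because the counter is per account."""
    return math.ceil(seconds / LOCKOUT_SECONDS) * MAX_ATTEMPTS
```

One caveat the thread does not mention: a per-account lockout also lets anyone lock a victim out by deliberately failing three times, which is why it is usually paired with per-source throttling rather than used alone.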