Rainbow Tables and Easy Password Recovery
By Kurt Seifried (kurt@seifried.org)
Password security largely relies on secrecy; if someone finds out your password, you’re generally up the creek. Of course this isn’t news to anyone, but I feel compelled to give some background information in order to set up the dominoes before knocking them down.
So if we need something to be a secret, but we also need to pass this secret around and be able to verify that the correct secret is being sent, what technology can we rely upon? Why, good old encryption of course! More specifically, one-way hashes: data goes in, gets mangled, and 1’s and 0’s come out which cannot be used to determine the original password. Well, unless of course you take every possible password, hash it, and compare it to the value you have. Once you find a match, you know what the original password is. One interesting issue here is hash collisions: since a hash generates a value that is finite in length, and generally shorter than all the possible inputs, you can get a password that has the same hash value as another, different password. More on this later.
As it turns out, this type of attack, where you simply brute force passwords and store the results for later lookup, is surprisingly easy to do in a quick and efficient manner.
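The precompute-and-look-up idea and the collision point above, as an added example that is not part of the original article: it hashes a toy keyspace once, shows that an unsalted stored hash is then answered by a dictionary lookup, and that a salted one is not. SHA-256, the three-letter lowercase keyspace, the salt value and all function names are assumptions made for illustration.

```python
import hashlib
from itertools import product
from string import ascii_lowercase

def digest(password, salt=b"", nbytes=32):
    """SHA-256 over salt + password, truncated to nbytes (32 = full digest)."""
    return hashlib.sha256(salt + password.encode()).digest()[:nbytes]

def candidates(max_len=3):
    """Toy keyspace (an assumption): every lowercase password of length 1..max_len."""
    for n in range(1, max_len + 1):
        for chars in product(ascii_lowercase, repeat=n):
            yield "".join(chars)

def build_table(nbytes=32):
    """Hash each candidate once, unsalted, and index the password by its hash."""
    table = {}
    for pw in candidates():
        # setdefault keeps the first password seen for a hash value, so a
        # collision shows up as fewer table entries than candidates.
        table.setdefault(digest(pw, nbytes=nbytes), pw)
    return table

def lookup(stored_hash, table):
    """Return a password that hashes to stored_hash, or None if not in the table."""
    return table.get(stored_hash)

if __name__ == "__main__":
    table = build_table()
    # Constructed sample: the same password stored without and with a salt.
    unsalted = digest("cat")
    salted = digest("cat", salt=b"constructed-per-user-salt")
    print("unsalted hash found in table:", lookup(unsalted, table))
    print("salted hash found in table:  ", lookup(salted, table))
    # Collisions: a 1-byte hash has only 256 values for 18278 candidates,
    # so many different passwords share each hash value.
    tiny = build_table(nbytes=1)
    print("distinct 1-byte hash values:", len(tiny))
    print("a password matching cat's 1-byte hash:",
          lookup(digest("cat", nbytes=1), tiny))
```

The salted lookup misses because the table was built without that salt, which is why per-user salts make one precomputed table useless across accounts.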

