(Continued from page 20)

your password. A common hash function is md5(), which returns a 32-character string (32 hexadecimal characters, or 128 bits) from any input. Below are a few examples of what a hash looks like:

md5(helloworld) = fc5e038d38a57032085441e7fe7010b0
md5(hell0world) = 0a123b92f789055b946659e816834465
md5(g84js;l238fl-242ldfsosd98234) = 42e7862f4ad5225471866d2023fc4cca
md5(helloworld) = fc5e038d38a57032085441e7fe7010b0

The Recipe for Hash

From the examples above, notice these things are always true; they are in every recipe:

1. Small changes matter a lot – Take a look at examples 1 and 2. Just one character has been altered, from an "o" to a "0" (OH to ZERO). This is a very small change, and yet the second output is unrecognizable from the first.

2. The output length never changes – The input in example 3 is considerably longer than the other examples, yet it produces an output of the same length (32 characters). You could input an entire book into the md5() hash function, and you would still get a 32-character string as the output.

3. Repeatable – An input will always give the same output when hashed using the same function. If this weren't the case, the function would just generate a random output, which would be useless for passwords. (I included the same input in example 4 as in example 1 just to see if you were paying attention.)

4. Hard to reverse – Even though a hacker may be able to tell the function used to create a hash, it is computationally infeasible to reverse that function and recover the password. In fact, it is so hard that trying millions of combinations to produce the same end result (a brute force attack) is typically quicker than the calculations required to reverse the hashing process. (The Humpty Dumpty Rule: you can't uncrack the scrambled egg in the HASH; more about that later.) One caveat the examples do not show: md5() is very fast to compute and has known weaknesses, so modern systems store passwords with a salted, deliberately slow password hash (bcrypt, scrypt or Argon2) rather than a bare md5().

Einstein Expects Results

As mentioned in item 3 above, we expect to get the same result for a given string every time. To get anything different would be crazy. That is what we count on for this concept to work, and we will also see later why it can be dangerous if you use a short password. So, let's follow the steps in a normal log-in.

Step 1 – A user visits a new site, fills in a form to create their username (or uses a given default), and then creates a password.

Step 2 – That password is put through a hash function, and the hash (not the password) is stored in the company database.

Step 3 – Later, when the user logs in, they enter their password.

Step 4 – That entered password is run through the same hashing function as was used before, and the result is compared with the stored hash.

(Continued on page 22)
Cyber Awareness Bulletin 21 October 2021
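The four rules of the recipe and Steps 1 to 4 of the log-in, worked through in Python as an added example (this is not code from the bulletin). hashlib.md5 stands in for the md5() of the text; md5_hex, differing_bits, register, login and brute_force_short are names chosen here, and the USERS table plus the account "alice" with password "cat" are constructed sample data. The hardened pair at the end goes beyond the bulletin: it shows the salted, deliberately slow hash (PBKDF2) that a site would store instead of a bare md5().

```python
"""Added example (not the bulletin's own code): the four properties of a
hash and the four login steps, using Python's hashlib.md5 as the md5()
of the text. Names (md5_hex, register, login, ...) are chosen here; the
USERS table is a constructed in-memory stand-in for the company database.
"""
import hashlib
import hmac
import itertools
import os
import string
from typing import Dict, Optional, Tuple


def md5_hex(text: str) -> str:
    """md5() as in the bulletin: 32 hex characters (128 bits) for any input."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_length(text: str) -> int:
    """Rule 2: the output length never changes, whatever the input size."""
    return len(md5_hex(text))


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Rule 1: count how many of the 128 output bits differ between two digests.
    For inputs that differ by one character, roughly half of the bits flip."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


# Steps 1 to 4: the database holds the hash, never the password.
USERS: Dict[str, str] = {}  # username -> md5 hex digest (constructed table)


def register(username: str, password: str) -> None:
    """Steps 1 and 2: create the account and store only the hash."""
    USERS[username] = md5_hex(password)


def login(username: str, password: str) -> bool:
    """Steps 3 and 4: hash what the user typed with the same function and
    compare it with the stored hash. Rule 3 (repeatable) is what makes
    the comparison meaningful."""
    stored = USERS.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, md5_hex(password))


def brute_force_short(target_hex: str, max_len: int = 4) -> Optional[str]:
    """Rule 4 in practice: nobody reverses md5(); an attacker who has the
    stored hash just hashes candidates until one matches. For a short
    all-lowercase password this takes well under a second, which is why
    a short password is dangerous even though the hash is one-way."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(string.ascii_lowercase, repeat=length):
            guess = "".join(chars)
            if md5_hex(guess) == target_hex:
                return guess
    return None


# Beyond the bulletin: what a modern site stores instead of a bare md5().
# A random per-user salt defeats precomputed tables, and a deliberately
# slow key-derivation function (PBKDF2 here) makes each guess expensive.
HARDENED: Dict[str, Tuple[bytes, int, bytes]] = {}  # name -> (salt, iterations, key)


def register_hardened(username: str, password: str, iterations: int = 600_000) -> None:
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    HARDENED[username] = (salt, iterations, key)


def login_hardened(username: str, password: str) -> bool:
    record = HARDENED.get(username)
    if record is None:
        return False
    salt, iterations, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, key)


if __name__ == "__main__":
    print(md5_hex("helloworld"))  # fc5e038d38a57032085441e7fe7010b0
    print(differing_bits(md5_hex("helloworld"), md5_hex("hell0world")), "of 128 bits differ")
    register("alice", "cat")  # constructed sample account
    print(login("alice", "cat"), login("alice", "Cat"))
    print(brute_force_short(md5_hex("cat"), max_len=3))
```

Running the script prints the helloworld digest from example 1, shows that the one-character change in example 2 flips about half of the 128 bits, and then recovers the three-letter sample password from its md5() by guessing alone; the hardened functions give the same accept/reject behaviour but cost hundreds of thousands of hash operations per guess, which is the point of using them.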