
Treacherous_Peach t1_iwp3pwy wrote

Wouldn't any solution be sufficient? Don't most places use the same hashing algorithms? So who cares if you got a different password from the real one, it will probably still work on other sites too?

5

calcopiritus t1_iwp4k5e wrote

To "break" a hash yes, any solution is sufficient. However, getting 1 of those solutions is still really hard. In this case the total amount of "hashes" is 3: either 0, 1 or 2. Real hashing algorithms have many more possible hashes.

It won't necessarily work on other sites for 2 reasons.

  1. "1234" and "7463" might generate the same hash using algorithm X, but it probably won't using algorithm Y. If 2 sites use different algorithms, you have to know the actual password. EDIT: I just saw you mentioned this, but it's still interesting to point out.

  2. Just hashing a password is bad practice for exactly this reason, so the recommended technique is doing hash+salt. That means every site generates a random "salt" for every user, and adds it to the password before hashing. So the password for site X is actually "1234jdyendi" while on site Y it is "1234udnfki". Although you type the same password on both sites, it's actually a different one from an attacker's POV; you need to know "1234", any other solution won't work for both sites.

3
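The salting point from the reply above, as an added example that is not part of the thread: a deliberately weak hash (SHA-256 truncated to 16 bits, an assumption made so that colliding inputs are cheap to find) is used without and with the two salts quoted in the comment. The function names are hypothetical, and the salts are fixed here only for reproducibility.

```python
import hashlib
from itertools import count

BITS = 16  # assumption: keep only 16 bits of SHA-256 so collisions are easy to find

def weak_hash(password: str, salt: str = "") -> int:
    """Toy hash: top BITS bits of SHA-256(password + salt)."""
    digest = hashlib.sha256((password + salt).encode()).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - BITS)

def verify(candidate: str, stored: int, salt: str = "") -> bool:
    """What a site does at login: re-hash the input and compare."""
    return weak_hash(candidate, salt) == stored

def find_alternates(stored: int, salt: str, real: str, want: int = 3) -> list[str]:
    """Return `want` inputs other than `real` that match `stored` under `salt`."""
    found = []
    for i in count():
        guess = str(i)
        if guess != real and verify(guess, stored, salt):
            found.append(guess)
            if len(found) == want:
                return found

def demo() -> dict:
    real = "1234"
    salt_x, salt_y = "jdyendi", "udnfki"  # salts quoted in the comment; real ones are random per user
    # Unsalted, same algorithm: every site stores this same value,
    # so an alternate found once is accepted everywhere.
    plain = weak_hash(real)
    plain_alts = find_alternates(plain, "", real)
    # Salted: each site stores a different value for the same password.
    stored_x = weak_hash(real, salt_x)
    stored_y = weak_hash(real, salt_y)
    salted_alts = find_alternates(stored_x, salt_x, real)
    return {
        "unsalted_alts_reused": sum(verify(a, plain) for a in plain_alts),
        "salted_alts_on_x": sum(verify(a, stored_x, salt_x) for a in salted_alts),
        "salted_alts_on_y": sum(verify(a, stored_y, salt_y) for a in salted_alts),
        "real_on_y": verify(real, stored_y, salt_y),
    }

if __name__ == "__main__":
    print(demo())
```

The alternates found against site X's salted value are accepted by site X, but only the real password "1234" is expected to verify on site Y.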