On Mon, Jun 19, 2017 at 08:02:28AM -0700, stan wrote:
> > That works as long as the website isn't hacked. If it is, even if the
> > passwords are hashed (which they often aren't), the hash can be
> > cracked if the password is weak.
> How? Don't the attackers have to know the password hashing algorithm to
> do that? If they have enough penetration into the system to know that,

There are only a handful of commonly-used cryptographically-secure hashes
which are likely to be used, and they're relatively easy to narrow down
simply by looking at length. Or, if they're stored like they are in
/etc/shadow, the entire string actually includes an identifier for the hash.

If the passwords are hashed in a non-standard way or with some made-up
thing... there's probably something wrong that a skilled attacker can
exploit. (Rule one of crypto: don't write your own crypto.)

-- 
Matthew Miller
<mattdm@xxxxxxxxxxxxxxxxx>
Fedora Project Leader
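
Added example (not part of the original message): an audit script built on the two observations in the reply above, the `$id$` prefix carried by /etc/shadow-style strings and digest length for bare hex, used to flag stored hashes that should be migrated. The sample entries are constructed, and the ok/migrate flags are this example's own policy assumption.

```python
import re

# crypt(3) modular-format identifiers -> (scheme, acceptable under this example's policy)
CRYPT_IDS = {
    "1": ("md5crypt", False),
    "2a": ("bcrypt", True), "2b": ("bcrypt", True), "2y": ("bcrypt", True),
    "5": ("sha256crypt", True),
    "6": ("sha512crypt", True),
    "y": ("yescrypt", True),
    "argon2id": ("argon2id", True),
}
# A bare hex digest has no identifier, but its length narrows the candidates.
HEX_LENGTHS = {32: "MD5 or NTLM", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}

def classify(field):
    """Return (scheme, ok) for one stored password-hash field."""
    if field == "":
        return ("empty password", False)
    if field[0] in "!*":                      # locked or disabled account
        return ("locked", True)
    m = re.match(r"^\$([A-Za-z0-9-]+)\$", field)
    if m:
        return CRYPT_IDS.get(m.group(1), ("unknown id $%s$" % m.group(1), False))
    if re.fullmatch(r"[0-9a-fA-F]+", field) and len(field) in HEX_LENGTHS:
        return ("unsalted hex, likely " + HEX_LENGTHS[len(field)], False)
    return ("unrecognized", False)

def audit(shadow_text):
    """Return [(user, scheme)] for entries whose storage should be migrated."""
    findings = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        scheme, ok = classify(rest.split(":")[0])
        if not ok:
            findings.append((user, scheme))
    return findings

# Constructed sample entries; the salt and hash parts are placeholders.
SAMPLE = "\n".join([
    "alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000:0:99999:7:::",
    "bob:$1$CONSTRUCTED$CONSTRUCTEDHASH:19000:0:99999:7:::",
    "carol:" + "a" * 32 + ":19000:0:99999:7:::",
    "dave:!:19000:0:99999:7:::",
    "erin::19000:0:99999:7:::",
])

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE):
        print(user, "->", scheme)
```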