
Forums before death by AOL, social media and spammers... "We can't have nice things"

   alt.privacy      Discussing privacy, laws, tinfoil hats      112,125 messages   


   Message 111,222 of 112,125   
   Borax Man to cal@invalid.com   
   Re: Why does one need a 'strong' passwor   
   26 Apr 25 11:13:50   
   
   From: rotflol2@hotmail.com   
      
   On 2025-04-22, cal@invalid.com  wrote:   
   > On Tue, 22 Apr 2025 15:18:09 +0200, Stefan Claas    
   > wrote:   
   >   
   >>cal@invalid.com wrote:   
   >>>   
   >>> If a hacker hacks one's mail site and gets one's password, what   
   >>> difference does it make if that password is weak or strong?  Either way,   
   >>> the hacker gets it from the hacked e-mail site.  He then has access to   
   >>> the e-mail account no matter what the strength of the password was.   
   >>>   
   >>> What am I not understanding about the necessity for the need of a   
   >>> 'strong' password - or passphrase?   
   >>   
   >>Passwords are usually hashed when stored on the server. There are big   
   >>hash tables on the Internet available and tools like hashcat or John   
   >>the Ripper try to crack those hashes. If a password is simple and   
   >>not long enough those tools do not need long to find your weak password,   
   >>due to weak entropy. Read more about password entropy and you get the   
   >>idea.   
   >>   
   >>HTH   
   >>   
   >>Regards   
   >>Stefan   
   >   
   > Okay, they do not see the password itself.  They see a hashed version of   
   > it.  So, weak password = weak hash.  Got it.  I thought they saw the   
   > password/passphrase itself.   
   >   
   > That Rainbow dictionary stuff is why I do misspell some words in my   
   > passphrase.  I do also use some numbers and a simple punctuation mark.   
   > Now I know why I have to go to all that trouble.   
   >   
   > Thanks for answering.   
      
   There are no weak hashes per se.  Each hash is in theory as secure as   
   any other, in that you can't reverse engineer the original password from   
   the hash.  But if you've already hashed all the words in the   
   dictionary, if someone else has just used a single dictionary word,   
   you'll find a match quick.   
      
   You can "salt" the hash, adding some random data to the original   
   data/password when you hash it, so the final hash comes out different.   
   This way even if two people use the same password, the random 'salt'   
   added means they have completely different hashes, hiding the fact their   
   passwords are the same.  I implemented this in some software I wrote a   
   while back.   
      
   --- SoupGate-DOS v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
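
The salting described in the message above, as an added example that is not part of the original post and not the poster's software: two users with the same password get identical unsalted hashes that one precomputed table resolves, while per-user salts give different hashes and force every guess to be redone per user. The word list, user names, iteration count and the choice of PBKDF2-HMAC-SHA256 are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny word list and two users who picked the same password.
WORDLIST = ["password", "letmein", "dragon", "sunshine"]
USERS = {"alice": "sunshine", "bob": "sunshine"}
ROUNDS = 100_000  # PBKDF2 iteration count (assumed value for this example)

def unsalted(password):
    """Plain hash with no salt: equal passwords always give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted(password, salt):
    """Hash of password plus per-user random salt, using slow PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def store(password):
    """Record the server keeps for one user: (fresh random salt, hash)."""
    salt = os.urandom(16)
    return salt, salted(password, salt)

def verify(password, record):
    """Re-hash the login attempt with the stored salt; constant-time compare."""
    salt, digest = record
    return hmac.compare_digest(salted(password, salt), digest)

def table_hits(hashes, table):
    """Look every stored hash up in one precomputed table of word hashes."""
    return {user: table[h] for user, h in hashes.items() if h in table}

def guess_one(record, words):
    """With a salt, each word must be re-hashed for each user separately."""
    return next((w for w in words if verify(w, record)), None)

def demo():
    table = {unsalted(w): w for w in WORDLIST}  # built once, reused for everyone
    plain_db = {u: unsalted(p) for u, p in USERS.items()}
    salted_db = {u: store(p) for u, p in USERS.items()}
    return {
        "unsalted_equal": plain_db["alice"] == plain_db["bob"],
        "unsalted_hits": table_hits(plain_db, table),
        "salted_equal": salted_db["alice"][1] == salted_db["bob"][1],
        "login_ok": verify("sunshine", salted_db["alice"]),
        "login_bad": verify("sunshin3", salted_db["alice"]),
        "weak_word_still_found": guess_one(salted_db["bob"], WORDLIST),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last value shows that a salt removes the shared table and hides equal passwords, but a single dictionary word is still found once it is tried against that user's salt, which is where password strength comes in.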



(c) 1994,  bbs@darkrealms.ca