LinuxQuestions.org
Old 10-05-2007, 10:12 AM   #1
helptonewbie
Member
 
Registered: Aug 2006
Location: England Somewhere
Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu
Posts: 518

Rep: Reputation: 39
Question sha1sum How strong is it and can i change it by...


Hello,
I currently have a password that gets used for something, and what I have also done is use a script with that password to make something easier. What the script does is check that the password the user inputs is the same as the correct and required password. My script pulls in the password inputted by the user, sha1sums it and compares it to the already sha1sum'd password. If the hashes are the same then the password is the same, obviously, in which case the user will be able to get access to the application the entered password was passed to. However, if an attacker got on the box, I know for sure it's not overly difficult to take the hash if they find it and then get the real password. As this is going to be a production box soonish, my question is this: is it harder for someone to crack the sha1sum encryption to gain the original password if I made the script create the password with sha1sum, then re-create another password with the output of that, and then rehash that again to create another hash? That way it gets encrypted however many times over I set the loop for, and I'm guessing it would be much, much harder to get the original password, yet I can still easily compare the hashes when the user inputs the original password into my program by doing exactly the same to it and then comparing the hashes again.

Would this increase the level of difficulty if someone gained the hash of the password, or are there things that still make it very easy to get?

Thanks regards
Mark
 
Old 10-05-2007, 10:50 AM   #2
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Rep: Reputation: 361
SHA1 is not really that secure in the first place. It is still outside the realm of practical threat (i.e. you would still need a distributed effort to crack a SHA1 hash), but once one weakness is found, more tend to follow. It is not completely inconceivable that SHA1 might at some point become easily and quickly crackable.

Since the attacker would have access to the hash here (you seem to indicate it is just sitting somewhere on the filesystem), then you are technically at risk of an attack. If you could block users from accessing the hash directly, then you should have nothing to worry about (relatively speaking).

That said, I am not sure of the effects of "nesting" the hashed passwords into each other. Logically it should increase the amount of time/difficulty required exponentially, but I don't know for certain if that is how it would actually work in the real world.
 
Old 10-05-2007, 11:19 AM   #3
helptonewbie
Member
 
Registered: Aug 2006
Location: England Somewhere
Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu
Posts: 518

Original Poster
Rep: Reputation: 39
Thanks for the reply, yes that's exactly along the lines I was thinking and it would be great to get an answer for it. As it is, it's pretty secure already: the fact it's only allowed access through root means anyone would have to get root access before even having a chance of getting to the hash. Then it's a custom program, so it's not expected to be there, so they would only find the hash in the first place if they happened to come across it inside a file. So it's already pretty secure, but of course you never know. The thing is, if they did find it and then unhashed it, it could allow access to four other boxes, but still with difficulty. So yes, it's already pretty secure and there's only so far you can go of course, but I was just wondering about my earlier question, as I could quite easily nest the hash several 1000 times and logically you would think it would make a difference. However, knowingly I haven't a clue, so if anyone knows it would be cool to know!

Cheers Regards
 
Old 10-05-2007, 06:13 PM   #4
helptonewbie
Member
 
Registered: Aug 2006
Location: England Somewhere
Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu
Posts: 518

Original Poster
Rep: Reputation: 39
Does nobody have more information on this? I mean, I know about John the Ripper, but that would find it very difficult to crack a password hash made up of a password hash that's so long. Imagine it having to do that 1000+ times; it would take forever, if it could even get it in the first place, because it's only a brute-force style attack. I'm asking if there's anything that could unlock it once and then be able to unlock it again and again, as many times as required, much, much faster? I'm guessing probably not, as how would a program know when it's finally got to the final password? So surely that must be hugely secure, isn't it?
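
Added example, not part of the original thread: the nested-hash idea asked about above, written in Python beside a salted PBKDF2 check from the standard library. The round counts, sample password and function names are assumptions; each extra round adds one more hash computation per guess, so the work grows linearly with the loop count, and without a salt identical passwords on different boxes still produce identical stored values.

```python
import hashlib
import hmac
import os

ROUNDS = 1000  # assumed loop count; the thread only says "several 1000 times"


def nested_sha1(password: str, rounds: int = ROUNDS) -> str:
    """The scheme from the thread: hash, then re-hash the hex output."""
    digest = password.encode()
    for _ in range(rounds):
        digest = hashlib.sha1(digest).hexdigest().encode()
    return digest.decode()


def make_record(password: str, rounds: int = 200_000) -> dict:
    """Salted, iterated alternative: PBKDF2-HMAC-SHA256 with a random salt."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return {"salt": salt.hex(), "rounds": rounds, "hash": dk.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and round count, then compare."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["rounds"])
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(dk.hex(), record["hash"])


def demo() -> dict:
    pw = "correct horse battery staple"  # constructed sample password
    a, b = make_record(pw), make_record(pw)
    return {
        # Same input always gives the same nested hash: no salt involved.
        "nested_is_deterministic": nested_sha1(pw) == nested_sha1(pw),
        # Same password, different salts: stored values differ per record.
        "salted_records_differ": a["hash"] != b["hash"],
        "good_password_ok": verify(pw, a),
        "bad_password_rejected": not verify(pw + "x", a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```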
 
  

