10-05-2007, 11:12 AM
|
#1
|
Member
Registered: Aug 2006
Location: England Somewhere
Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu
Posts: 518
|
sha1sum How strong is it and can i change it by...
Hello,
I currently have a password that gets used for something, and what I have also done is used a script for use with that password, to make something easier. What the script does is check that the password the user inputs is the same as the correct and required password. Now what my script does is pull in the password inputted by the user, sha1sum it and compare it to the already sha1sum'd password; if the hashes are the same then the password is the same, obviously, in which case the user will be able to get access to the application the password the user entered was passed to. However, if an attacker got on the box, I know for sure it's not overly difficult to take the hash if they find it and then get the real password. As this is going to be a production box soonish, my question is this: is it harder for someone to crack the sha1sum encryption to gain the original password if I made the script create the password with sha1sum, then re-create with the output of that another password, and then with that rehash again and create again another hash? Therefore it gets encrypted however many times over I set the loop for, and then I'm guessing it would be much, much harder to get the original password, yet I can easily compare the hashes still when the user inputs the original password into my program by doing exactly the same to it and then comparing the hashes again.
Would this increase the level of difficulty if someone gained the hash of the password, or are there things that still make it very easy to get?
Thanks regards
Mark
|
|
|
10-05-2007, 11:50 AM
|
#2
|
LQ Guru
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852
|
SHA1 is not really that secure in the first place. It is still outside the realm of practical threat (i.e. you would still need a distributed effort to crack a SHA1 hash), but once one weakness is found, more tend to follow. It is not completely inconceivable that SHA1 might at some point become easily and quickly crackable.
Since the attacker would have access to the hash here (you seem to indicate it is just sitting somewhere on the filesystem), then you are technically at risk of an attack. If you could block users from accessing the hash directly, then you should have nothing to worry about (relatively speaking).
That said, I am not sure of the effects of "nesting" the hashed passwords into each other. Logically it should increase the amount of time/difficulty required exponentially, but I don't know for certain if that is how it would actually work in the real-world.
|
|
|
10-05-2007, 12:19 PM
|
#3
|
Member
Registered: Aug 2006
Location: England Somewhere
Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu
Posts: 518
Original Poster
|
Thanks for the reply; yes, that's exactly along the lines I was thinking and it would be great to get an answer for it. As it is, it's pretty secure already: the fact it's only allowed access through root, so anyone would have to get to root access before even having a chance of getting to the hash; then it's a custom program, so it's not expected to be there, so they would only find the hash in the first place if they happened to come across it inside a file. So it's already pretty secure, but of course you never know. The thing is, if they did find it and then unhashed it, it could allow access to four other boxes, but still with difficulty. So yes, it's already pretty secure and there's only so far you can go, of course, but I was just wondering about my earlier question, as I could quite easily nest the hash several 1000 times and logically you would think it would make a difference; however, knowingly I haven't a clue, so if anyone knows it would be cool to know!
Cheers Regards
|
|
|
10-05-2007, 07:13 PM
|
#4
|
Member
Registered: Aug 2006
Location: England Somewhere
Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu
Posts: 518
Original Poster
|
Does nobody have more information on this? I mean, I know about John the Ripper, but that would find it very difficult to crack a password hash made up of a password hash that's so long; imagine it having to do that 1000+ times, it would take forever if it could even get it in the first place, because it's only a brute-force style attack. I'm asking if there's anything that could unlock it once and then be able to unlock it again and again as many times as required, much much faster? I'm guessing probably not, as how would a program know when it's finally got to the final password? So surely that must be hugely secure, isn't it?
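The nested-hash check discussed in this thread, next to a salted PBKDF2 version, as an added example that is not part of any post. Repeating the hash multiplies the work per password guess by the round count, while the per-password salt makes identical passwords store differently. The function names, round counts and record layout are assumptions.

```python
import hashlib
import hmac
import os


def nested_sha1(password: str, rounds: int) -> str:
    """The thread's scheme: SHA-1 the password, then SHA-1 each hex output again.

    Assumption: the password bytes are hashed without the trailing newline
    that `echo "$pw" | sha1sum` would add.
    """
    value = password.encode()
    for _ in range(rounds):
        value = hashlib.sha1(value).hexdigest().encode()
    return value.decode()


def check_nested(candidate: str, stored_hex: str, rounds: int) -> bool:
    """Repeat the same rounds on the input and compare in constant time."""
    return hmac.compare_digest(nested_sha1(candidate, rounds), stored_hex)


def make_record(password: str, rounds: int = 200_000) -> dict:
    """Salted PBKDF2-HMAC-SHA256 record (round count is an assumed value to tune)."""
    salt = os.urandom(16)  # fresh random salt per stored password
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return {"salt": salt.hex(), "rounds": rounds, "hash": derived.hex()}


def check_record(candidate: str, record: dict) -> bool:
    """Re-derive with the stored salt and round count, compare in constant time."""
    derived = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["rounds"]
    )
    return hmac.compare_digest(derived.hex(), record["hash"])


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    stored = nested_sha1(pw, 1000)
    print("nested check:", check_nested(pw, stored, 1000))
    # Unsalted: the same password always yields the same stored value.
    print("nested repeatable:", stored == nested_sha1(pw, 1000))
    a, b = make_record(pw), make_record(pw)
    # Salted: two records for one password differ, yet both verify.
    print("salted records differ:", a["hash"] != b["hash"])
    print("salted check:", check_record(pw, a), check_record("wrong", a))
```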