Friday, June 08, 2012

Philosophical passwords

I've been amusing myself on this site finding out what passwords people used to access the compromised site LinkedIn. Type in a password of choice, such as 'moonshine', and the page computes a 'hash' for that password, then sends the hash to the server database to see if it is there. Hashing is a very clever technique: an algorithm converts a string of letters, i.e. your password, into a long alphanumeric code – the hash. The clever thing is that even if an attacker knows the hash code, and knows the hashing algorithm, they cannot in theory reverse engineer the hash and discover the original password. The algorithm is a so-called 'trapdoor function' that lets you go one way, but not the other. That is, you cannot compute the inverse of the function, even when you know the function.

In theory, that is, because if you choose a simple dictionary word or even a combination of simple dictionary words, it is easy to run a 'brute force' program that hashes every single simple dictionary word, or combination, until it finds a hash that matches. For example, the SHA1 hash for the word 'moonshine' is befa39749509fd9ab56743e14f9d68d843ea4038, and a Google search for it returns any number of sites that managed to crack it.
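The weakness described above, as an added example that is not part of the original post: a password audit that hashes a wordlist once and matches it against stored unsalted SHA-1 values, next to a salted PBKDF2 record where identical passwords no longer share a stored value. The user names, the wordlist, the store and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch; tune to your hardware

def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the scheme the post describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def audit_unsalted(stored: dict, wordlist: list) -> dict:
    """Return {user: word} for each stored unsalted hash a wordlist entry reproduces."""
    table = {sha1_hex(w): w for w in wordlist}  # one pass covers every user at once
    return {user: table[h] for user, h in stored.items() if h in table}

def make_record(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 record: (salt, derived_key)."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key

def verify(password: str, record: tuple) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, key = record
    return hmac.compare_digest(make_record(password, salt)[1], key)

# Constructed sample data (hypothetical users; words taken from the post).
WORDLIST = ["moonshine", "Aristotle", "Wittgenstein", "consciousness"]
UNSALTED_STORE = {
    "alice": sha1_hex("moonshine"),
    "bob": sha1_hex("moonshine"),          # same password -> same stored hash
    "carol": sha1_hex("Aristotle"),
    "dave": sha1_hex("k7#Vq2!mZr9@tLx4"),  # not in any wordlist
}

if __name__ == "__main__":
    # Dictionary words fall out immediately; the random password does not.
    print(audit_unsalted(UNSALTED_STORE, WORDLIST))
    # With salts, two users choosing 'moonshine' get unrelated records,
    # so a table hashed once in advance matches neither of them.
    a, b = make_record("moonshine"), make_record("moonshine")
    print(a[1] != b[1], verify("moonshine", a))
```

A salt and a slow key-derivation function raise the cost of each guess per record; they do not make a dictionary word a good password.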

Testing for philosopher names, I see that 'Aristotle' and 'Wittgenstein' and even 'BertrandRussell' were chosen passwords for LinkedIn members. Even, gasp, 'Animaxander'. However, 'WilliamOckham' and 'DunsScotus' were not, although a Google search for their hashes shows that one clever site managed to crack them.

The hash for 'consciousness' is e02c4a06f389ccdd0f5682e257af382928ce3110

Do I use philosophical passwords? No.

3 comments:

Anthony said...

Heh, that's fun...

abcdef
abcdefg
abcdefgh
abcdefghi
abcdefghij
abcdefghijk
abcedfghijkl
abcdefghijkl
then it skips to
abcdefghijklmnop

123456
1234567
12345678
123456789
12345678910
then it skips to
12345678910111213

Edward Ockham said...

So you amused yourself for hours, then.

Anthony said...

Nah, tens of minutes. :)