Password hashing –

If the password is plain, using a network monitor tool can ‘snip’ it out.

Unix has salt, Windows does not.

As a result it is easy to guess the password. Even though the algorithm is strong, they will always encrypt to the same if password is the same. Also you can ‘guess’ the password using dictionary attack or brute force attack.

Microsoft Password Hashing

Microsoft performs two types of password hashing:

  • Windows hashing
  • LANMAN hashing

Windows hashing takes your password and converts it to Unicode. Unicode is a means to provide a unique number for every character regardless of the platform or language. Thisprovides universality to software engineering, where developers can write a program or web page in one language using Unicode and have it easily viewed by readers in other languages. For example, the code 0041 is the capital letter A.

After the password is converted to Unicode, an MD4 algorithm is run against the Unicode string to compute a hash value. The MD4 algorithm takes the string and extends it by adding a single 1 bit followed by a number of 0 bits so that its length in bits is 64 bits short of being a multiple of 512 (448 modulo 512). Next, the first 64 bits of the original Unicode password are added again to equal a number divisible by 512. Four variables are then used in an algorithm against the new value, resulting in a hash value.

UNIX Password Hashing

UNIX passwords are more secure than their Windows counterparts. With UNIX systems, salts are used to generate random values when encrypting the password. Passwords are encrypted using DES.

Just running the algorithm once does not provide much security, so UNIX systems run the DES algorithm 25 times. The password is encrypted first with a 64-bit variable of all zeros. The output, combined with a random salt value, is used as input when running the algorithm the subsequent 24 times. Figure 9-4 demonstrates how DES encrypts a password.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s