I didn’t quite get to finish my post yesterday, so I took a few
moments to do a bit of homework; here’s what I found. I decided to do a
real-world test and attempt to look up a few commonly occurring
passwords I’ve seen here in my organization, so I took ten proper names
and words and used them as reference material (I won’t list all of them
here, but as examples here are three):
– 72a97fb793d496318518aebc7e9298b2 -> the "serial" number for "cowboys" (I’m a Dallas Cowboys fan).
– dfeaf10390e560aea745ccba53e044ed -> "cisco"
– 9924a057edc46fa6c7ac87a7b1771d4f -> "altoids"
I generated the hash values, entered each of the values into Google
search, and the all-knowing Google returned the password for each. In
fact, out of the 10 "serial" numbers I entered, I found *7* passwords,
including at least 2 I wasn’t expecting to find because of uniqueness!
I don’t mind saying that this was a little frightening. Now here’s a
tip that will help at least minimize the probability of finding the
passwords in Google.
All of the words I used were proper names or words right out of the
dictionary (randomly selected). When I added a random number or
character, e.g. when I added 20071001 to cowboys to come up with
cowboys20071001 (that hash value is 2810ea90c3101fadbaba8748f5b34902,
btw), I didn’t find the password. In fact, when I added random
numbers or characters to any of the passwords, I didn’t find *ANY* of
them.
Adding randomness to passwords is a technique called "salting," and
is used to strengthen the security of stored passwords. Typically "salting"
occurs on the system side when the password is stored on the host
system, but you as a user cannot guarantee that the system "salts"
passwords prior to hashing them. Adding the randomness to your
passwords on your own, while not a panacea, goes a long way toward
eliminating the risk of the kinds of attacks listed in yesterday’s post.
— Excuse me, my password tastes a bit bland, would you please pass the salt? —
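To make the mechanism behind the experiment concrete, here is an added example (written for this post; it is not the author’s code) that models the whole story in a few functions: a precomputed hash-to-word table standing in for what the search engine had indexed, the bare MD5 scheme the post is looking up, the user-side trick of appending a string, and the system-side alternative of a random per-user salt with a slow key-derivation function. The word list, the 200,000 PBKDF2 iterations and the record layout are assumptions for illustration; the MD5 values on the page are not asserted here because the example computes them itself.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed stand-in for the dictionary words and proper names that a
# search engine or rainbow table has already hashed and indexed.
COMMON_WORDS = ["cowboys", "cisco", "altoids", "dallas", "password", "letmein"]


def unsalted_md5(password: str) -> str:
    """The bare-MD5 scheme the post is querying Google for."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precompute digest -> word, which is all a 'reverse lookup' really is."""
    return {unsalted_md5(w): w for w in words}


def lookup(digest: str, table: Dict[str, str]) -> Optional[str]:
    """Return the word whose unsalted hash matches, or None if never indexed."""
    return table.get(digest.lower())


def salted_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """System-side salting: random salt plus a deliberately slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(password: str, iterations: int = 200_000) -> Dict[str, object]:
    """What a host should keep: salt, iteration count and derived hash (assumed layout)."""
    salt = os.urandom(16)  # fresh random salt per user, so equal passwords differ at rest
    return {
        "salt": salt.hex(),
        "iterations": iterations,
        "hash": salted_hash(password, salt, iterations).hex(),
    }


def verify_password(password: str, record: Dict[str, object]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(str(record["salt"]))
    candidate = salted_hash(password, salt, int(record["iterations"]))
    return hmac.compare_digest(candidate, bytes.fromhex(str(record["hash"])))


if __name__ == "__main__":
    table = build_lookup_table(COMMON_WORDS)
    # A plain dictionary word is found immediately, exactly as in the post.
    print(lookup(unsalted_md5("cowboys"), table))           # cowboys
    # The user-side "salt" from the post: the appended string was never indexed.
    print(lookup(unsalted_md5("cowboys20071001"), table))   # None
    # System-side salting: two users with the same password get different records.
    a, b = store_password("cowboys"), store_password("cowboys")
    print(a["hash"] != b["hash"], verify_password("cowboys", a))  # True True
```

The two kinds of salt are not equivalent, and the example keeps them apart on purpose: appending a string on the user side only defeats a table that was built before that string existed, because the result is still one deterministic, fast MD5 of a guessable pattern, whereas a random per-user salt stored alongside a slow hash forces any guessing to start over for every account.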