Asked by Precision
What is a hashed password and/or MD5?
Apparently, Yahoo was hacked and I received a data breach notification to my Yahoo account saying:
For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.
What is a "hashed password"? What is MD5?
ASKER CERTIFIED SOLUTION
Hashed password - in general this means the password is not in its plain text format. It is obscured such that an attempt to reverse the hashed password is non-trivial. However, brute force to attempt finding the original password may still be possible. Typically there should be account lockout to prevent multiple attempts.
MD5 - it is one of the hashing algorithms. It is normally represented as a string made up of 16 HEX decimal ('A' to 'F' or '1' to '9') characters. A caution on this algorithm is that it is weak and it has been proven that brute force is possible.
The more secure means of storage should mention salted hashes and using the SHA-2 algorithm. They are a stronger scheme to protect passwords and add more deterrence to brute force attacks.
SOLUTION
Another nice link with the explanation and more on MD5: https://www.theguardian.com/technology/2016/dec/15/passwords-hacking-hashing-salting-sha-2
Originally designed as a cryptographic hashing algorithm, first published in 1992, MD5 has been shown to have extensive weaknesses, which make it relatively easy to break.
Its 128-bit hash values, which are quite easy to produce, are more commonly used for file verification to make sure that a downloaded file has not been tampered with. It should not be used to secure passwords.
But what about the passwords?
If a password is properly hashed using SHA-2 or newer, and is salted, then to break a password requires a brute-force attack.
The longer the password, the longer the brute-force attack is going to last. And the longer the brute-force attack required, the more time-consuming and expensive it is to match the hash and discover the password.
Which means the longer the password the better, but the configuration of the password also makes a difference. A truly random eight-character password will be more secure than an eight-letter dictionary word, because brute-force attacks use dictionaries, names and other lists of words as fodder.
With hashing, reversal generally isn't practical. You will typically find that if you've lost your password, systems can't find it for you; they can just let you create a new one. This is because they don't HAVE your password, just the hash.
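An added example, not from the answers above or the Guardian article, that contrasts the unsalted MD5 storage mentioned in the breach notice with a salted SHA-2 scheme (PBKDF2-HMAC-SHA256 from the Python standard library). The record format, function names and iteration count are my own choices, not any site's actual implementation.

```python
import hashlib
import hmac
import os
from typing import Optional


def md5_unsalted(password: str) -> str:
    """Legacy scheme: a single MD5 over the password, no salt.

    Two users with the same password get the same 32-hex-char digest,
    so one precomputed table cracks every copy of that password at once.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Salted SHA-2 scheme: random per-user salt plus an iterated SHA-256.

    Returns a self-describing record (constructed format for this example)
    so the salt and work factor are stored next to the digest.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh salt per password, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time.

    The server never learns the original password; it only checks whether
    the candidate produces the same digest.
    """
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample: two users who happen to pick the same password.
    print(md5_unsalted("password"), md5_unsalted("password"))   # identical
    print(hash_password("password"), hash_password("password"))  # differ
```

Because the salt is random, the two salted records differ even though the passwords match, so a precomputed table for one is useless against the other.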