Discover which cryptographic techniques are used to protect passwords. In this video, Lisa Bock discusses some of the ways black-hat hackers are able to determine a user's password. Learn about hashing, a cryptographic technique for obscuring plaintext passwords. Explore rainbow tables, and ways to reverse-lookup a hashed value.
- [Voiceover] Password management is used by an operating system to protect the integrity and confidentiality of the passwords in the system. In most cases, the hash of the password is generated, and then stored in a file. The password is discarded. But let's talk about hashing and cryptographic functions. We'll talk about encryption versus hashing. Encryption uses a key, or pair of keys. When we encrypt a message with a key, we can decrypt the message as long as we have the key.
In this example showing symmetric encryption, we see the plaintext, the shared secret, the encryption algorithm, and that becomes cyphertext. To decrypt, we take the cyphertext, the same shared key, and encryption algorithm, and that converts back to plaintext. However, hashing is a one-way cryptographic function. You cannot generate the original message from the hash.
We use a hash value in a number of different applications, including authenticating a message, monitoring data integrity, and storing passwords. There are several hash algorithms, but two popular algorithms are Secure Hash Algorithm, or SHA, which generates a hash value of 160 bits, and Message Digest Algorithm, or MD5.
This is a widely used cryptographic hash, which produces a 128-bit hash value. Let's take a look at what happens to some text when I use the hashing function. I'm at this webpage FileFormat, and I'll just put in jasper to create a hash value. I'll ask for the hash. Now, we'll scroll down and here we can see a variety of hash values, including MD5.
So, what happens when a user enters their password and it's stored? Well, a user goes in and creates a password, a hash is generated, and then stored in the system. Here we see a list of passwords and their hash value. When the user goes in again, and enters their password, that hash value is generated, and then it is compared to the stored value. If it's a one to one match, you'll be authenticated.
If the hash values don't match, the password you entered will be rejected. Rainbow Tables are a database of many hash-password pairs. Rainbow Tables can be enormous, and they can be generated online, or you can even make your own. You can generate all combinations of alphanumeric characters, and then hash the results and store them in a file for future use.
I'm at this website, project-rainbowcrack, and here you can see a list of Rainbow Tables that they've generated. Some of them are very very large. Let's take a look at how you can make a stronger password, and try to beat a Rainbow Table. Now, one of the things I've gone to is onlinemd5. I'll scroll down here and it offers an opportunity to generate a hash value. I'll, again, type the word jasper and there is the MD5 hash value.
I'm going to select that and copy it. I'll go to this website here that does a reverse hash lookup. Now, I'll put in the hash value and ask for it to reverse. Here you can see that it has come up with the result jasper, which is correct. Understand, it didn't undo the hash value, it simply did a lookup in the Rainbow Table to come up with the word jasper.
I'm back to this webpage here, and in this I'm gonna put a different string, mattpeterson. Again, I've calculated this hash value. I'm going to go back to this webpage, and I'll ask to reverse it. In this Rainbow Table, there was no MD5 value that was a match. So, you can see that making a little stronger password might foil a Rainbow Table.
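The lookup the video walks through, and the defence against it, as an added Python example that is not part of the video or the course: a precomputed table of unsalted MD5 hashes reverses any password that appears in the wordlist (a small constructed list here), while a per-user random salt with an iterated hash (PBKDF2-HMAC-SHA256 is this example's choice, not something the video names) produces a different stored value for the same password every time, so no precomputed table can match it.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for the bulk of a real rainbow/lookup table.
WORDLIST = ["password", "123456", "jasper", "letmein", "qwerty"]


def md5_hex(text: str) -> str:
    """Unsalted MD5, as the online hash generators in the video produce it."""
    return hashlib.md5(text.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> plaintext once; this is what makes the reverse lookup cheap."""
    return {md5_hex(w): w for w in words}


def reverse_lookup(table, digest):
    """Return the plaintext if the digest was precomputed, else None.
    Nothing is 'undone': the hash is only matched against stored pairs."""
    return table.get(digest.lower())


def store_salted(password: str, salt=None, iterations=200_000):
    """Defender side: random 16-byte salt per user plus PBKDF2-HMAC-SHA256.
    The stored string carries salt and iteration count so verification can repeat them."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("jasper ->", reverse_lookup(table, md5_hex("jasper")))          # found in table
    print("mattpeterson ->", reverse_lookup(table, md5_hex("mattpeterson")))  # None: not precomputed
    a, b = store_salted("jasper"), store_salted("jasper")
    print("same password, two stored values differ:", a != b)
    print("verify ok:", verify_salted("jasper", a), "wrong pw:", verify_salted("jasper1", a))
```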
These tutorials, along with the other courses featured in the Ethical Hacking series, will prepare students to pass the Certified Ethical Hacker exam and start a career in this in-demand field. Find out more about the exam at https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/.