Understanding and cracking salted sha512 hashes

Solution 1

  1. In your example the salt is YiP34XiXdXyh9fZn (base-64 encoded).

  2. Yes, in this case salt protects only against rainbow tables.

  3. SHA512 is still secure now. An attacker needs a password list.

Solution 2

This post is really old, but I want to correct this anyway.
It's not only for rainbow table attacks but also for common attacks against whole databases.
An attacker who captures a pw database wouldn't be so dumb as to attack every hash separately.
He will attack them all at once.
So, for example, while doing a dictionary attack he has to calc every hash only one time and can then compare it with all the hashes from the db.
With a random salt he has to calc every hash for every pw individually.
This would be slower almost by a factor of the number of hashes.
Salted big databases are much harder to attack than plain hash dbs.
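
The cost difference described in Solution 2, as an added example that is not part of the original answers: a password audit over constructed sample data that counts hash computations with and without per-user salts. The single-pass SHA-512, the account names, the passwords and the wordlist are assumptions made for illustration.

```python
import hashlib
import os

# Constructed sample data: four accounts, two sharing a password, and a tiny wordlist.
PASSWORDS = {"alice": "letmein", "bob": "letmein", "carol": "sunshine",
             "dave": "c0rrect-h0rse-battery-staple-91"}
WORDLIST = ["123456", "password", "letmein", "sunshine", "qwerty"]

def digest(salt: bytes, password: str) -> str:
    # Assumption: one pass of SHA-512 stands in for the real scheme; the $6$
    # format in the question iterates the hash many times per guess.
    return hashlib.sha512(salt + password.encode()).hexdigest()

def audit_unsalted(stored, wordlist):
    """stored: user -> digest. Each candidate is hashed once for the whole table."""
    users_by_digest = {}
    for user, d in stored.items():
        users_by_digest.setdefault(d, []).append(user)
    weak, hashes = {}, 0
    for word in wordlist:
        hashes += 1
        for user in users_by_digest.get(digest(b"", word), []):
            weak[user] = word
    return weak, hashes

def audit_salted(stored, wordlist):
    """stored: user -> (salt, digest). Each candidate must be re-hashed per user."""
    weak, hashes = {}, 0
    for user, (salt, d) in stored.items():
        for word in wordlist:
            hashes += 1
            if digest(salt, word) == d:
                weak[user] = word
                break  # stop early once this account's password is found
    return weak, hashes

def build_tables():
    unsalted = {u: digest(b"", p) for u, p in PASSWORDS.items()}
    salted = {}
    for u, p in PASSWORDS.items():
        salt = os.urandom(12)  # fresh random salt per account
        salted[u] = (salt, digest(salt, p))
    return unsalted, salted

if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted:", audit_unsalted(unsalted, WORDLIST))
    print("salted:  ", audit_salted(salted, WORDLIST))
```

Both audits flag the same three accounts, but the unsalted table needs one hash per wordlist entry while the salted table needs up to one per entry per account. The unsalted table also reveals that two accounts share a password, which the salted digests hide.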

Author: user1616244

Updated on June 04, 2022

Comments

  • user1616244 almost 2 years

    On Ubuntu 12.04 I created several users and passwords, then promptly proceeded to try to crack those passwords with John the Ripper. One password is very strong, but the others are in my wordlists.

    John is still running, but I've got two cracked so far in about 20 minutes.

    Everything I read talks about whether the salt is known or not. Take this hash for example:

    john:$6$YiP34XiXdXyh9fZn$JrbLMb.VGncFzEyBlz5YsKUim.UE5JLPvFhfcgAH4lz.usOrh.lic8IrQx0PRMIvIIIK4KnaTs9fiEXwNOLJ1/:1003:1003:John,,,:/
    

    The salt is:

    YiP34XiXdXyh9fZn   
    

    , right? I mean, isn't it always known? So a salt really doesn't do anything but protect against using rainbow tables, right?

    Also, there is this post:

    How long to brute force a salted SHA-512 hash? (salt provided)

    According to that, a sha512 essentially cannot be cracked at all unless the password is in a wordlist. That post is about a year old, anyone have any new insights? I'm finding it difficult to find good resources about cracking hashes; all the information out there is about generating hashes and protecting passwords.