Security Basics mailing list archives

RE: password cracking: one char at a time.


From: "Clement Dupuis" <cdupuis () cccure org>
Date: Thu, 24 Nov 2005 14:30:27 -0500

Michael wrote:

It is my understanding that some algorithms create a hash that allows you to
use the hash to unencrypt the password. With other algorithms it is not
possible to unencrypt the hash to get the original password. Is this wrong?
[Clement says:] 

A hash is not a key and it is NOT an encryption algorithm; in fact, there is
no key being used when you create a hash.  You simply put your message
through a hashing algorithm and you get a message digest or a hash value
that represents a fingerprint of that specific message.  The hash is NEVER
used as a key to decrypt.

The hash is used instead of the plain text representation.  This way you do
not send the password in clear text over the network.  The server knows what
hash value corresponds to the password being used.  MD5 is often used today
for passwords.  The MD5 hash will be sent and not the cleartext password.

There is still a requirement to use strong passwords.  If you use a small
password of less than 8 characters, it would be possible, using a precomputed
hash table, to find out what the corresponding password is very quickly.

I would suggest you take a look at the following document on my web site:

http://www.cccure.org/Documents/Cryptography/cisspallinone.pdf  
This document has a nice overview of cryptography and has good coverage of
what hashing algorithms are and how they are used.

Also take a look at the crypto section at:
http://www.cccure.org/modules.php?name=Downloads&d_op=viewdownload&cid=9  
You will find everything you ever wanted to know about cryptography.

Take care

Clement
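
Added example, not part of the original post: a small Python sketch of the precomputed-table point made above, next to a salted, iterated hash that a single precomputed table cannot cover. The function names, the three-letter lowercase search space and the PBKDF2 parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import itertools
import os
import string

def md5_hex(password: str) -> str:
    """Unsalted MD5: no key involved, same input always gives the same digest."""
    return hashlib.md5(password.encode()).hexdigest()

def build_table(alphabet: str, max_len: int) -> dict:
    """Precompute digest -> password for every candidate up to max_len."""
    table = {}
    for n in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=n):
            pw = "".join(combo)
            table[md5_hex(pw)] = pw
    return table

def recover(table: dict, digest_hex: str):
    """The hash is never 'decrypted'; a match is simply looked up."""
    return table.get(digest_hex)

def salted_hash(password: str, salt: bytes = None, iterations: int = 100_000):
    """Per-password random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify(password: str, salt: bytes, expected: bytes,
           iterations: int = 100_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt, iterations)
    return hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    # Constructed sample data: every lowercase password of 1 to 3 letters.
    table = build_table(string.ascii_lowercase, 3)
    print(len(table), "precomputed entries")
    print("short password :", recover(table, md5_hex("cat")))
    print("long passphrase:", recover(table, md5_hex("correct horse battery")))
    s1, d1 = salted_hash("cat")
    s2, d2 = salted_hash("cat")
    print("same password, different stored values:", d1 != d2)
    print("salted value found in table:", recover(table, d1.hex()))
    print("verify with stored salt:", verify("cat", s1, d1))
```
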




