OK, I did say "outside the NSA"xb12s wrote:From the article it looks like the NSA is looking for the "salt", the algorithm, and the hash and they can come up with the password in a matter of minutes.sjfcontrol wrote: If the internet company knows what it's doing, they will be unable to comply with this request, as they don't know the passwords. All that is stored is a "hash" of the password. When the user logs in, he enters the password, which is passed thru the hash algorithm, and compared with the stored hash value. If it matches, the user is logged on. So the only thing the company stores is the hash, and there is no way (well, outside of the NSA, anyway) to recreate the password from only the hash.
But modern computers, especially ones equipped with high-performance video cards, can test passwords scrambled with MD5 and other well-known hash algorithms at the rate of billions a second. One system using 25 Radeon-powered GPUs that was demonstrated at a conference last December tested 348 billion hashes per second, meaning it would crack a 14-character Windows XP password in six minutes.
By the way, if they have the power to brute-force passwords, they don't need the "salt". Salt is used to prevent password 'collisions'. Presume we both are married to women named "Mary", and use our wive's name as a password. If I have access to the file of hashed passwords, I can search for accounts that have the same hash as my account. I'll find your hash matches, and I'll know your password. With salt, everybody gets a random sequence "sprinkled" into the algorithm and my hash will then differ from yours even though our passwords are the same.
All this just goes to prove that passwords are an outdated (and out-technologied) concept. For true security we should all be using public/private certificates to prove our identities. Lets see them crack that in 6-minutes (unless, of course, the NSA has had the developing companies insert back-doors).
By the way, is the NSA brute-forcing passwords in their "high-performance video boards"?
