How did this extortionist get my (possibly) password?

Well, it’s kinda encryption, basically the same thing that enables blockchain technology - many different inputs can lead to the same output, but figuring out an input that allows a certain output is impossible except by brute forcing. In a dictionary attack on a hash function, they’re trying to find the simple word or phrase that gives the right result when hashed. They might luckily come across something that has the same hash that isn’t your password.

Of course, this requires knowing the hash function, so exactly what hash function is used is really the most important thing to keep secret for password systems. Hashes are useless without knowing how they were constructed.

This is not correct. It is very ill advised to create a ‘custom’ cryptographic hash function as you will almost certainly do a poor job which is vulnerable to attack. The industry relies on a small number of well known algorithms, created by experts, which are trusted for exactly the reason that they are not secret yet have not been cracked. Also, it would be risky to assume that your ‘secret’ hash function would remain secret as it would necessarily be stored in the form of executable program code, which could be stolen and reverse engineered.

Industry best practice with regards to storing passwords is to store ‘salted’ hashes. Here a random string is added to the password to ensure that multiple instances of “password123” get hashed to different values because they were combined with different random strings. The random string is then stored alongside the hash so it can be combined with the incoming password again when checking for a match. This defeats the easy dictionary attack whereby a hacker would pre-hash a list of likely passwords, then later compare her list of hashes with those stolen from your system, thus revealing the passwords of any user who used a password from her list. With salted hashes the hacker must recompute the hashes of her list of common passwords for every hash/random string pair stolen from your system, as she will need to combine her list with each random string. This is a LOT more work.
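To make the two posts above concrete, here is a small added example (written for this thread, not code from any poster). It builds a tiny "stolen" password database two ways, runs the pre-hashed dictionary attack described earlier against the unsalted version, and then shows that the salted version forces the attacker to re-hash her whole list once per user. All user names, passwords and the candidate list are constructed sample data. Plain SHA-256 is used only as the naive "unsalted" case; the salted path uses PBKDF2-HMAC-SHA256 with a deliberately tiny iteration count so the example runs quickly, whereas a real deployment would use bcrypt, scrypt, Argon2 or PBKDF2 with a much higher count.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example (not real leaked data).
COMMON_PASSWORDS = ["password123", "jonathan1", "letmein", "qwerty"]
USERS = {"alice": "password123", "bob": "password123", "carol": "hunter2"}

# Assumed parameters for illustration only: far too few iterations for production.
PBKDF2_ITERATIONS = 1000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """Naive storage: hash of the password alone, so equal passwords collide."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Salted storage: per-user random salt mixed in via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS).hex()


def store_unsalted(users: dict) -> dict:
    """Return {user: hash} with no salt at all."""
    return {u: unsalted_hash(p) for u, p in users.items()}


def store_salted(users: dict) -> dict:
    """Return {user: (salt, hash)}; the salt is stored next to the hash."""
    db = {}
    for u, p in users.items():
        salt = os.urandom(SALT_BYTES)
        db[u] = (salt, salted_hash(p, salt))
    return db


def verify_salted(db: dict, user: str, password: str) -> bool:
    """Login check: recombine the stored salt with the presented password."""
    salt, digest = db[user]
    return hmac.compare_digest(salted_hash(password, salt), digest)


def crack_unsalted(stolen: dict, candidates: list) -> tuple:
    """Attacker hashes the candidate list ONCE, then cracks every user by lookup.
    Returns (recovered passwords by user, number of hash operations spent)."""
    table = {unsalted_hash(c): c for c in candidates}
    found = {u: table[h] for u, h in stolen.items() if h in table}
    return found, len(candidates)


def crack_salted(stolen: dict, candidates: list) -> tuple:
    """With salts there is no precomputed table: every candidate must be re-hashed
    with each user's own salt, so the work is users x candidates."""
    found, work = {}, 0
    for u, (salt, digest) in stolen.items():
        for c in candidates:
            work += 1
            if salted_hash(c, salt) == digest:
                found[u] = c
    return found, work


if __name__ == "__main__":
    unsalted_db = store_unsalted(USERS)
    salted_db = store_salted(USERS)
    print("alice and bob share a hash (unsalted):", unsalted_db["alice"] == unsalted_db["bob"])
    print("alice and bob share a hash (salted):  ", salted_db["alice"][1] == salted_db["bob"][1])
    print("unsalted attack:", crack_unsalted(unsalted_db, COMMON_PASSWORDS))
    print("salted attack:  ", crack_salted(salted_db, COMMON_PASSWORDS))
    print("carol logs in:  ", verify_salted(salted_db, "carol", "hunter2"))
```

Both attacks still recover alice's and bob's "password123", because a salt does nothing for a password that is on the attacker's list; what changes is the cost. The unsalted run spends four hash operations for the whole database, the salted run spends twelve for three users, and that ratio grows linearly with the number of stolen records. Carol's "hunter2" is not recovered by either because it is not in the candidate list.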

I just found one of these in my spam folder. It would be much more believable if (a) the password wasn’t so laughably different from virtually everything I use and (b) I actually masturbated at my computer.

Oh, and this one only wanted $1500.

Just a tiny poll.

Is anyone else getting these recently where the alleged password is something like “jonathan1”?

I’ve gotten several with that “password” (which is wrong, of course) lately. I’m wondering if they are just being sent out with the same password to a million people hoping to scare a few who actually use something like that. I.e., the raindrop effect.

No. I just checked my spam folder and all of the 38 messages are legit. Places I’ve interacted with before. Where is the fingers-crossed smilie?

The stated password in mine appeared to be a random character string. There’s only one site on which I was given a random character string for a password with no obvious way to change and it’s certainly not a porn site.