I'm following some python book and the author provides an example of using crypt to produce a hashed password. Using the salt+password; and later he mentioned that the same could be done for sha512 using hashlib library. So I tried to use
hashlib.sha512(password+salt).hexdigest()
to see if I could come up with my same password in the /etc/shadow file, but I'm not getting anything remotely similar. I'm using the salt that shows as part of my password hash. Am I doing it correctly, or that salt needs to be in ascii form? Also does the salt goes first and then the password like hashlib.sha512(salt+password).hexdigest()? the rest of my code is pretty simple. It is that part about finding the salt, and hashing it properly. nagios:$6$P9zn0KwR$tgfvvFWJJ5FKmoXiP5rXWOjwoEBOEoAuBi3EphRbJqqjWYvhEM2wa67L9XgQ7W591FxUNklkDIQsk4kij uhE50:16632:0:99999:7:::
for example the salt I'm using is "P9zn0KwR" is this correct or I need to find the clear text for that salt... thanks
Using hash algorithms like MD5 or SHA-* is an unsecure way to store passwords, because they are ways too fast and therefore can be brute-forced too easily.
Have a look at the Phyton docs, the part about key stretching. It seems that they implemented the PBKDF2 for passwords which is recommended. The passlib seems to be a good choice too, they support the BCrypt algorithm.
Related
For reference I only know python so that's what I've been working with.
I've recently been looking into making my own hashing algorithm to further my understanding on how they work, I'm not looking into creating the most cryptographically secure hashing algorithm, just something that is a bit more secure than validating passwds in plain-text.(in other words I don't care if this algorithm has copious amounts of collisions.
From what I understand about hash functions is that they use ???? to obfuscate the input password. Where I'm getting caught up is how the function takes a user input, like "password1" and translates that into numbers the system can work with, then, what exact methods do they use to obfuscate them?
Apologies if this is a stupid question but I cant find any material on this that isn't way beyond my understanding or basic enough where they gloss over what happens inside the hash algorithm.
I was thinking some time if I should post that question here or at crypto.stackexchange.com. I think the question is more related to implementation than to theory, so here we go:
I have decided to use scrypt as the password hashing method for my future backends. Some of my backends are written in Perl, so I plan to use Crypt::ScryptKDF.
It is quite clear how to use it, but one question is left: scrypt is (to my best knowledge) more a key derivation function than a hashing function. So how is the hashing actually done?
Does it just encrypt the (salted) input string (e.g. a password) with the key which it has derived from the same (salted) input string (password), or is there more to it?
Let me describe the scenario:
I know the hashed string, and the $salt, but not the $pass. md5 format is:
md5($salt.$pass)
example value = ae10f955a7164ba6905919e7798284ca
here $salt = q)SDs
$pass is unknown.
Now, is there anyway to get md5($pass)?
Short of brute force techniques, no. However brute force is a valid approach. Depending on the scope of this problem, you have a few options:
Write a small program to compute MD5 hashes of md5(salt + random string).
Use an existing cracking tool like John the ripper.
Build a rainbow table using the salt, and then use that to find the appropriate password.
A tool like John the Ripper may be the easiest place to start.
While it is possible to recreate the password using a variety of methods, it's really not the purpose of the hash. The hash is supposed to encode the string in question in an irreversible way, so people who somehow get a hold of the hash cannot just reverse the encryption and have the password in their hands.
So no, it really isn't possible...at least not in any easy way.
Is it possible to duplicate output from the perl crypt function using ColdFusion decrypt?
I am not familiar with encryption programming, but as I understand it crypt uses the DES algorithm unless otherwise indicated. Coldfusion can use the DES algorithm, but I don't know what other parameters to use.
Allow me to clarify my situation. I am working with a vendor supplied application written in perl. My local toolset is mainly ColdFusion. I would like to enhance the vendor supplied login function with a 'lost your password/reset password' function. I would prefer not to change the vendor source code, which I have access to, since it get upgraded regularly and I don't want to have to keep applying the changes. The best solution, for a host of reasons, is to emulate the perl crypt() function output in ColdFusion so I can build the password reset function externally to the vendor application. It is admittedly an awkward and confusing situation.
I do not know if the emulation approach is feasible; if not it is back to the drawing board.
Just in case you didn't know, perl's crypt() function (and the crypt() function in the standard C library) is a one-way hashing function usually used for storing passwords. It's not an encryption function and there is no known decryption function.
As such, you're probably not looking for a function called decrypt(). I don't used Coldfusion, so I can't help you find the proper function.
I have a NSString like #"123456". I want to convert this string into byte array and then I want to shift some bytes using some arithmetic operations. Then I want to apply SHA256Hash on that and finally want to encrypt a string using the final result. I have tried many approaches but still got no success. I am very confused in this.If someone wants to look at code i'll post the code.
Edit:
My actual goal is to encrypt an string using AES256 encryption algorithm. And I want to generate my own key and I want to pass my own IV.
I assume you're trying achieve some kind of security. On the other hand it does not look like you're very familiar with the tools and methods you're using. This is a bad start.
Security is a very difficult thing to do—even for experienced developers. Maybe there's a way to reuse some existing implementation for your security needs.
My advice would be not to reinvent things, especially when they are as hard and as crucial as security.