Reputation: 887
We have the following hash function that maps a 4 digit password.
h(abcd) = (d + c^2 + b^3 + a^4) mod 100, where a, b, c, d ∈ {0, ..., 9}.
What is the success probability of someone finding the password if the server stored the unhashed vs hashed versions of the password?
I know that we have a total of 10^4 possible 4-digit unhashed passwords. So if an exhaustive search is run on a NOT-hashed list, then the success probability will be 1/10^4 = 1/10000.
But how do I know what the probability is for the hashed storing of the passwords? Many passwords will hash to the same value. I don't see an emerging pattern.
Upvotes: 0
Views: 310
Reputation: 2712
First, read Thomas Pornin's canonical answer to "How to securely hash passwords?"
Second, quit using your custom hash function and start using PBKDF2, bcrypt, or scrypt with a sufficiently large number of iterations/work factor.
Note that for 4 digit PINs, no possible work factor is high enough, since an offline attacker is likely to have orders of magnitude more computing power, and thus if you want users to wait less than an hour, any attacker's going to crunch through your complete list in very little time, and find 100% of the passwords.
So, third, quit using 4 digit passwords, and start using long, complex passwords - or even longer numeric only passwords.
ETA: For an offline attack, 100% - they'll find every single password in no time at all by the time scales normally used.
Upvotes: 0
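The following is an added worked example, not code from either post, that makes the question's collision structure and the answer's "100% offline" claim concrete. It enumerates all 10^4 PINs under the question's h, builds the hash-to-PIN lookup table an offline attacker would build, and derives the per-guess success probabilities for an online guesser against the hashed store. All function names (preimage_table, best_single_guess, success_after_k_guesses, offline_recover) are this example's own.

```python
from collections import defaultdict
from itertools import product

MOD = 100
SPACE = 10**4  # number of 4-digit PINs


def h(pin: str) -> int:
    """The hash from the question: h(abcd) = (d + c^2 + b^3 + a^4) mod 100."""
    a, b, c, d = (int(ch) for ch in pin)
    return (d + c**2 + b**3 + a**4) % MOD


def all_pins():
    """Every 4-digit PIN as a string, '0000' .. '9999'."""
    return ("".join(t) for t in product("0123456789", repeat=4))


def preimage_table():
    """Offline attacker's lookup table: hash value -> every PIN that produces it.

    Building it costs exactly 10^4 hash evaluations, which is the 'complete
    list' the answer refers to; after that, every stored hash is reversible.
    """
    table = defaultdict(list)
    for pin in all_pins():
        table[h(pin)].append(pin)
    return dict(table)


def offline_recover(stored_hash, table):
    """Offline attack: return a PIN the server will accept for stored_hash.

    Always succeeds because the table covers the whole PIN space. The PIN
    returned is not necessarily the victim's original one, but it hashes to
    the same value, which is all the server checks.
    """
    return table[stored_hash][0]


def best_single_guess(table):
    """Best single online guess against the hashed store.

    The server accepts any PIN whose hash equals the stored hash, so the
    attacker picks a PIN from the largest collision class. Over a uniformly
    random victim PIN the success probability is |largest class| / 10^4,
    never below 1/100 by the pigeonhole principle (10^4 PINs, 100 outputs).
    """
    hv, pins = max(table.items(), key=lambda kv: len(kv[1]))
    return pins[0], hv, len(pins) / SPACE


def success_after_k_guesses(table, k):
    """Cumulative success probability after k online guesses, one per class.

    Guessing one representative of each of the k largest collision classes
    covers the sum of their sizes out of 10^4 PINs. With k = 100 every
    output value has been tried, so the attacker is certain to get in.
    Against the unhashed store the same k guesses only give k / 10^4.
    """
    sizes = sorted((len(p) for p in table.values()), reverse=True)
    return sum(sizes[:k]) / SPACE


if __name__ == "__main__":
    table = preimage_table()
    pin, hv, p = best_single_guess(table)
    print(f"{len(table)} distinct hash values for {SPACE} PINs")
    print(f"best first guess {pin} (hash {hv}) succeeds with probability {p:.4f}")
    print(f"unhashed store, one guess: {1 / SPACE:.4f}")
    print(f"hashed store, 100 guesses: {success_after_k_guesses(table, 100):.4f}")
    print(f"offline, stored hash 42 -> accepted PIN {offline_recover(42, table)}")
```

The online numbers are what the question was missing: because h has only 100 possible outputs, a hashed store lets a single guess succeed with probability at least 1/100 rather than 1/10000, and at most 100 guesses are ever needed. The offline numbers are the answer's point: the table is built with 10^4 evaluations of h, after which every stored hash maps to an accepted PIN, and no work factor changes that for a 10^4-element space.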