Tuesday, December 16, 2014

Ladies and gentlemen: salt your passwords

A few weeks ago I recovered the database of an old website from backup. The customer wanted the old contact info and had lost its own backup.
The old database hashed its passwords with SHA-1, but did not salt them. Looking at the old users table, I wondered how well the rainbow table approach would work, using Google as a big rainbow table: just feed the hash into the search field and see what comes up.

Here are the results:
Password (SHA-1)                          Clear text  Count
7C4A8D09CA3762AF61E59520943DC26494F8941B  123456      36
9C2028963DC9F7FBB4CB30140428A210C61DBB2C  wachtwoord  24
9CF95DACD226DCF43DA376CDB6CBBA7035218921  azerty      22
62E839476B23E579EFB96B47391599FFCA4CFA94  ?           18
7110EDA4D09E062AA5E4A390B0A572AC0D2C0220  1234        18
F001F2E438738807D3079BFFAF66519B9D0F26C7  azqswx      16
F7C3BC1D808E04732ADF679965CCC34CA7AE3441  123456789   16
D18C9E9DCCE902D6A3E21E72BADA443AC294CB5F  Paswoord    15
FDA48D6A63F351DC46D411336DE4BA33F77B66F5  voetbal     14
D22BC6BAD61129B636AFFA2511B3CE522CD74BB3  brecht      13
EE8D8728F435FD550F83852AABAB5234CE1DA528  iloveyou    12
48F285F9A1E15CB6240506182A3C08AEDD639F26  dansen      11

The count indicates how many users chose that password. The users spoke Dutch and used an AZERTY keyboard. Of the top 12, I found all but 1 using a Google search. This is why you salt your passwords.

Mind you, it's also a reason to implement a decent password policy, one that does not allow '1234'.
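To make the two points above concrete, here is an added example (not code from the original post or from the site it describes). It reproduces the old site's unsalted SHA-1 scheme, shows why a precomputed hash-to-plaintext map and the duplicate counts fall straight out of it, and then stores the same passwords with a per-user random salt and a slow PBKDF2 derivation, plus the minimal policy check the post asks for. The wordlist is the post's own table; the users table, the iteration count and the storage format are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# The plaintexts from the post's table, used here as a tiny stand-in for
# "Google as a rainbow table": a precomputed map from unsalted SHA-1 to
# plaintext. Constructed for this example.
COMMON_PASSWORDS = ["123456", "wachtwoord", "azerty", "1234", "azqswx",
                    "123456789", "Paswoord", "voetbal", "brecht",
                    "iloveyou", "dansen"]
BLOCKLIST = frozenset(p.lower() for p in COMMON_PASSWORDS)

# PBKDF2 work factor; an assumption for the example, tune for your hardware.
ITERATIONS = 210_000


def sha1_unsalted(password: str) -> str:
    """The old site's scheme: plain SHA-1 of the password, uppercase hex, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_lookup(wordlist):
    """Precompute hash -> plaintext once. Because there is no salt, the same
    table answers queries against every unsalted database ever leaked."""
    return {sha1_unsalted(w): w for w in wordlist}


def duplicate_counts(hashes):
    """Without salt, equal passwords give equal hashes, so the 'Count' column
    in the post can be read straight off the users table."""
    return Counter(hashes)


def hash_password(password: str, salt=None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.
    A fresh 16-byte random salt per user means the same password never
    produces the same stored value twice, which defeats both the
    precomputed lookup and the duplicate count."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def password_allowed(password: str, min_length: int = 8) -> bool:
    """Minimal policy from the post: refuse '1234' and the rest of the top list."""
    return len(password) >= min_length and password.lower() not in BLOCKLIST


if __name__ == "__main__":
    lookup = build_lookup(COMMON_PASSWORDS)
    # Constructed users table: three users, two of whom picked "123456".
    old_table = [sha1_unsalted(p) for p in ("123456", "123456", "voetbal")]
    for digest, n in duplicate_counts(old_table).items():
        print(digest, lookup.get(digest, "?"), n)
    stored = hash_password("123456")
    print(stored, "found in lookup:", stored.split("$")[3].upper() in lookup)
    print("verify:", verify_password("123456", stored), "policy:", password_allowed("123456"))
```

Running it shows the unsalted row 7C4A8D09... resolving to "123456" with a count of 2, while the two salted records for the same password differ from each other and from anything in the lookup; only the verify step, which has the salt, can confirm a guess, and each confirmation costs a full PBKDF2 run.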

I really wonder about that 1 that I wasn't able to find though. Must be some Dutch word.
