Daniel wrote:
On 30/04/15 19:03, Richard Falken wrote:
Crypto hashes are really powerful and are the standard way of storing
passwords in many systems.

You might know that a password hash is
$5$sdsd7f89sd7fsda89f7$9AO/NHJbfjwllqiFOOeq63ICdSDwaejGNa36IL6d4pC. You
might not use this information to find what the password that generates
this hash is. The reason is that cryptographic checksums work only one
way.
You can take an input and turn it into a hash, but there is no practical
way to take a hash and find out what the input is.

When I later enter my password, the system *must* do something to that
input to compare it to the saved data. So the system *must* know what
that something was, so the process is repeatable.

When you set the password, it is hashed and the hash is stored. The hash algorithm is repeatable, but not easily reversible, so it is impractical to work out what the password was from the hash.

When checking if an entered password is correct, the same hash algorithm is applied to the entered password. The hash of the entered password is compared to the hash of the originally set password, and if they're the same the password is considered correct. It is not necessary to recover the original password from the hash, but as you say it is necessary to be able to repeat the process. It is possible that more than one password can result in the same hash, but a good, secure hashing algorithm minimises the chances of such a collision being found any more easily than the original password.

That's more related to storing passwords for authentication though, e.g. it's how your operating system might store your password to check when you log in, or how your mail provider might store your password for logging in to their services.

In the context of encrypted files (which I think is how this discussion started), the password doesn't need to be stored anywhere, not even in hashed form. In that case, the password is used to generate an encryption key, which is used to encrypt the file. To decrypt the file, the user is prompted for a password and that password is used to generate the key for decrypting the file. If the password was correct, the file is successfully decrypted, otherwise the result of "decrypting" the file is nonsense. In the case of SeaMonkey's password database, for example, if the wrong password is entered the password manager won't be able to make sense of the "decrypted" file so prompts for the password again.

Mark.

_______________________________________________
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey
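
The two cases described in the reply above (a stored hash checked at login, and a password turned into a file key with nothing stored), as an added Python example that is not part of the original thread. The function names, the iteration count, the JSON layout and the toy keystream cipher are assumptions of this example and are not SeaMonkey's implementation.

```python
import hashlib, hmac, json, os

ITERATIONS = 200_000  # assumed work factor for this example

def stretch(password, salt):
    """Repeatable but one-way: same password + salt always gives the same 32 bytes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# --- Case 1: login. Only the salt and the hash are stored, never the password. ---
def set_password(password):
    salt = os.urandom(16)
    return salt, stretch(password, salt)

def check_password(entered, salt, stored_hash):
    # Repeat the same process on the entered password and compare the hashes.
    return hmac.compare_digest(stretch(entered, salt), stored_hash)

# --- Case 2: encrypted file. No hash is stored; the password becomes the key. ---
def _keystream_xor(key, data):
    # Toy stream cipher (HMAC-SHA256 in counter mode), standing in for a real
    # cipher such as AES because the standard library has none. Illustration only.
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

def encrypt_db(password, logins):
    salt = os.urandom(16)  # the salt is not secret and travels with the file
    return salt + _keystream_xor(stretch(password, salt), json.dumps(logins).encode())

def decrypt_db(password, blob):
    salt, body = blob[:16], blob[16:]
    plain = _keystream_xor(stretch(password, salt), body)
    try:
        return json.loads(plain)   # right key: the decrypted data makes sense
    except ValueError:
        return None                # wrong key: nonsense, so prompt again

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    salt, stored = set_password("correct horse")
    print(check_password("correct horse", salt, stored))   # login accepted
    print(check_password("wrong horse", salt, stored))     # login rejected
    blob = encrypt_db("correct horse", {"example.org": "constructed-login"})
    print(decrypt_db("correct horse", blob))
    print(decrypt_db("wrong horse", blob))
```

A real password manager would use an authenticated cipher, which detects a wrong key through a failed integrity check rather than through a parse failure.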
