security – passwordhash question.

  • sandstrom

    (@sandstrom)


    18 years, 6 months ago

    As I have understood hashing a password (one way cryptation), which is used in wordpress, has a set number of possible hashes. Say 5000 different hashes.

    If I have understood this correctly (which I may not) isn’t this a security risk? if anyone bruteforce the admin account, after 5000 tries they could have put in a some word that generates exactly the same hash as the adminpassword, and therefore be granted access.

    /alexander

Viewing 2 replies - 1 through 2 (of 2 total)
  • Mark (podz)

    (@podz)

    18 years, 6 months ago

    Where do you get this figure of 5000 ?

    The default password is 6 characters, each of which can be a-z + 0-9. That’s 36 characters ? The first pw character can therefore be any 1 of 36, and so can the next 5.
    So (1*36)+(1*36)+(1*36)+(1*36)+(1*36)+(1*36)=2176782336 permutations (or thereabouts). Somewhat more than 5000.

    And that assumes that people like me don’t go changing their passwords to random 16 characters.

    If someone wants to batter their way into my blog, I have no doubt at all that they can if they are determined enough. Security though is partly making what you have less attractive and more difficult than someone else.

    Thread Starter sandstrom

    (@sandstrom)

    18 years, 6 months ago

    5000 was taken out of the air, I think that value could be smaller or larger.

    as I have understood it the password is hashed using MD5, which has a total number of possible hashes. anything ran through the algoritm will output as any of the hashes, but 5000 might be terribly wrong, it could be 3,4028236692093846346337460743177e+38.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘security – passwordhash question.’ is closed to new replies.