Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why the most common prefix of hashed (SHA1) passwords is "00000"?

Tags:

algorithm

passwords

hash

sha1

I was reading a post in Troy Hunt's blog (https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/), about a feature called "Pwned Passwords" that checks if your password is in a database with more than 1 billion leaked passwords.

To do this check without passing your password, the client code hash it and pass just the first five chars of this hash, the backend returns all the sha1 hashes of the passwords that starts with the prefix that you passed. Then, to check if the hash of your password is in the database or not, the comparison is made on client code.

And he put some info about the data of these hashed passwords...

  1. Every hash prefix from 00000 to FFFFF is populated with data (16^5 combinations)
  2. The average number of hashes returned is 478
  3. The smallest is 381 (hash prefixes "E0812" and "E613D")
  4. The largest is 584 (hash prefixes "00000" and "4A4E8")

In the comments, people was wondering if the presence of this "00000" is a coincidence or is math...

Could someone that understands the SHA1 algorithm explain it to us?

like image 210
lmcarreiro Avatar asked Feb 22 '18 16:02

lmcarreiro

People also ask

What is sha1 in password?

In cryptography, SHA-1 (Secure Hash Algorithm 1) is a cryptographically broken but still widely used hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest – typically rendered as 40 hexadecimal digits.

What is the most important benefit of storing passwords as hashed values?

Using Basic Password Hashing Password hashing add a layer of security. Hashing allows passwords to be stored in a format that can't be reversed at any reasonable amount of time or cost for a hacker. Hashing algorithms turn the plaintext password into an output of characters of a fixed length.

Why is hashing password important?

Password hashing is defined as putting a password through a hashing algorithm (bcrypt, SHA, etc) to turn plaintext into an unintelligible series of numbers and letters. This is important for basic security hygiene because, in the event of a security breach, any compromised passwords are unintelligible to the bad actor.

1 Answers

Well, since the passwords originally come from data breaches, my best guess is that the password table in one of the breached systems was sorted or clustered by the (unsalted -- those are the kind of folks who get their passwords stolen) SHA1 hash of the password. When the system was breached, the attackers started with the "00000" hashes and just didn't make it all the way through...

Or maybe the list that Troy used includes the first part of an SHA1 rainbow table (https://en.wikipedia.org/wiki/Rainbow_table)...

Or something like that. The basic idea is that the SHA1 hash of the passwords was part of the password selection process.

like image 119
Matt Timmermans Avatar answered Sep 24 '22 23:09

Matt Timmermans
Sign in to Comment

Related questions

What makes table lookups so cheap?
Fast inverse square of double in C/C++
sine wave that slowly ramps up frequency from f1 to f2 for a given time
Given an array of best fit sizes , tell how many elements from the other array can be fitted(more details below)
About bubble sort vs merge sort
graph algorithm finding if graph is connected, bipartite, has cycle and is a tree
Understanding super fast blur algorithm
Quickly sort 3 values
Encoding byte data into digits
Most efficient way of randomly choosing a set of distinct integers
Algorithm to control acceleration until a position is reached
How can I interleave or create unique permutations of two strings (without recursion)
How to implement linked list with 1 million nodes?
How to generate a subdivided icosahedron?
Easiest way of checking if a string consists of unique letters?
Programming Technique: How to create a simple card game
How to avoid if... else and switch cases
Algorithm for maximizing coverage of rectangular area with scaling tiles
Algorithm for Tree Traversal
Detecting and adjusting for negative zero

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!