Hacker News new | past | comments | ask | show | jobs | submit login

Isn't sending the SHA1 of a password over the web, such as via a DNS request, a bit insecure?



You're only supposed to send the first 16 characters of the hash, not the whole thing.


That's effectively the same thing. 16 hex characters is 64 bits. Most users have a password with much less than 64 bits of entropy. So for most users truncating the hash to 64 bits provides no benefit.


The sha1 doesn't live in the DNS request. DNS exposes the hostname requested, not the parameters of the URL.


It does not take SHA1 hashes.


It takes 64 bits of a sha1 hash, which is effectively the same as a sha1 hash for most users' passwords.


Except it's missing 96 bits (which is the vast majority) of the hash. So it's not a SHA1 hash.

Why do you think that most passwords are just in the first 64 bits of a SHA1 hash?


What is an attacker going to do with the hash? The attacker will try to crack it, to get the original password. As long as the user's password had at most 64 bits of entropy, it's just as easy to crack a truncated sha1 hash as a full sha1 hash. Truncating it has not harmed the attacker at all. The attacker doesn't care if it's a full sha1 hash or a truncated sha1 hash. The attacker just cares about cracking it.

>Why do you think that most passwords are just in the first 64 bits of a SHA1 hash?

I don't understand what you're trying to say. Are you asking why I think most passwords have less than 64 bits of entropy?

>According to one study involving half a million users, the average password entropy was estimated at 40.54 bits.

https://en.wikipedia.org/wiki/Password_strength#Human-genera...




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: