Are Hash Codes Unique?

re: Are Hash Codes Unique?

Tarang Waghela — Wed, 10 May 2006 10:18:27 GMT

Interesting article and a nice read

Cheers

re: Are Hash Codes Unique?

Paul Watson — Wed, 10 May 2006 13:06:18 GMT

Interesting article, thanks Tom.

re: Are Hash Codes Unique?

Bryan St. Amour — Wed, 10 May 2006 16:26:28 GMT

I wonder why then, why many popular sites require a fixed password length instead of allowing a user to create a password of any length they want. It seems that it would be safer to remove the length rule as this way someone who is trying to brute force their way in will have a tougher time than if he knew that the password was always 6-10 characters long.

re: Are Hash Codes Unique?

Austin Lamb — Wed, 10 May 2006 16:52:44 GMT

A minor correction - SHA-256 is not a 256-byte hash, but rather a 256-bit hash (32 bytes).

re: Are Hash Codes Unique?

tomarcher — Wed, 10 May 2006 18:22:07 GMT

Paul: Thanks! I'm flattered that you read my stuff :) I'm hoping now that I'm a little more situated here at Microsoft that I can begin blogging much more.

re: Are Hash Codes Unique?

tomarcher — Wed, 10 May 2006 18:23:55 GMT

Austin: DOH! Thanks for the catch!

re: Are Hash Codes Unique?

tomarcher — Wed, 10 May 2006 18:27:42 GMT

Bryan: I'm in total agreement with you. On a related topic, TechNet has a great article on "security myths" and one thing they bring up is that the better way to protect yourself is NOT with "strong" passwords, but with *long* passwords.

http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx

re: Are Hash Codes Unique?

Bryan St. Amour — Wed, 10 May 2006 21:17:19 GMT

Wow, that was a really good read. Thanks for the link, Tom

re: Are Hash Codes Unique?

farshad — Sun, 14 May 2006 18:31:17 GMT

hi i downlaoded a version of vista (vista beta 1) but when I want to install it . i'd have an error written in this kind

the windows can't get the information of your disks

also i should mentione that i have sata2 hard

what's wrong with my system ?

re: Are Hash Codes Unique?

Albert Pascual — Mon, 15 May 2006 22:35:38 GMT

Always love reading your blog!

re: Are Hash Codes Unique?

Dan — Thu, 18 May 2006 17:30:48 GMT

Good reading Tom!. Security starts with the developer. It's been years since I did serious crypto work and I had actually forgotten about using salt values in stored password (though thanks to micrsoft I had been hashing them for many years). Great work!

re: Are Hash Codes Unique?

Swapnil Kocheta — Sat, 20 May 2006 13:41:20 GMT

Wow
Geek Stuffs
Quite amazing to read from the employee of ur dream company
nice work Tom

Great Article On Hashcode Uniqueness from Tom Archer

TheWebFarm Blogs — Sat, 20 May 2006 16:41:12 GMT

re: Are Hash Codes Unique?

Divya — Tue, 23 May 2006 08:17:59 GMT

Tom, Great piece of information.
Couldnt find it anywhere on the net so clear.

re: Are Hash Codes Unique?

GothicChessDotCom — Wed, 24 May 2006 06:52:29 GMT

In the chess world, positions being searched are hashed as a chess program "thinks." If a position that has already been evaluated arises again, via a different move order for example, a program need only access its hash table (in RAM) to extract the score for that position, saving the redundant and time consuming call to the evaluation function.

Even in the 32-bit world, a hashed chess position (32 bits) and a hash key (another 32 bits) will be able to avoid "hash collisions" (a different chess position generating the same hash information) almost forever, or 1 time in 2 to the 64th trials. Even with programs searching 10 million positions per second, you would be able to "survive" without a hash collision for:

18,446,744,073,709,551,616 ÷ 10,000,000 ÷ 86,4000 ÷ 365 = over 5800 years, on average.

But, in a computer vs. computer chess tournament in 2005, one program did make a catastrophic blunder, and, as it turned out, this was a result of a hash collision that had 64-bits worth of safety.

This goes to show one of the consequences of Quantum Mechanics: If you wait long enough, anything that can happen, will happen.

re: Are Hash Codes Unique?

Nathan — Wed, 24 May 2006 14:29:38 GMT

Unfortunately, with the easy of use and scalability of free databases, there are more than one site that actually have several computers churning non-stop generating and inserting MD5 hashes so you can just type in an MD5 hash and it spits out the values if it has been generated. MD5 hashes of 9 out of 10 of my past passwords came up when I entered them... It makes using salted hashes all the more important.

re: Are Hash Codes Unique?

kbrowder — Sat, 27 May 2006 05:11:49 GMT

Great article, good summary of basic hash security. Salting was particularly interesting, many refrences forget about it. At one point I read an article about using the hash of the passphrase (usually with a very fast and small hashing algorithm) as the Salt and then hashing the end resault (with a better hashing algorithm). The author hypothesized this process would make it less feasible to brute force using the hash expecially since the algorithm can be called on the hash itself. I'm not sure about the validity of the mathmatics behind this technique but it sounded interesting, whish I had the link. The final product would look something like this:

result = hash(
"PASSWORD"+
hash("PASSWORD")+
hash("PASSWORD"+hash("PASSWORD"))+ hash("PASSWORD"+hash("PASSWORD")+hash("PASSWORD"+hash("PASSWORD")))+
...);

basically there would be many salts that are all dependent on each other, assuming the algorithm is safe it seems like it would be more secure since to the attacker the salt bits would be semingly random. Interesting stuff.

re: Are Hash Codes Unique?

whattheheck — Fri, 16 Jun 2006 01:59:37 GMT

> TechNet has a great article on "security myths"
http://www.microsoft.com/technet/technetmag/issues/2006/05/SecurityMyths/default.aspx

Good article, but they blew it by not recognizing that forced timed password changes weaken security.

After arguing that the policy of the forced password changes could be set to every 1,900,000,000,000 years without risking security, then they set it to 90 days.

Why? Clearly, the author just really likes annoying users, since he readily admits this serves no useful purpose. That MUCH longer periods (much more than a lifetime) would still be secure.

Forcing users to pick new password every 90 days likely results in increasingly weaker (including shorter) passwords each time.

re: Are Hash Codes Unique?

rape stories — Tue, 20 Jun 2006 10:44:38 GMT

Your article is prety nice. It's a pity that i didn't see it more later.

re: Are Hash Codes Unique?

Jeremy Madea — Tue, 20 Jun 2006 18:20:48 GMT

Another minor correction... you wrote: "the MD5 hash function always generates hash codes that are 32 bytes in length, the SHA1 hash function generates 20-byte hash codes".

Actually, MD5 results in a 16 byte (128 bit) hash code. The confusion probably came about because that works out to 32 characters when represented in hexadecimal.

SHA1 is indeed 20 bytes, or 160 bits, or 40 chars in hex.

re: Are Hash Codes Unique?

Bryan — Wed, 21 Jun 2006 13:39:39 GMT

re kbrowder's comments -
Pulling the user passphrase into the hash causes problems win the passphrase is changed or missing, but is otherwise a good step. The second algorithm is no more secure than the original since each additional password hash is determined. Coding that assumes that someone does not know the algorithm almost always fails.

re: Are Hash Codes Unique?

Mian Kamran Yousaf — Thu, 13 Jul 2006 07:26:46 GMT

Interesting and useful

re: Are Hash Codes Unique?

Sudheendra Nadager — Thu, 20 Jul 2006 14:59:07 GMT

Tom, Great piece of information.....

www.Ipfreaks.com - Get amazing Dreamscene videos » Are Hash Codes Unique?

www.Ipfreaks.com - Get amazing Dreamscene videos » Are Hash Codes Unique? — Sun, 11 Feb 2007 05:03:01 GMT

PingBack from http://ipfreaks.com/dreamscene/?p=43