WEBVTT

0
00:01.230 --> 00:08.410
The rainbow tables are fast and effective at cracking passwords because each password is hashed the

1
00:08.410 --> 00:12.460
same way. Hashes are in fact one way functions.

2
00:12.460 --> 00:20.440
For example if a hacker has a rainbow table with the hash of the password spatial player any user

3
00:20.440 --> 00:27.530
that has the same password will have the same hash and his password will be cracked as well.

4
00:27.670 --> 00:36.520
Since most people use common passwords or reused passwords it makes cracking an easy process. To solve

5
00:36.520 --> 00:37.680
this issue

6
00:37.730 --> 00:39.500
a salt is used.

7
00:39.640 --> 00:48.530
You can see here at the crackstation.net that it can crack only non salted hashes. Let's see what

8
00:48.540 --> 00:54.780
the salt. Instead of computing and saving the hash of the password

9
00:54.780 --> 01:02.760
the operating system will compute and save the hash of the password together with a salt.

10
01:02.760 --> 01:11.440
The salt is a randomly generated string for each password. The salt is not secret just the password is. 

11
01:11.430 --> 01:22.110
Let's take a look at the file that contains the hashes of the user's passwords in Linux. That's

12
01:22.140 --> 01:28.300
the shadow file from etc directory.

13
01:28.390 --> 01:32.520
This is an entry for a user and a password.

14
01:32.530 --> 01:38.580
This is the user, the number 6 is a code for the hash

15
01:38.580 --> 01:46.970
algorithm used, 6 means sha512, and then comes the salt.

16
01:47.160 --> 01:56.790
This is the salt, until the dollar sign. And then comes the hash of the password and the salt, until the

17
01:56.850 --> 01:57.920
colon sign, 

18
01:57.930 --> 02:06.450
until this point. The salt is randomly generated for each password but it is not secret like the

19
02:06.450 --> 02:07.630
password is.

20
02:07.680 --> 02:15.180
It is combined with the password and added to the hashing process to force the uniqueness of the output

21
02:15.180 --> 02:16.030
hash.

22
02:16.140 --> 02:23.060
In other words the same password will give different hashes because of this random salt.

23
02:23.250 --> 02:31.050
This mitigate passwords attacks like rainbow tables. If a hacker has found the clear text password from

24
02:31.050 --> 02:39.000
the hash all other passwords that part of the same are still secure because their hash is different.

25
02:39.000 --> 02:46.350
I've shown you a real example of two users that have the same password, but different hashes, in a previous

26
02:46.350 --> 02:51.380
lecture where I've also explained in detail how Linux system stores

27
02:51.390 --> 03:00.250
the passwords. In fact these are the users, user 1 and user to have the same password but 

28
03:00.250 --> 03:03.430
different hashes saved in the shadow file.

29
03:04.780 --> 03:08.370
The hash is unique because the salt is unique.

30
03:09.160 --> 03:15.070
I'd recommend you to watch that video again if you feel the need. Thank you.

31
03:15.110 --> 03:15.650
That's all!