Wikipedia:Reference desk/Archives/Computing/2018 November 23

Computing desk
< November 22	<< Oct | November | Dec >>	Current desk >

Welcome to the Wikipedia Computing Reference Desk Archives
The page you are currently viewing is a transcluded archive page. While you can leave answers for any questions shown below, please ask new questions on one of the current reference desk pages.

November 23

Password questions.

So I'm aware of 2 broad password concepts: where the server can easily send you your lost password back. I.e., it's stored in a file that just sends it to your e-mail. But the other is a more, encrypted version where the server can't send you your password back because it is a irreversible process, so it only resets the password. So I have 2 questions. For the 1st model, is it possible to make it such that the server admin personally can't view your password? And now, my 2nd question, which can be specifically be used on examples like Facebook. The server can't send you the password, only reset it. Does that mean that if 1 human sets up 50 bogus accounts, all with different unique e-mails and from countries all around the world - but they have 1 thing in common - they use the exact same password, does that mean the server (like Facebook) won't be able to detect this? Is it possible for them to detect if 2 accounts even have the same password? Thanks. 67.175.224.138 (talk) 05:50, 23 November 2018 (UTC).

For your first question, no, if the server has the passwords stored in plaintext, an admin with sufficient privileges can read them. You can make it more difficult for the admin, for example by encrypting the passwords, but the server must then have the decryption key stored somewhere and the admin can access that and decrypt the passwords herself. For the second question, if the password is hashed without salt, then if the same password is used twice the hash will be identical in both cases, so it would be easy for the server to detect it. But if salt is used, as it should be in most systems with reasonable security, then the server couldn't tell that the same password were used. However I'm not sure why anyone would care if two accounts used the same password. CodeTalker (talk) 20:55, 23 November 2018 (UTC)

Okay I'm a little beginner here, what's the difference between "if the password is encrypted" and "if the password is hashed?" Is there a "if the password is salted?" or is it "if the encrypted password is salted" vs. "if the hashed password is salted" Thanks. 67.175.224.138 (talk) 22:59, 23 November 2018 (UTC).

Hashing is an irreversible operation. Given a hash ${\displaystyle h}$ it is infeasible to determine (any) ${\displaystyle x}$ for which ${\displaystyle h=H(x)}$, assuming H is a good cryptographic hash function. This property is called preimage resistance, and is why passwords are usually hashed before storing -- even if an attacker gets a copy of the file containing the hashed passwords, he can't determine any of the actual passwords. Encryption on the other hand is reversible, if you know the decryption key. So if you are given ${\displaystyle e=E_{k}(x)}$ where E is an encryption function and ${\displaystyle k}$ is the key, and you are also given the decryption key ${\displaystyle k'}$ (which for a symmetric cipher will be the same as ${\displaystyle k}$), it is easy to determine ${\displaystyle x}$ by running the decryption algorithm: ${\displaystyle x=D_{k'}(e)}$. However, as I suggested above, encrypting stored passwords is rather pointless unless you have some way of protecting the decryption key, other than just storing it in another file. An attacker who gets a copy of the file containing encrypted passwords plus the decryption key can determine the actual passwords. Salting is not normally used for encryption, only for hashing. It greatly increases the difficulty of several types of attacks against the hash, such as dictionary attacks, rainbow table attacks, etc. as outlined in our Salt (cryptography) article. CodeTalker (talk) 00:44, 24 November 2018 (UTC)

Thanks CodeTalker for a great answer and saving me a load of typing.

One of my pet hates (I have worked in retail finance) is encryption of things that just shouldn't be stored at all. If it can be decrypted, chances are that it will get decrypted eventually by someone who shouldn't. It's much better to either not store them, or (if some provable record is needed) to use a provably irreversible technique, like salting and hashing. Andy Dingley (talk) 00:58, 24 November 2018 (UTC)

Wait so, both hashs and encryptions have a decryption key? Also, a hash + encryption is called an encrypted hash? Or cryptographic hash? By the way, on the arguments of dictionary attacks or brute-force attacks - whichever tries every possible password combination, don't most password systems have a 3-5 login attempts before shutting down the correct password? Thanks. 67.175.224.138 (talk) 00:58, 24 November 2018 (UTC).

• Hashes can't be decrypted. But they can be brute-force broken, especially if they're hashes of short data. Worst of all, it can be possible to generate a "code book" beforehand of all the possible values and their hashes. With such a pre-made code book, reversing the hash is a trivial lookup. Adding the salt defeats this (you'd need a separate code book for each salt value). Andy Dingley (talk) 01:01, 24 November 2018 (UTC)
• Attacking hashes doesn't need 3-5 attempts. It needs read access to the stored hashed versions (which it shouldn't get) and knowledge of the hash algorithm. With that, it can simply give an acceptable password first time.

It's not unusual (in weak systems) that many passwords overlap onto the same hash. But they system will accept any of these passwords (it's only comparing their hashes) and so the attacker still gets in.

It's also a fundamental principle that "security through obscurity" doesn't work. So keeping the hash algorithm secret doesn't work. It's bitter, practical experience that using well-published algorithms (which have been judged to be good) works better than inventing your own. Unless you are Bruce Schneier, that is. Andy Dingley (talk) 01:07, 24 November 2018 (UTC)

Did you just say it's possible for 2 different passwords to overlap into the same hash? So in reality, there could be multiple passwords that work for the system? Yikes. 67.175.224.138 (talk) 01:20, 24 November 2018 (UTC).

Having the same hash is called a collision. For a 128-bit hash function, it can happen by chance once every 2^128 = 340 billions of billions of billons of billions of times, i.e. never. (Hash functions are "strong" if no collision-finding method is much more efficient than "try a random string of characters, see if it works, retry as many times as necessary".) You might also be interested in challenge–response authentication, where the salt changes at every iteration and thus you actually need to know the password and not just a collision to get in reliably. Tigraan^{Click here to contact me} 14:05, 25 November 2018 (UTC)

Oh, maybe that concept is Md5 encryption. 67.175.224.138 (talk) 01:26, 24 November 2018 (UTC).

MD5 is hashing, not encryption (and it is not good cryptographic hashing, either). Tigraan^{Click here to contact me} 14:05, 25 November 2018 (UTC)

(EC) I'll try to answer this but I suggest you read the articles I linked to above. They will provide much more complete information than I can do here. Hashes do not have a decryption key. As I said, a hash is irreversible; you can't feasibly determine the original value given only the hash, and there's no key that would make it feasible. A cryptographic hash is just a "strong" hash. There are various types of simpler hash functions used in non-cryptographic applications which do not require preimage resistance or other characteristics of a cryptographic hash function. Dictionary attacks, rainbow tables, etc. are generally used to attack a FILE of hashed passwords which has been obtained by an attacker somehow, not against a live system, so any restrictions on login attempts wouldn't affect such an attack. CodeTalker (talk) 01:08, 24 November 2018 (UTC)

Telephones question.

Why is it (at least for flip phones) when you send a text message to a landline phone, you don't get some automated error message that so and so was a landline phone? Is it because the feature is not possible, or some other reason like arrogance? And back in 2008, if I sent a text message to a cell phone who has no text messaging service, I won't even get an error message (has this changed?). Thanks. 67.175.224.138 (talk) 17:06, 23 November 2018 (UTC).

At least in the UK, it may depend upon service provider, you CAN text a landline. It does a text->speech conversions and reads it to you. -- SGBailey (talk) 18:06, 24 November 2018 (UTC)

Just tried it here in Auckland. Got an automated message saying "Not sent. Tap to try again." My Prepay credit was not debited for the attempt. This was from an 022 cellphone to a different company's landline. Akld guy (talk) 22:05, 24 November 2018 (UTC)

• It's not possible to send a text message to "a landline phone" or "a landline network (at its simplest)". They just have no way to deal with such a thing.

If you send a text message to a modern phone network (we need an article on C21N), then they are capable of routing the message around the network, just not delivering it through the local loop (as such). And so they are able to recognise that the destination isn't capable of receiving it as text, and thus convert it to a voicemail message. Andy Dingley (talk) 23:09, 24 November 2018 (UTC)

Well, I was thinking, when you send a text message to a #, you have no way of knowing prior whether the destination # is a flip phone, smart phone, or landline telephone. So somewhere along the line when it realizes it's not a cellular phone, then what? 67.175.224.138 (talk) 00:52, 25 November 2018 (UTC).

• Also remember that this could be an international call, or there could be call forwarding involved. So the originating sub can't tell what sort of device the destination is. The international phone system is a very old, long pre-internet, example of a resilient network based around not assuming the abilities of the remote ends of it. So it's up to the local network to the destination, or at least the last 'smart' node of the destination network, to decide to switch from text messaging to voice messaging. Protocols like SS7 are used. Andy Dingley (talk) 01:00, 25 November 2018 (UTC)

"There is a message from mobile phone number digit by digit:" followed by the "message", but red only once or ignored if not supported --Hans Haase (有问题吗) 07:43, 25 November 2018 (UTC)

Screenshot on MacBook running ChromeOS key combo

I'm trying to find how to take a screenshot on a MacBook which is running ChromeOS. Any help would be appreciated.

Obviously the keyboard doesn't match the regular Chromebook keyboard. So it's been a challenge to find which keys to map to what.

Thanks! †dismas†|^(talk) 19:22, 23 November 2018 (UTC)

Note: I've tried Ctrl-Shift-F5. †dismas†|^(talk) 19:55, 23 November 2018 (UTC)

The usual combo is Shift-Command-4.--Shantavira|^{feed me} 20:31, 23 November 2018 (UTC)