Larry Ullman's Book Forums

Password_Hash() Just A Question On It



So it seems like when you hash a password, the hash is a constant related to the password.

So, if Amazon.com hashes the user password "mysecretpw99" and the hash is:

1209j09j0939h480h2389g4h9823g4

And then Yahoo.com hashes the same user password "mysecretpw99", then the hash will be:

1209j09j0939h480h2389g4h9823g4

Is this correct?

If so, wouldn't it be easy to build a database of potential password combos, hash all of the combos, then have a database filled with hashed values? Then compare those hashed values to the actual hashed passwords that users are using on various websites (assuming the hashed values can be found). Just curious if this is how it works.

Are there other techniques available to scramble the hashes or is this not effective or not necessary?


I think it depends on how you're trying to hack a password. If you're going through a normal web interface, then you would never enter a hash directly. You would enter a regular password, and that would then be turned into a hash and compared to a hash in the DB on the back-end.

If, somehow, you got access to a whole DB of hashed passwords, then yes, you could potentially do what you suggested, which is akin to a dictionary attack, which is a popular technique for trying to crack passwords.

Anyway, I think (and I could be wrong) that a lot of password hashing algorithms these days take the time into account when hashing the password, and somewhere within the hash itself is a key hidden to retrieve that time so that at any later time, you can check that the hash you're creating for confirmation purposes matches the original hash when it should.

Honestly, I don't know though.

The whole password hashing industry is an incredibly complex one with a deep history that's probably worth reading about.

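An added example, not from either post above, Larry Ullman's books, or PHP itself, that illustrates both the question (does the same password hash the same everywhere, and does a precomputed table of hashes then work?) and the answer's point about something being "hidden" in the stored hash. It uses Python's standard library: an unsalted SHA-256 digest plays the role of the naive scheme in the question, and a salted, iterated PBKDF2-HMAC-SHA256 digest plays the role of a modern password hash. The candidate password list is constructed for the demo, and the `pbkdf2$iterations$salt$digest` storage format is an assumption of this example, not PHP's `password_hash()` format.

```python
import hashlib
import hmac
import os

# Constructed sample input: the password from the original question.
PASSWORD = "mysecretpw99"


def unsalted_hash(password):
    """Plain SHA-256 of the password.

    Same input gives the same digest on every site, which is exactly
    what makes a precomputed lookup table useful to an attacker.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precompute digest -> password for a list of guesses.

    This is the 'database of hashed combos' from the question, kept
    tiny here so the demo runs instantly.
    """
    return {unsalted_hash(p): p for p in candidates}


def salted_hash(password, salt=None, iterations=100_000):
    """Salted, iterated hash: PBKDF2-HMAC-SHA256.

    A fresh random 16-byte salt is drawn per call, so two sites (or two
    users on one site) storing the same password end up with different
    strings. The salt and iteration count are stored alongside the
    digest; the storage format below is this example's own (assumed),
    not PHP's.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_salted(password, stored):
    """Recover salt and iterations from the stored string, recompute, compare.

    This is the part the answer above is reaching for: nothing secret is
    'hidden' in the hash; the salt is stored in the clear next to the
    digest so the check can be repeated later. The comparison is done in
    constant time to avoid leaking where the digests first differ.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2":
        return False
    _, iterations, salt_hex, digest_hex = parts
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


def demo():
    """Run the scenario from the question and return the observations."""
    # Constructed guess list for the lookup table.
    candidates = ["password", "letmein", "mysecretpw99", "qwerty"]
    table = build_lookup_table(candidates)

    # "Amazon" and "Yahoo" both store the unsalted digest: identical, and found in the table.
    amazon_unsalted = unsalted_hash(PASSWORD)
    yahoo_unsalted = unsalted_hash(PASSWORD)

    # Both store a salted digest instead: different strings, table lookup fails, verification still works.
    amazon_salted = salted_hash(PASSWORD)
    yahoo_salted = salted_hash(PASSWORD)

    return {
        "unsalted_identical": amazon_unsalted == yahoo_unsalted,
        "table_hit": table.get(amazon_unsalted),
        "salted_identical": amazon_salted == yahoo_salted,
        "table_hit_salted": table.get(amazon_salted),
        "verify_ok": verify_salted(PASSWORD, amazon_salted) and verify_salted(PASSWORD, yahoo_salted),
        "verify_wrong": verify_salted("mysecretpw98", amazon_salted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %s" % (key, value))
```

PHP's `password_hash()` does the same thing with bcrypt by default: the returned string carries the algorithm identifier, cost, and a random salt together with the digest, and `password_verify()` reads the salt and cost back out of that string to recompute and compare. That is why the same password hashed on two sites, or twice on one site, does not produce the same stored value, and why a table of precomputed hashes has to be rebuilt per salt, which is the point of salting.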
