13 comments

[ 3.4 ms ] story [ 23.2 ms ] thread
Since hash functions are fixed-length, aren't there always infinitely many collisions and therefore passwords which would work?
Unless it's invertible.
Hash functions can't be invertible due to pigeonhole principle, as there are more possible inputs than possible outputs for a fixed-size hash.
In theory yes, but finding SHA1 collisions is nontrivial. shattered.io has one, but they used up quite a bit of compute to get it.
It’s an interesting but mostly useless finding cuz The hash is also incredibly strong password
(comment deleted)
The article seems to be very repetitive in the way it explains things, but TL;DR:

> When producing password-protected ZIP archives with AES-256 mode enabled, the ZIP format uses the PBKDF2 algorithm and hashes the password provided by the user, if the password is too long. By too long, we mean longer than 64 bytes (characters), explains the researcher.

So the first accepted password would be the overly long one, and the second accepted password is the ASCII representation of the SHA1 hash of that long password. The researcher used a modified version hashcat to get a password which SHA1 hash is also ASCII.

The same thing is true of Zoom meeting passwords. When you share a URL to a meeting with a password, a hashed version of the password is included in the URL. That hash works the same as the password. You can manually type it in the password box when joining the meeting and it will let you in.
I didn't probe it that deeply as it was just a single device I need to backdoor.. but Apache tomcat appears to suffer from this. The configuration format doesn't have a prefix for hashed passwords, so just using the hash as a plaintext password worked to get access to the devices "super admin" menu.
In Zoom's case this seems to be working as intended. Clearly you are intended to be able to join the meeting with only the hashed password, that's what the sharing URL feature is for. It's probably more of an obfuscation feature, so people don't file angry bugs about how Zoom URLs reveal the plaintext of their terrible reused password.
Interestingly, it seems like it was nontrivial to come up with this example. They’re looking for a phrase which has a SHA-1 hash that is entirely composed of alphanumeric characters. The odds of a randomly chosen phrase having this property is (62/256)^20, or approximately 2^-40 - that is, on average, you’d have to test around 2^40 phrases to find a suitable one.

There are 13 digits in the phrase; assuming all of them can be freely chosen, that’s 43 bits of entropy. Just enough to find one example.

This is true for all passwords due to pigeonhole principle.
Maybe the NSA has figured out the equivalent for other encryption methods?

Also, why is SHA1 being used instead of SHA2?

By the way, SHA1 and SHA2 were designed by the NSA.