3

Do operating systems hash the log-in password?
What hash function is used in Windows XP, 7, 8,Linux Ubuntu, Debian, MAC Lion OS X ,...?
Where should I look to know these security considerations of an operating system?
Also is any hash function used in motherboard master password?
How about websites that require log-in passwords? Does it depend on the language which they are written with?
Does hashing prevent from all timing side-channels? I mean can you address some broken log-in modules?
Thanks

Zeta.Investigator
  • 133
  • 5
  • 1
    Welcome to IT Security! It looks like, intentionally or no, you've embedded several questions in this one post. Due to the Q/A format of the network we would be hard pressed to adequately address them. Have a look through the [FAQ] if you need some more information. Would you mind slimming this down and possibly splitting it up into several questions? – Scott Pack Aug 24 '12 at 17:15

1 Answers1

4

What hash function is used in Windows XP, 7, 8,Linux Ubuntu, Debian, MAC Lion OS X ,...?

To answer the linux/unix (e.g., ubuntu, debian, os X) part of the question, the crypt hashing algorithm is typically used (but is configurable). The standard is a salted (8 random alphanumeric character) hash that's key-strengthened about 5000 times using a simple cryptographic hash like sha256/sha512. Again, this is configurable; e.g., see a previous question.

For various versions windows, they use LM Hash and/or NTLM hash which may be encrypted while the user is logged in. See wikipedia for more details; I'm not a windows user.

Also is any hash function used in motherboard master password?

The BIOS is interesting; its so easy to reset a BIOS (remove CMOS battery without say getting the password) and difficult to otherwise read information that I've never really bothered to see how passwords are stored. According to this, sometimes they are just stored in plaintext, sometimes very weakly hashed using non-cryptographic hashing functions (like CRC-16 or a flawed implementation of it).

What about websites?

Totally depends on the configuration of the backend of the website. Sites I set up generally use bcrypt with strength factor (base-2 log rounds) of 12.

Does hashing prevent all timing side-channels?

No. Constant time string comparison of the stored hash to the hash of the inputted password prevents side-channel attacks. This is not guaranteed in all applications. I'm confident most linuxes have this implemented correctly; and some open-site websites and web frameworks definitely do this right. For example, reddit uses specifically the constant_time_compare used for comparing tokens as does django 1.3+, however django 1.2 used to use a simple string equality susceptible to timing-based attacks. Granted timing attacks are much easier to do on a local application than over a network (where a few nanosecond difference from a quick timing fail is hard to discern from random variations in network speeds).

Community
  • 1
dr jimbob
  • 38,768
  • 8
  • 92
  • 161
  • Thanks. Can you name some weak protocols that had been broken? Perhaps a paper or a link... – Zeta.Investigator Aug 24 '12 at 17:44
  • @PooyaMoradi - I don't know why I said protocol when I meant `crypt algorithm` and `hashing function`. Long week I guess. Anyhow, not all hashing functions are intended to be difficult to reverse or generate collisions; e.g., if you are using it to generate a hashmap. For a paper on reversing CRC-32 see: http://stigge.org/martin/pub/SAR-PR-2006-05.pdf – dr jimbob Aug 24 '12 at 18:44