0

I'm investigating a login system that exposes (probably) hashed passwords.

Password: HTSr0MF8Ou4liOCUayXHDg==

The password is stored in base64 format. When I decode it, I get random 8 chars regardless of password length.

The characters consist of random unicode characters. So, I know it's not an algo that I know like md5, sha, pbkdf etc.

Now, I don't want to crack it if it's a home brewed hashing algo, but if it's generic I want to find out what it is.

So, is there an algorithm known that

  1. has 8 char fixed output
  2. output consists of random unicode chars
schroeder
  • 123,438
  • 55
  • 284
  • 319
John Doe
  • 5
  • 2

1 Answers1

2

When I decode it, I get random 8 chars regardless of password length.

With the given base64 of length 24 you get 16 bytes. These 16 bytes are 8 unicode characters only when interpreted as utf-16. When interpreted as utf-32 it would be 4 characters and when interpreted as utf-8 it would be a variable number of (possible invalid) characters.

But nothing in the base64 or in any context you provide indicates that it actually has to be interpreted as utf-16, i.e. this is probably only an (unfounded) assumption you make. It is more likely that these are just 128 bits without any specific structure, i.e. no unicode characters at all.

So, is there an algorithm known that a) has 8 char fixed output b) output consists of random unicode chars?

Again, the question is more if there is an algorithm which creates 128 seemingly random bits. Sure, it's a random generator. And another famous algorithm which has a 128 bit output is actually the MD5 hash.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424