1

My application is written in C and the password is checked by obtaining the user's input and doing some string/math operation on each character, then the sum of each character ascii code is added up (to make it more difficult for crackers).

My question is: if a cracker has access to the EXE file and thus, can view the logic of my code from the assembly code, can they reverse the process and arrive at a password that can defeat the hash function?

I know that they will have to do some trial and error with millions of guesses, but can they arrive faster if they know how my hash function works?

Ahmad
  • 111
  • 2
  • sums are weak because 2+3 = 4+1 (aka a+d = b+c) and both would unlock the same lock. more keys unlocking the same lock means weaker lock security and faster guessing. – dandavis Dec 07 '16 at 16:46

1 Answers1

5

From the brief description of your hash function, yes, it's likely.

It shouldn't be, if it's a good system (for more on this, see Kerckhoff's Principle). But when you roll your own crypto, you are almost certainly going to do it wrong (see Schneier's Law). Please don't.

If you use a cryptographic hash function, then knowing the source is irrelevant, as the algorithms are all public and proven to be secure.

Also, merely hashing a password is not a proper way to store it. There is much more information on this topic on the third most-upvoted question on this site, How to securely hash passwords?.

Xiong Chiamiov
  • 9,402
  • 2
  • 35
  • 78
  • 1
    "proven to be secure" I think it'd be more accurate to say they _haven't_ been proven to be insecure. We have no proof that these algorithms are secure, we only know that a lot of really smart people have tried to break them and failed. – Ajedi32 Jan 10 '17 at 21:49
  • Good point. Depending on which algorithm you're looking at and how you define "secure", some of them *are* proven secure, but from a real-world perspective you're absolutely right in that we just don't know about any critical issues. – Xiong Chiamiov Jan 13 '17 at 19:50