You can complete these exercises in JavaScript or Ruby.
- If you're using Ruby, refer to these RubyDocs:
- If you're using JavaScript, refer to these NPM libraries:
We'll provide timing constraints on the board. If you're moving quickly and feeling confident, complete the Extension questions. But if you're not, make sure you complete all the non-Extension exercises first.
You've done some hash building in the physical space. Let's practice doing it with the machine.
- What is the MD5 digest of the string "Hello, World!"?
- What is the SHA-256 digest of the same string?
- Repeat both the MD5 and SHA-256 hashing after removing the exclamation mark from the input. What do you notice about the output?
Feeling good about hashing? Try answering these questions:
- Which algorithm (MD5 / SHA-256) is faster? Can you prove it using a dataset of at least 100 inputs and calculating the percentage speed difference?
- Is the percentage difference consistent if you increase the size of each individual input data by 100 times?
- Is there a scenario where you'd want to intentionally choose a slower algorithm? Why?
Hash functions are one-way functions, which is useful in security, but they are not foolproof.
Say you hack into my application and are able to retrieve all my users' hashed passwords. You find that the account with username boss@example.com has this hashed password:
3e40106b8f4332e18d76e94124d9c82a
Based on the length of the digest, you guess it's MD5. You know that some users, particularly bosses, are lazy and they do dumb things like re-use their 4-digit ATM PIN for their password. But the application required a password of eight digits, so they might have repeated the PIN.
- What's this user's password?
- Would the user have been "more secure" if they used eight letters rather than eight numbers?
A "rainbow table" makes this reverse engineering much faster.
- Can you generate a CSV file that has two columns, where the first column contains all possible 8-digit codes following the 4+4 rule above and the second column has the MD5 digest for that input?
- If you now have an MD5 digest for an input that is expected to follow the 4+4 rule, how long does it now take you to "crack" a password?
- Could you generate the same file for all the words of eight or more letters in the dictionary? (hint: you have a text file dictionary on your filesystem at /usr/share/dict/words)
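To make the trade-off behind the slower-algorithm and lookup-table questions concrete, here is an added Ruby example (not part of the original worksheet) that compares an unsalted MD5 table with a salted, slow hash. It uses a constructed sample password rather than the digest above; the helper names, the 16-byte salt and the PBKDF2 iteration count are assumptions for the demo.

```ruby
require 'digest'
require 'openssl'
require 'securerandom'

SAMPLE_PASSWORD = '48214821' # constructed sample, not the password from the exercise

# Every password the 4+4 rule allows: a 4-digit PIN written twice (10,000 in total).
def four_plus_four_candidates
  (0..9999).map { |n| format('%04d', n) * 2 }
end

# Precomputed table for unsalted MD5: hex digest => password.
def build_md5_table
  four_plus_four_candidates.to_h { |pw| [Digest::MD5.hexdigest(pw), pw] }
end

# Salted, deliberately slow hash (PBKDF2-HMAC-SHA256), hex-encoded.
# The iteration count is an assumption chosen for this demo.
def slow_hash(password, salt, iterations = 100_000)
  digest = OpenSSL::Digest.new('SHA256')
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, 32, digest).unpack1('H*')
end

# Seconds taken by the block, measured with a monotonic clock.
def seconds
  start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  yield
  Process.clock_gettime(Process::CLOCK_MONOTONIC) - start
end

if __FILE__ == $PROGRAM_NAME
  table = nil
  build = seconds { table = build_md5_table }
  puts format('table of %d digests built in %.3fs', table.size, build)
  puts "unsalted MD5 lookup: #{table[Digest::MD5.hexdigest(SAMPLE_PASSWORD)].inspect}"

  # Two users with the same password get different stored values.
  salt_a = SecureRandom.random_bytes(16)
  salt_b = SecureRandom.random_bytes(16)
  stored_a = slow_hash(SAMPLE_PASSWORD, salt_a)
  stored_b = slow_hash(SAMPLE_PASSWORD, salt_b)
  puts "same password, same stored value? #{stored_a == stored_b}"
  puts "salted value found in table? #{table.key?(stored_a)}"

  # Without a reusable table, every candidate must be re-derived per salt.
  per_guess = seconds { slow_hash('00000000', salt_a) }
  puts format('one guess: %.3fs, all 10,000 candidates: ~%.0fs per user', per_guess, per_guess * 10_000)
end
```

The table is built once and reused against every unsalted digest, while the salted hash forces the full candidate list to be recomputed for each user at the per-guess cost printed on the last line.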