A few small things. You might call this nitpicking. And, as I wrote, I found the technical details generally accurate.
> "Then there is also the fact that having a fully-fledged graphical desktop environment running in the background at all times is not quite optimal to say the least. 99 percent of the time when cracking passwords, you will be staring
at a black terminal filled with white text, so using Windows, which is especially GUI-heavy, is usually impractical unless you are specifically
testing something or showcasing some process."
I am reasonably sure that the Windows UI has rather little practical effect on hashcat's speed, and this thread implies the same: https://hashcat.net/forum/archive/index.php?thread-8958.html
Also, 99 percent of the time when cracking passwords, I am not staring at a black terminal filled with white text.
(I am generally taking it a little bit personally when the author directly addresses me and tells me what I am probably thinking or doing.)
> "Behind a hash function are a series of complicated mathematical operations that make deriving the input from the output literally impossible."
I'd argue that the mathematical operations themselves are usually not that complicated. More importantly, the whole book seems to be about ways to derive the (probable) input of a hash function from the output. It is not literally impossible.
> "It is important to note, however, that hash functions are not truly random;"
As the author writes elsewhere, hash functions are deterministic and not random at all. Calling them not truly random seems to imply that they are somewhat random.
> "When encrypting a file or any kind of data with AES for example, the program leveraging AES will prompt you for a password. Yes, a password."
Yes, this is a book about password cracking, but there are lots of cases where programs use AES with a computer-generated key and won't prompt you for a password. E.g., TLS.
(Just to reiterate: I am not trying to diminish the author's work, I wanted to suggest ways for improvement. I might be wrong or overly pedantic.)
> I'd argue that the mathematical operations themselves are usually not that complicated. More importantly, the whole book seems to be about ways to derive the (probable) input of a hash function from the output. It is not literally impossible.
I think you're not being pedantic enough here. "Probable" is doing some heavy lifting. And the phrasing is "derive the input," which I think is fair to say. The best you can do with a proper hash is discover one or more possible inputs, but you're not deriving them from the output; the output is just used to check the result. The many-to-one nature of a hash precludes determining the exact input.
Fair point. I was initially thinking about rainbow tables. Taking a hash and looking up associated passwords in a table feels like deriving to me - but I'm not a native speaker so I might have a wrong feeling here.
(It is obvious that one cannot directly derive the exact input - but one can derive potential inputs and then use other means to find the exact one.)
> (I am generally taking it a little bit personally when the author directly addresses me and tells me what I am probably thinking or doing.)
I think it's a canonical way to generalize the audience as in "99 percent of the time when cracking passwords, one will be staring at a black terminal filled with white text" just as in the German "man". So with that in mind maybe you no longer have a reason to be offended :)
I absolutely agree. There were no other comments on this post when I wrote my comment. Thus, I wanted to encourage the author and provide some constructive feedback in case nobody else would reply.
A few small things. You might call this nitpicking. And, as I wrote, I found the technical details generally accurate.
> "Then there is also the fact that having a fully-fledged graphical desktop environment running in the background at all times is not quite optimal to say the least. 99 percent of the time when cracking passwords, you will be staring at a black terminal filled with white text, so using Windows, which is especially GUI-heavy, is usually impractical unless you are specifically testing something or showcasing some process."
I am reasonably sure that the Windows UI has rather little practical effect on hashcat's speed, and this thread implies the same: https://hashcat.net/forum/archive/index.php?thread-8958.html Also, 99 percent of the time when cracking passwords, I am not staring at a black terminal filled with white text.
(I am generally taking it a little bit personally when the author directly addresses me and tells me what I am probably thinking or doing.)
> "Behind a hash function are a series of complicated mathematical operations that make deriving the input from the output literally impossible."
I'd argue that the mathematical operations themselves are usually not that complicated. More importantly, the whole book seems to be about ways to derive the (probable) input of a hash function from the output. It is not literally impossible.
> "It is important to note, however, that hash functions are not truly random;"
As the author writes elsewhere, hash functions are deterministic and not random at all. Calling them not truly random seems to imply that they are somewhat random.
> "When encrypting a file or any kind of data with AES for example, the program leveraging AES will prompt you for a password. Yes, a password."
Yes, this is a book about password cracking, but there are lots of cases where programs use AES with a computer-generated key and won't prompt you for a password. E.g., TLS.
(Just to reiterate: I am not trying to diminish the author's work, I wanted to suggest ways for improvement. I might be wrong or overly pedantic.)
> I'd argue that the mathematical operations themselves are usually not that complicated. More importantly, the whole book seems to be about ways to derive the (probable) input of a hash function from the output. It is not literally impossible.
I think you're not being pedantic enough here. "Probable" is doing some heavy lifting. And the phrasing is "derive the input," which I think is fair to say. The best you can do with a proper hash is discover one or more possible inputs, but you're not deriving them from the output; the output is just used to check the result. The many-to-one nature of a hash precludes determining the exact input.
Fair point. I was initially thinking about rainbow tables. Taking a hash and looking up associated passwords in a table feels like deriving to me - but I'm not a native speaker so I might have a wrong feeling here.
(It is obvious that one cannot directly derive the exact input - but one can derive potential inputs and then use other means to find the exact one.)
1 reply →
> (I am generally taking it a little bit personally when the author directly addresses me and tells me what I am probably thinking or doing.)
I think it's a canonical way to generalize the audience as in "99 percent of the time when cracking passwords, one will be staring at a black terminal filled with white text" just as in the German "man". So with that in mind maybe you no longer have a reason to be offended :)
It's awkwardly phrased and doesn't really say what it intends to (though, the meaning is obvious after reading it a second or third time).
As for it being imprecise, it doesn't talk about any specific software that has any compatibility issues. It dismisses the topic out of hand.
I do think we should keep in mind the age of the author, which still makes it a very impressive achievement!
There being room for improvement is both acceptable and expected.
I absolutely agree. There were no other comments on this post when I wrote my comment. Thus, I wanted to encourage the author and provide some constructive feedback in case nobody else would reply.
1 reply →