Can IPFS crack passwords (i.e. help an attacker guess a password of which only a hash is known)?

From @Mithgol on Tue Sep 15 2015 12:51:18 GMT+0000 (UTC)

(inspired by Greg Slepak)

Yes: if a known hash is a multihash and if a text file containing the password (and only the password) was ever published, then a mere IPFS lookup will return the password in plain text form.

Even if the login’s owner has never published the password, such a file may eventually be published by someone else.

Update: no, the hash is actually more complex; see below.


Copied from original issue: https://github.com/ipfs/faq/issues/37

From @jbenet on Tue Sep 15 2015 15:34:08 GMT+0000 (UTC)

Actually no, the plaintext file is wrapped with metadata so the hash changes.

And this is silly:

> Even if the login’s owner has never published the password, such a file may eventually be published by someone else.

If someone deliberately puts the pwd out like that, they could just as well tweet it out and tag you personally.

Maybe ask first before asserting one way or another?

From @Mithgol on Tue Sep 15 2015 16:25:54 GMT+0000 (UTC)

> the plaintext file is wrapped with metadata so the hash changes

Sorry, I’ve misunderstood the dependence of that hash on the file’s contents.

I’ve edited my original (wrong) answer and added a strikethrough to indicate the misunderstanding.

By the way, what are the elements of metadata that affect the hash?

For example, does the hash change if a file is renamed?

From @Mithgol on Tue Sep 15 2015 16:32:38 GMT+0000 (UTC)

…I’ve just `ipfs add`ed two equal files and got two equal hashes, so the metadata must be something else, not the name.

From @whyrusleeping on Tue Sep 15 2015 16:39:58 GMT+0000 (UTC)

if you do

```
echo "hunter2" | ipfs add
```

you will not get the hash of `hunter2`, you will get the hash of the merkledag protobuf containing the data `hunter2` (plus some unixfs framing)
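The framing described in the comment above, as an added example that is not part of the original thread or of the IPFS code base: it builds the dag-pb/UnixFS bytes by hand and hashes them next to the bare content. It assumes the classic `ipfs add` defaults (sha2-256, base58 CIDv0, no raw leaves) and content that fits in one 256 KiB chunk; all function names are hypothetical. The result depends only on the content, which matches the observation that two equal files get equal hashes.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
CHUNK = 262144  # assumed default chunk size; larger files become multi-node DAGs

def varint(n):
    """Protobuf unsigned varint encoding."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | (0x80 if n else 0))
        if not n:
            return bytes(out)

def base58(data):
    n, s = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        s = B58[r] + s
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + s

def sha256_multihash(data):
    """base58(0x12 = sha2-256, 0x20 = 32-byte digest, digest)."""
    return base58(b"\x12\x20" + hashlib.sha256(data).digest())

def unixfs_file_node(content):
    """dag-pb node holding one UnixFS file chunk (this example's scope only)."""
    if not 0 < len(content) <= CHUNK:
        raise ValueError("example covers non-empty single-chunk content only")
    size = varint(len(content))
    unixfs = (b"\x08\x02"                  # field 1: Type = File
              + b"\x12" + size + content   # field 2: Data
              + b"\x18" + size)            # field 3: filesize
    return b"\x0a" + varint(len(unixfs)) + unixfs  # PBNode field 1: Data

def ipfs_add_hash(content):
    """Hash of the wrapped node, not of the content itself."""
    return sha256_multihash(unixfs_file_node(content))

if __name__ == "__main__":
    pw = b"hunter2\n"  # echo appends the newline
    print("multihash of bare content:", sha256_multihash(pw))
    print("hash of wrapped node:     ", ipfs_add_hash(pw))
    print("wrapped bytes:            ", unixfs_file_node(pw).hex())
```
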

From @Mithgol on Tue Sep 15 2015 16:40:37 GMT+0000 (UTC)

Ah, I see. I get it. It’s not even a hash of that file’s content. It’s a hash of an object that has links and blocks and whatnot.

From @jbenet on Tue Sep 15 2015 17:58:34 GMT+0000 (UTC)

yep, thanks for editing :smile: :+1: