Mi Mi haaru haaru haaru kihineh adhives I have never ate thag saan i hope so too so too much yoh can you deliver a big big big big answers are are we gonna do you know know know know how many pounds in a business question and i i saw that you get a chance to make vanilla ice cream is a language and its
I completely agree, I watched so many videos trying to understand why SHA would even be used, and none of them answered it until I watched yours. And you had fantastic content through the whole video as well, so thank you.
You earned a sub. I really love the way you explain what hashing is and even gave an example on how to use it for storing passwords. I didn't even notice that it was almost 20 minutes that I was listening to your lecture. 10/10 would recommend this channel to other people again.
I had the same thing. At first I thought that this video is veeeery long. But the end come much sooner that I had hope for. Very useful information without any stupid nonsense and intros
Showing how the birthday problem is a hashing algorithm computation more directly allowed me to finally make the connection I needed. I've almost finished my applied math undergrad and com sci undergrad and no one explained these concepts so clearly! Maybe I just needed to see it presented differently, but this worked wonders for me to link my math to it.
This is a great video! Your explanation is very to the point without any fluff and presented in a way that doesn't make me wander to the next video. Thank you for the information in such a presentable way!
@16:35 I would like to disagree about "salt" Salt is technically speaking a compound that can bind either positively charged ion or negatively charged ion except hydroxide ion (OH-) and hydrogen ion(H+). In some field salt is used as a mode of transport through bonding with adjacent ions. When the condition is right, the bonding will broken down and release the appropriate content. One example is calcium carbonate. When dissolved with hydrochloric acid, calcium is released from carbonate ions. So imagine this analogy to the hashing it is quite similar.
Thanks for the video Professor. Very clear explanation to follow. Hashing technique was particularly useful for us in de-duplicating big data sets. Have shared it in a video.
Appreciate the detailed breakdown! Just a quick off-topic question: I have a SafePal wallet with USDT, and I have the seed phrase. (alarm fetch churn bridge exercise tape speak race clerk couch crater letter). How should I go about transferring them to Binance?
8:16 I have a question: Lets say the password is p="hello" and the salt is s ="42" so p = p+s = hello42 now if I hash("hello42") = h1 I will get a different hash result as when I would hash("hello") = h2 right? I would safe the with (random)salt generated hash h1 in my database. Now on a different day, the user wants to login into my webpage. he uses the password "hello", my code adds a random salt to it and hashes it (because its random it wouldnt be again 42, lets say this time the salt is s=11). So the new hashed password would be hash(hello11) and if I compare it with the hash("hello42) in the database I would not get a hit. How can I find the hash in the database if I use every time different salts for the same password?
The random hash value is chosen when the password is created. The seed and the hashed password are both stored in the database. There is not a new seed for each login attempt.
@@shadsluiter Nothing in particular. I know about using check sums to verify a file's integrity, and I was curious how it works. You also give a lot of contextual additional information, such as what rainbow tables are and why md5 is to be avoided, which was really helpful.
So in other words, whenever a service tells me that my new password is “too similar” to my old password, they aren’t hashing my passwords and basically fucking me over?
@@weltrepublik But if a password is changed by even a single letter and the hashes come out completely different, then they should have no way of knowing that's it is similar. Thus they must be saving my plain text password in order to compare. Doesn't sound like they are defending me at all.
@@Applest2oApples it's not that they're neccessarily saving it as plain text, but to make it harder to brute for hackers. fx. most people use the same password on every site, so say a hacker gets your password from another not so secure site, but doesn't exploit it in a way you notice, he now has access to everything you have. now X time later, your pasword gets "expired" on a site, and you change it to something similar, then the next time the hacker tries to login to that site, he will be denied. Now instead of starting to brute force your new password from scratch (A-Z), almost all hackers will start brute forcing through variations of the old password instead, because most people are lazy, so there's a high propability, that only 1 or 2 letters have been capitalised, or changed and etc.... so just changing a few letters will make the hackers use relative short time to brute your "new" password" (from minutes to a few days), where a totally new password will force them to start from scratch, which means the hacker basically have to be incredibly lucky to crack you new password, as long as you use somewhat secure passwords (upper and lower case, numbers and special chars, and a good lenght) the above example is also why it's important to use different passwords for each "important" site you use, and not just variations... hope it made it somewhat clearer :)
@@jankastbjerg4017 the fact that a password is similar to a previous one is besides the point, the point is the website knows what your password is, and doesn’t only have it’s hash saved
the common practical way: 1) encrypt+hash+salter 2) Data send through encrypted package 3) Unencrypt the received data 4) Check on the hash and token should return valid/true. 5) do the things... Regarding MD5, shouldn't really use it, if still insisted, must merge with add-on unique hashing algorithm to generate the only unique result. In reality, there are still tons of systems still using the MD5 hashing basis but they modified with other unique hashing algorithm.
Awesome video. New stuff learned. But I don't understand everything. What's wrong with md5? There are rainbowtables. Why not just add let's say SHA-2 hash next to md5 hash of those passwords? And what about salt? Where salts are stored on server? Special datatbase? Is there unique salt for each user? If hackers can steal password db what's the problem with stealing salts? Just extra steps which are not guarranteed to be successful?
@@shadsluiter Well, I am a Network Engineer and Linux Engineer, I am currently exploring blockchain infrastructures, cryptocurrencies and IPv6, all of them require security. Do you broadcast live via UA-cam from time to time?
@@5gun1 here is the process of SHA256 (hashing technique used for mining bitcoins and ethereum) ua-cam.com/video/f9EbD6iY9zI/v-deo.html The complexity of it makes it nearly impossible to reverse.
Excellent video and explaining the technology. However, I have a situation where I don't know how I would adapt the concepts you explained because the scenario is slightly different. Your example works interactively by comparing user passwords with stored hash values. My scenario is for an automated process (no user interaction at all) and the credentials are self-contained in the program package. These must not be known to the user or anyone who can get a hold of the file(s) containing them. Here is a live example … We have a company application that requires administrative rights to execute but our users only have standard Windows user permissions. I repackaged the application into a single EXE executable script to conceal the admin credentials that are included in the script code. However, I discovered that compiling the script is not enough because the EXE file can be decompiled or someone can use other programs to see the contents. How can I adapt the concepts you explained in your video this my scenario? I need to be able to execute a self-contained application package locally (no network or internet resources) and with specific credentials while protecting said credentials from the local user or anyone who might get a hold of the EXE file containing the credentials. The application needs to use these credentials at run time to perform its tasks. Your insight is most appreciated.
You are correct in assuming that anything you embed in an EXE file is essentially open source and viewable. Even a hashed password embedded into an EXE is not helpful because the hacker can disassemble and use the hashed credentials without knowing what the exact password is. The issue is that your setup conflicts with the Windows security concept. An program (executed by a non-admin user) needs to be escalated in order to run with administrative privileges. The UAC prompt and escalate are the only ways to accomplish that. You could now carry out some or all of the following: - Determine the exact cause of the app's needs and devise a solution. - Turn off UAC. - Give users administrative rights on their PCs. I would personally begin with the first suggestion above. What is missing from the application that it needs? Does it have to write to a disk area that is normally secured? For instance, into a C:Program Files subfolder? If so, you can provide non-privileged users access to the folder or files it needs to access by opening their security settings. Does it have to make changes to the register in a secure area? the same as above Set the user's access rights so they can read and write to that or those registry locations (s). Just so you know, successful installers in the current UAC-based security paradigm frequently follow the pattern I just mentioned. The installer is elevated to enable these tasks, after which the application can operate for that user and access the resources it requires.
Thank you so much for your quick response. The information that you shared will be helpful in setting up application installations as you mentioned. I guess I was too vague in my question to you because I thought the solution would be sufficient to tackle both main scenarios that we have in our environment since they are so similar. I should also mention that I can do some scripting but I’m not a software developer. If you would be so kind to share your insights, I would like to be more specific in the following scenario: I have an automated reporting process that does file transfers between a local machine to an Amazon AWS S3 online folder. The Amazon user account provides an “Access Key” string and a “Secret” string of characters which I can use like a username and password with an external utility called “S3.exe” to do file operations. The main script that runs automatically in the background, without user knowledge or interaction passes these embedded login strings as command-line arguments to the “S3.exe” utility which carries out the file operations. I’m looking for a way to keep these login strings that are in the main script protected since they need to be available on the local machine when the process runs. I am considering a few different ideas like keeping the login strings in a separate file from the main script, or in the registry somewhere. Maybe use as an encryption password (or salt) something that is unique to the computer hardware so that the encrypted file is tied to the individual machine. Or maybe a way I can rotate encryption information as to make it more difficult. I don’t know. I have been pulling my hair for weeks trying to figure out how to best resolve this issue since IT Security is putting some pressure on me and wants to shut down my project. Any thoughts are most appreciated.
Very good video. That said, I don't think it is accurate to say that increasing the hash length reduces the chance of a collision to "absolutely zero." Certainly the probability of a collision occurring would be incredibly low, but people still get struck by lightning even though the probability of that occurring is vanishingly small.
Would it be fair to say that a 100-character hash is way less likely to go through collision when compared to people being struck by lightning, which is a 1 in 60,000 chance scenario? The exponentiality is vastly different, no?
Thank you for the great video! I found it really helpful! I have one question regarding the fraud using hash function collisions. How can an attacker "take" the signature of the original document and transfer it to the document prepared for fraud if we talk about a digital signature using private/public keys?
![Lp. Сердце Вселенной #60 РОЖДЕНИЕ ЛОЛОЛОШКИ [Финал] • Майнкрафт](http://i.ytimg.com/vi/YoR0pAV9FVQ/mqdefault.jpg)
Eloquent but simple. All the hashing vids that I watched before this were so confusing. You did a wonderful job, thank you so much!
You're very welcome!
Saya manma aa dheytherey and then read this is
Mi Mi haaru haaru haaru kihineh adhives I have never ate thag saan i hope so too so too much yoh can you deliver a big big big big answers are are we gonna do you know know know know how many pounds in a business question and i i saw that you get a chance to make vanilla ice cream is a language and its
I completely agree, I watched so many videos trying to understand why SHA would even be used, and none of them answered it until I watched yours. And you had fantastic content through the whole video as well, so thank you.
The fact that I can listen to a programming professor for free is incredible
You earned a sub. I really love the way you explain what hashing is and even gave an example on how to use it for storing passwords. I didn't even notice that it was almost 20 minutes that I was listening to your lecture. 10/10 would recommend this channel to other people again.
I had the same thing. At first I thought that this video is veeeery long. But the end come much sooner that I had hope for. Very useful information without any stupid nonsense and intros
Well laid out. Easy to understand. Your voice wasn't monotone. Thank you. Good video.
Glad you liked it! What other things are you studying lately?
Loved the way you simplified everything! Great work
This in one of the simplest and perfect explainations that i have ever seen in my life
Really enjoyed this presentation, very clear and easy to understand. Great Job. I am subscribing!
I wish I have found this channel earlier. It's much clear and precise compared to the many hyped 'super programmer' UA-camrs.
This lecture is golden!!
Helped me clear a lot of basics and really understand the concepts!
Showing how the birthday problem is a hashing algorithm computation more directly allowed me to finally make the connection I needed. I've almost finished my applied math undergrad and com sci undergrad and no one explained these concepts so clearly! Maybe I just needed to see it presented differently, but this worked wonders for me to link my math to it.
My english is not that good but i did understand almost everything. Thank you sir. Greetings from Morocco
This is such an amazingly created video. Thanks for covering the multiple related aspects in one crisp video.
This is my first time watching one of your videos and I loved your teaching style. Subscribed!!
This is a great video! Your explanation is very to the point without any fluff and presented in a way that doesn't make me wander to the next video. Thank you for the information in such a presentable way!
Very concise and crystal clear. Thank you!
Even a child can understand this .
Very well explained sir
@16:35
I would like to disagree about "salt"
Salt is technically speaking a compound that can bind either positively charged ion or negatively charged ion except hydroxide ion (OH-) and hydrogen ion(H+).
In some field salt is used as a mode of transport through bonding with adjacent ions. When the condition is right, the bonding will broken down and release the appropriate content. One example is calcium carbonate.
When dissolved with hydrochloric acid, calcium is released from carbonate ions.
So imagine this analogy to the hashing it is quite similar.
I'm so glad I found this video. You did an incredible job explaining this.
Glad you enjoyed it! What are you studying?
Awesome video. Was totally not expecting to see judaiism/rabiis mentioned. Very cool history insight!
Finally a video that explains it clearly!! Thank you!
I love this thorough explanation of Hashing and Encryption. This is awesome work.
Thank you so much!
thank you so much for a simple easy to comprehend answer with no filler. nice
Thanks a lot Shad ....was simple and easy to digest.Thanks for your time.Laughed at the last joke
Amazingly well explained sir. Very grateful for it. Subscribed.
Thanks for the video Professor. Very clear explanation to follow. Hashing technique was particularly useful for us in de-duplicating big data sets. Have shared it in a video.
Appreciate the detailed breakdown! Just a quick off-topic question: I have a SafePal wallet with USDT, and I have the seed phrase. (alarm fetch churn bridge exercise tape speak race clerk couch crater letter). How should I go about transferring them to Binance?
Thank you for all your work and even more for educating here on youtube your explanation is so good even I could understand it
Highly valuable and with great and ilustrative examples.
Great explanation....very easy language used which helps in understanding quick...thank you professor sir
You are most welcome. Thank you for coming
This is so good. Thank you professor Sluiter!
Wow! Awesome explanation sir.
Clear and well explained video, the work of a professional :-) Thank you
Awesome explanation, was always wonder what is Salting!
Commendable explanation.
Thanks for sharing.
1:57 So we are going to ignore the subtle shade Mr Shad Sluiter pulled here against windows and mac?..xD really good video too
still...he is using mac
8:16
I have a question:
Lets say the password is p="hello" and the salt is s ="42" so
p = p+s = hello42
now if I hash("hello42") = h1 I will get a different hash result as when I would hash("hello") = h2 right?
I would safe the with (random)salt generated hash h1 in my database.
Now on a different day, the user wants to login into my webpage. he uses the password "hello", my code adds a random salt to it and hashes it (because its random it wouldnt be again 42, lets say this time the salt is s=11). So the new hashed password would be hash(hello11) and if I compare it with the hash("hello42) in the database I would not get a hit.
How can I find the hash in the database if I use every time different salts for the same password?
The random hash value is chosen when the password is created. The seed and the hashed password are both stored in the database. There is not a new seed for each login attempt.
simple, crisp and clear ...
subscribed...
Thanks for the sub!
Thank you, your videos are very enlightening and entertaining as well as practical, I got great help from you
Thank you professor Shad! Very thorough and easy to understand.
Thank you for this. This is very helpful and easy to understand.
Thank you very much. I enjoyed your way of explaining. Clear simple and straight to the point. Thanks again
Thank you. What kinds of things are you trying to learn?
Very greatly explained!
Thanks for the video!
Finally understood this. Thank you Shad!
Thank you for visiting.
Thank you, the explanation was easy and valuable at the same time.
Great video. A pleasure to watch.
Glad you enjoyed it! What kind of things are you currently studying?
@@shadsluiter Nothing in particular. I know about using check sums to verify a file's integrity, and I was curious how it works. You also give a lot of contextual additional information, such as what rainbow tables are and why md5 is to be avoided, which was really helpful.
Thanks so much Pr. Shad! This is a great presentation. Needless to say that I subscribe to your chanel
So in other words, whenever a service tells me that my new password is “too similar” to my old password, they aren’t hashing my passwords and basically fucking me over?
They might be encrypting your password
They're mostly trying to deffend your account from successful brute-force attack
@@weltrepublik But if a password is changed by even a single letter and the hashes come out completely different, then they should have no way of knowing that's it is similar. Thus they must be saving my plain text password in order to compare. Doesn't sound like they are defending me at all.
@@Applest2oApples it's not that they're neccessarily saving it as plain text, but to make it harder to brute for hackers.
fx. most people use the same password on every site, so say a hacker gets your password from another not so secure site, but doesn't exploit it in a way you notice, he now has access to everything you have.
now X time later, your pasword gets "expired" on a site, and you change it to something similar, then the next time the hacker tries to login to that site, he will be denied.
Now instead of starting to brute force your new password from scratch (A-Z), almost all hackers will start brute forcing through variations of the old password instead, because most people are lazy, so there's a high propability, that only 1 or 2 letters have been capitalised, or changed and etc....
so just changing a few letters will make the hackers use relative short time to brute your "new" password" (from minutes to a few days), where a totally new password will force them to start from scratch, which means the hacker basically have to be incredibly lucky to crack you new password, as long as you use somewhat secure passwords (upper and lower case, numbers and special chars, and a good lenght)
the above example is also why it's important to use different passwords for each "important" site you use, and not just variations...
hope it made it somewhat clearer :)
@@jankastbjerg4017 the fact that a password is similar to a previous one is besides the point, the point is the website knows what your password is, and doesn’t only have it’s hash saved
Fantastic explanation. Thank you!
Great explanation... Thank you very much!!!
the common practical way:
1) encrypt+hash+salter
2) Data send through encrypted package
3) Unencrypt the received data
4) Check on the hash and token should return valid/true.
5) do the things...
Regarding MD5, shouldn't really use it, if still insisted, must merge with add-on unique hashing algorithm to generate the only unique result.
In reality, there are still tons of systems still using the MD5 hashing basis but they modified with other unique hashing algorithm.
wow, thank you so much. "... never see a windows or Mac ..." joke cracked me up 🤣
Quality information ..i must say...subscribed...thanks a lot!
Awesome video. New stuff learned. But I don't understand everything.
What's wrong with md5? There are rainbowtables. Why not just add let's say SHA-2 hash next to md5 hash of those passwords?
And what about salt? Where salts are stored on server? Special datatbase? Is there unique salt for each user? If hackers can steal password db what's the problem with stealing salts? Just extra steps which are not guarranteed to be successful?
Wow - that was fantastic! Really well presented - thanks!
Looking forward to an easy explanation on SHA algorithm!!
Excellent content and examples, definitely going to continue checking your videos professor ^^
Thank you. What kind of things are you studying?
@@shadsluiter Well, I am a Network Engineer and Linux Engineer, I am currently exploring blockchain infrastructures, cryptocurrencies and IPv6, all of them require security. Do you broadcast live via UA-cam from time to time?
Thanks for your teaching, wonderful job!
Amazing video, learned so much!
Great job, useful video, simple explanation, thank you very much!
Great explanation, thanks sir!
What is the difference between digital signature and hashing? Can be both used at the same time? Tahnk you for this very good video!
Thank you professor Sluiter
I really enjoying learning this, thank you!
That so well done and eloquently describes
Main difference is that encryption is 2 way(Can be reverted to original string),
and Hashing is 1 way(Cannot be reverted to original string)
Why can’t it be recessed
@@5gun1 here is the process of SHA256 (hashing technique used for mining bitcoins and ethereum) ua-cam.com/video/f9EbD6iY9zI/v-deo.html
The complexity of it makes it nearly impossible to reverse.
That video is gold, thank you!
Excellent video and explaining the technology. However, I have a situation where I don't know how I would adapt the concepts you explained because the scenario is slightly different. Your example works interactively by comparing user passwords with stored hash values. My scenario is for an automated process (no user interaction at all) and the credentials are self-contained in the program package. These must not be known to the user or anyone who can get a hold of the file(s) containing them.
Here is a live example … We have a company application that requires administrative rights to execute but our users only have standard Windows user permissions. I repackaged the application into a single EXE executable script to conceal the admin credentials that are included in the script code. However, I discovered that compiling the script is not enough because the EXE file can be decompiled or someone can use other programs to see the contents.
How can I adapt the concepts you explained in your video this my scenario? I need to be able to execute a self-contained application package locally (no network or internet resources) and with specific credentials while protecting said credentials from the local user or anyone who might get a hold of the EXE file containing the credentials. The application needs to use these credentials at run time to perform its tasks.
Your insight is most appreciated.
You are correct in assuming that anything you embed in an EXE file is essentially open source and viewable. Even a hashed password embedded into an EXE is not helpful because the hacker can disassemble and use the hashed credentials without knowing what the exact password is.
The issue is that your setup conflicts with the Windows security concept.
An program (executed by a non-admin user) needs to be escalated in order to run with administrative privileges. The UAC prompt and escalate are the only ways to accomplish that.
You could now carry out some or all of the following:
- Determine the exact cause of the app's needs and devise a solution.
- Turn off UAC.
- Give users administrative rights on their PCs.
I would personally begin with the first suggestion above. What is missing from the application that it needs?
Does it have to write to a disk area that is normally secured? For instance, into a C:Program Files subfolder? If so, you can provide non-privileged users access to the folder or files it needs to access by opening their security settings.
Does it have to make changes to the register in a secure area? the same as above Set the user's access rights so they can read and write to that or those registry locations (s).
Just so you know, successful installers in the current UAC-based security paradigm frequently follow the pattern I just mentioned. The installer is elevated to enable these tasks, after which the application can operate for that user and access the resources it requires.
Thank you so much for your quick response. The information that you shared will be helpful in setting up application installations as you mentioned. I guess I was too vague in my question to you because I thought the solution would be sufficient to tackle both main scenarios that we have in our environment since they are so similar. I should also mention that I can do some scripting but I’m not a software developer.
If you would be so kind to share your insights, I would like to be more specific in the following scenario: I have an automated reporting process that does file transfers between a local machine to an Amazon AWS S3 online folder. The Amazon user account provides an “Access Key” string and a “Secret” string of characters which I can use like a username and password with an external utility called “S3.exe” to do file operations. The main script that runs automatically in the background, without user knowledge or interaction passes these embedded login strings as command-line arguments to the “S3.exe” utility which carries out the file operations.
I’m looking for a way to keep these login strings that are in the main script protected since they need to be available on the local machine when the process runs.
I am considering a few different ideas like keeping the login strings in a separate file from the main script, or in the registry somewhere. Maybe use as an encryption password (or salt) something that is unique to the computer hardware so that the encrypted file is tied to the individual machine. Or maybe a way I can rotate encryption information as to make it more difficult. I don’t know. I have been pulling my hair for weeks trying to figure out how to best resolve this issue since IT Security is putting some pressure on me and wants to shut down my project.
Any thoughts are most appreciated.
Very good video.
That said, I don't think it is accurate to say that increasing the hash length reduces the chance of a collision to "absolutely zero." Certainly the probability of a collision occurring would be incredibly low, but people still get struck by lightning even though the probability of that occurring is vanishingly small.
Would it be fair to say that a 100-character hash is way less likely to go through collision when compared to people being struck by lightning, which is a 1 in 60,000 chance scenario? The exponentiality is vastly different, no?
Excellent, just excellent.
Awesome explanation ++++++++++++ Thank you
Great explanations, thanks a lot!
Thanks lots Pro you make it clear even though im not computer background
Excellent explanation. Thank you!
very good and nicely presented content
Superb, thank you for sharing
This was such a great explanation. Thanks!
Thank you for the great video! I found it really helpful! I have one question regarding the fraud using hash function collisions. How can an attacker "take" the signature of the original document and transfer it to the document prepared for fraud if we talk about a digital signature using private/public keys?
great video, but I am also wondering the same thing.
Thank you Sir for your valuable information.
Aaaaand, now I get it. THANK YOU!
Thank you so much for your explaination.
Excellent material. Thank you!
Glad it was helpful!
well explained video, learnt a lot ..
Awesome Awesome 🤩 . I’ve learned a lot!🤝
Thank you so much for this video! Enjoyed it
Beautiful video
Love this channel
Nice video, helped me understand a lot
Thanks , very simple and easy complained 🌹
Hello! Thanks for the great video and explanation!
Hi, how can 64 units represent all the combination of all the files and or passwords in the world? thank you
Amazing lacture. Thanks
thank you so much you explained it perfect
Thank you so much, sir, it was a great speech and very helpful
Thanks and welcome
how is classical symmetric cipher different compared to modern cipher ?
Modern ciphers use longer strings of keys. Essentially they use longer passwords which makes them more secure.
Whats the difference between checksum and a hash?Are they just the same thing ?
Thank you for making this video. good presentation
My pleasure! Are you studying computer science or something similar?
This was super informativem thank you!
Thanks Professor 🎉
thank you very much for this! very helpful!
But if the hasing value also changed according to changed document by attacker and give to receiver