Infinite Passwords?

When you create an account on a website, the server doesn’t store your password; it stores a hash of your password. The most basic .htaccess security uses (I believe) an MD5 hash of your password. The hash is one-way, so if someone captures the hash they can’t calculate your password. They can, however, find another string of text that evaluates to the same hash. This is called a collision.

You could, in theory, hash a string of any length. So there are an infinite number of inputs. Some of those strings will collide with the hash for your password. How many? Well, a subset of that infinite number, but still an infinite number. A smaller infinite number, if you will.

What’s my point? Just that given an unlimited password field length you would have not one valid password, but an infinite number of valid passwords. I think.
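The counting argument above can be watched in action. This is an added example, not part of the original post: it cuts MD5 down to 16 bits so that other accepted strings turn up in a fraction of a second, and shows that any set of inputs larger than the number of possible hash values must contain a collision. Assumptions: the 16-bit truncation, the helper names, and the sample password and candidate strings are all constructed for the illustration.

```python
import hashlib
from itertools import count

BITS = 16  # assumption for the demo: keep only 16 bits of the MD5 output

def toy_hash(text: str, bits: int = BITS) -> int:
    """Top `bits` bits of MD5(text) as an integer (hypothetical weakened hash)."""
    digest = hashlib.md5(text.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") >> (128 - bits)

def verify(candidate: str, stored: int, bits: int = BITS) -> bool:
    """Server-side check: hash what was typed and compare with the stored hash."""
    return toy_hash(candidate, bits) == stored

def other_valid_passwords(real: str, how_many: int, bits: int = BITS) -> list:
    """Walk an endless stream of strings, collecting those the check accepts."""
    stored = toy_hash(real, bits)
    found = []
    for i in count():
        candidate = f"candidate-{i}"  # constructed inputs, unbounded in number
        if candidate != real and verify(candidate, stored, bits):
            found.append(candidate)
            if len(found) == how_many:
                return found

def pigeonhole_pair(bits: int) -> tuple:
    """Hash 2**bits + 1 distinct strings: two of them must share a hash."""
    seen = {}
    for i in range(2 ** bits + 1):
        text = f"input-{i}"
        h = toy_hash(text, bits)
        if h in seen:
            return seen[h], text
        seen[h] = text
    raise AssertionError("unreachable: more inputs than possible outputs")

if __name__ == "__main__":
    real = "correct horse"  # constructed sample password
    for alt in other_valid_passwords(real, 3):
        print(f"{alt!r} is accepted in place of {real!r}")
    print("guaranteed colliding pair (8-bit hash):", pigeonhole_pair(8))
```

With the full 128-bit MD5 output the same brute-force loop would need on the order of 2^128 hashes per hit, so the extra valid passwords exist but cannot be found this way.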
