issue205:c_c


I recently enrolled in a short course on technical writing, and it got me thinking. Although our magazine is aimed at Ubuntu newbies, we have an established reader base that is not. So I am going to put it out there: would you prefer a more clinical approach to Command & Conquer, or should we continue with our casual, conversation-like tone? Is it about the meat and potatoes – getting the job done – or do you prefer the scenic route? Would you like to know the why, or just the how? Or would you prefer learning without knowing that you are? Would you prefer gamification?

Do let us know, so we can become more of what you want. Send us an e-mail at: misc@fullcirclemagazine.org

Now on to this month’s Command & Conquer. I am again writing this in response to questions in some of our Telegram channels.

Btanon: What's the best way to hash passwords?

Srace: How can I delete my old passwords file so it can't be recovered?

I’d like to start by addressing the second question first. Firstly, if you do keep bitcoin wallets and bank passwords on your computer, it should be in an encrypted folder, as when it comes to your finances, you want to be doubly sure.

Linux has a utility called “shred”, as in file shredder. To find out more you can type: man shred

As the man page says, it will “overwrite a file to hide its contents, and optionally delete it”. Note that deleting is optional, so do not assume anything. The same man page also cautions that shred only helps on file systems and hardware that really overwrite data in place, so read that section too. If we look at the arguments, a few stand out. The TL;DR version is that I remember it as USN, like the gym supplements, but the S is a Z.

Let’s dissect that. The -u removes the file once the overwriting is done; think of it as the clean-up. The -z does a final pass of all zeroes over your file, so it looks as if there was nothing there. The -n lets you specify the number of times to overwrite.

Now let's see it in action. Copy an FCM PDF file to a folder. Right-click inside said folder and click on “open terminal here”. Now type: shred -u -z -n 6 issue201_en.pdf (replace that file name with your file) and hit enter. Poof, it’s gone. By default a file is hammered three times; I doubled that by specifying six. If you followed along, congratulations, you securely deleted a file.

Now let’s explain hashing, as this confuses people. Hashing is a one-way function. Say it out loud. It is meant to be one way only. The following is very simplistic AND wrong, but it helps to paint a picture. If plus were the hash, one plus two would hash to three. You can immediately see the problem: two plus one is also three. Two different inputs giving the same hash (a collision) can happen with a real hash too, but with a good algorithm it is unlikely. My message was one plus two, not two plus one. This is very important in password hashing, as you can imagine! While we will not discuss hashing algorithms, as it would take up the whole year, we can show you how to use them. We often see SHA256 sums in the same folder that you download a distro from. Think of this as a unique fingerprint; strictly speaking it is not, but think of it that way, as the chances of getting the same hash after changing something are like winning every lottery at once.

Let’s see that in action. I suggest using a text file as we can change the contents easily. Please follow along if you are a newbie. Create a folder and an empty file inside it:

touch fcm.txt

echo 1234567890 >> fcm.txt

We now have a file with 11 bytes of data (shown top left).

Now type:

sha256sum fcm.txt

OK, the file is fingerprinted! Shown top right.

Now open the file in your text editor, add a space after the zero, and save it. Our file is still only 11 bytes in size. However, if we repeat the command above, we get something completely different, due to a single space. Shown right.

And that is the short version. Both versions of the file contained only “1234567890”, and you could not tell by printing the file to the terminal that anything had changed, but the hash does not lie. I dare you to keep adding spaces in different places, without changing the file size, and see if you can get a hash that even resembles the first one.

You can do this with md5sum also: md5sum fcm.txt

This creates a shorter fingerprint, if that is all you need for a file. Just please don’t use it for passwords! To understand why, read up on rainbow tables (precomputed tables of hashes that let an attacker look up an unsalted password hash instead of guessing): https://en.wikipedia.org/wiki/Rainbow_table

Homework: repeat the above exercise with md5sum.

We used a text file in this issue, as it is easy to change something, but you can use this with other files too, like pictures, for instance.

When it comes to passwords, you need to salt them and hash them, and probably hash the result as well. Just remember to keep the salt nowhere near the place you keep your hashes. The same goes for the plain-text passwords themselves: it is best to discard them as soon as you have the hash.
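As an added example (not code from the column), here is the fcm.txt experiment and the password question in Python using only the standard library: the fingerprint of the file content changes completely when one space is added, and a password is hashed with a fresh random salt and many iterations (PBKDF2-HMAC-SHA256). The sample contents are constructed to match the column; the example stores the salt next to the hash because it is needed again when the password is verified.

```python
import hashlib
import hmac
import secrets

# Constructed sample contents mirroring the column's fcm.txt experiment:
# "1234567890" plus a newline (11 bytes), then the same with one space added.
ORIGINAL = b"1234567890\n"
WITH_SPACE = b"1234567890 \n"


def fingerprint(data: bytes) -> str:
    """Same hex digest that `sha256sum` prints for a file holding these bytes."""
    return hashlib.sha256(data).hexdigest()


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted, iterated password hash.

    A fresh random salt means two users with the same password get different
    records, and a precomputed (rainbow) table is useless against them.
    The returned record is iterations$salt$hash, all hex, so the salt needed
    for verification travels with the hash.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking where the first differing byte is
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print(fingerprint(ORIGINAL))
    print(fingerprint(WITH_SPACE))  # completely different for one extra space
    record = hash_password("correct horse")
    print(record)
    print(verify_password("correct horse", record))  # True
    print(verify_password("wrong guess", record))    # False
```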

If anything was unclear, write to misc@fullcirclemagazine.org

issue205/c_c.1717230005.txt.gz · Last modified: 2024/06/01 10:20 by auntiee