Episode 525 – Sea Salt for your Hashes

While on Vacation at the beach Darren and Shannon talk password security. Shannon covers her favorite free open source password safe, Keepass, and how it can take the nightmare out of remembering a different password for every site. Then, Darren goes over salting and what it does to protect your password’s hash on the back end.

Download HD Download MP4 Download XviD Download WMV

With the dozens–or in the case of many administrators hundreds–of passwords one must use and remember every day, how is one to ensure a secure and original password every time? Sure you could come up with some crazy algorythm that involves information in the WHOIS record of the domain you’re logging into, or you could live in normal land and get a password safe. Shannon goes over her favorite free open source offering KeePass.

Using industry standard encryption to keep your passwords safe, KeePass is the most full featured password safe we’ve tested. With versions for just about every OS under the sun, including many smart phones, there is no reason to ever reuse a password again.

If you’re a fan of KeePass and have a story or plugin you want to sare with us be sure to hit up [email protected]!

When it comes to storing passwords on the back end, whether they be in a database or flat file, it’s important to keep ’em salted. In this episode Darren goes over what Hash salting is — what it means to users, administrators, and would-be password crackers.

Don’t forget about our first ever official Hak5 Meetup at Busch Gardens Williamsburg on August 15th. Find all the details at hak5meetup.squarespace.com or RSVP on Facebook.


  • Luke

    Gah! A couple of season’s back Wes and Darren tell me not to store my passwords in some sort of program like this so I did. Now suddenly it’s okay!

  • Edvardas

    I didn’t like the idea to store all passwords in a single place. I think this gives you a single point of failure, you should remember to backup the password database (in case your usb stick/hard drive dies).

    Regarding post-it notes. In one of my former workplaces I stuck like 50+ post-it notes around the monitors. The funny thing was that none of them was a password used 🙂 Not sure if anyone tried them.

    P.S. Was the white balance off during the episodes, or you guys had sun burn?

  • JC Denton

    I agree with Edvardas. Single point of failure, not to mention a nice keylogger (hardware or software) snagging one password to get many passwords. *p00f* This just seems like a bad idea. get some form of biometric device with encryption on top of that if you want to go the storing of multiple passwords route.

  • Observer

    Or, the Hak5 crew got rooted because of a 0day WordPress vuln, but for some reason not related to security didn’t fess up to it. Instead, they decided to put a show out about how to not reuse passwords, especially between security zones. You mean, like your forumID and the root for your shell account?

    Google zf05.txt if you think I’m just making things up. There is always someone out there better than you, there’s no shame in it. There is shame in getting called out and pretending everything is fine.

  • Guy with new nickname

    Damn, my nickname and one of my passwords is in this file.
    I used to have 5 diffrent passwords, which I used for all my logins. But now as my password is that much close to my nickname on the internet, I changed every login and use diffrent passwords for all my logins.
    But I still write down all my passwords on a piece of paper and keep it hidden in my room, next to my credit-card-PIN and all that.

  • -=Boris=-

    not bad ep but have to say nothing better then paper and pen to write down your passwords 😀

    Observer: ur rite i google it, found the file and it’s pretty funny to read they even talked about Mubix to lol

  • haxwithaxe

    OH GOD!! That file has my nick(hax) in the title. It’s not mine I swear.
    Also gotta say I don’t trust anyone including my self with passwords written or electronically stored. My first hacking experience was finding my mom’s passwords “hints” written on a piece of paper and typing variations into the dial-up login ’til I got it right.
    If I can’t remember it, it doesn’t work. I have my own character replacement systems for work and personal use so even my hacker coworker can’t use my crazy passwords to figure out my personal accounts.

  • Darren

    @Observer, nobody is pretending everything is fine. In the same token we’ve been on vacation during the last two shoots and haven’t had a chance to put together a proper follow-up. Once I have something intelligent to say about it I will. Until then I’m still getting familiar with the situation.

  • L34N


    Of course a show about hacking is going to be attacked more often than other sites. Even Mitnick got owned. However, I do recall a few episodes ago, Darren saying they were hacked, he wasn’t hiding it. Its just sad that people have to spend many sleepless nights trying to attack someone who has a 40-50 hour/week job, busts his ass trying to put together videos for us, and wants to take a lil vacation every once in a while. I can barely post a youtube video without getting distracted a million times.

    From zf05
    “Oh dear. See, Hak5 are a bunch of no mark wannabes. They contribute nothing to security but entertain people who own iPhones and macs and study CS. These people get their buzz from claiming to be hardcore, leet and hackers.”

    There are so few videos of iPhones and macs. Apparently someone didn’t actually watch the videos before complaining.

    Also, the whole “They contribute nothing to security” is completely false. There are so many IT admins/Security geeks out there that don’t have a decent grasp on whats really going on in the world. Hak5 is providing that insight to these IT Admins as well as the geeks that just love to play with stuff. While I don’t approve of companies hiring IT Admins with just a basic background, it is becoming increasingly popular in today’s world. They need more training. And, if Hak5 can provide some basic to advanced knowledge into the hacker community, that is a step in the right direction. Why would they post videos on how to reverse engineer a Microsoft patch? The people who would actually be able to do that, wouldn’t watch the show to learn. They would watch it for the entertainment. Who cares if they also throw a few vids up of a Wii hack. Everyone needs to have some fun.

    I used the “Multipass” video in a meeting to describe how easy it is to get attacked. I knew it, but no one would listen to me. I also used it to provide our own set of USB keys for our Tier 1 techs to be able to troubleshoot and resolve problems more efficiently. I added the Switchblade stuff as well so they can dump log files, net stats, hosts files, etc. so I can dig through the content without having to be at the machine. Hak5 was useful here.

    I’m also using the NetWitness/tcpdump/tcpextract stuff as a training session in security conference coming up. Hak5 was useful here as well.

    We’ve even used the OpenFire stuff.

    I am a Security Analyst for a higher education institution. I do not have time to figure out how to put things like the multipass together(just for clarification, not having time and not having knowledge are two completely different things). I’m too busy trying to perform internal audits and keep up with 0day attacks on all of our systems. Hak5 shows me new ways to better keep track of what the hell is really going on with my systems. They also show me how to have some fun when I go home and the g/f wants to play the Wii. She loves that “Move the pussy” game.

    So go ahead and continue to bitch while posting proof of your complaints. Everyone knows there is always someone better out there. No one is hiding anything. Its people like you that piss everyone off and make life less enjoyable.

    Grow up and stop posting shit that you had nothing to do with. Unless you’re willing to admit that you hacked them.

  • carl campbell

    Dont ever hate on HAK5; they do it for the love of the game. U watched the episode and used the forums to post, would’nt a “thank you” be more appropriate?

    Good episode..you said Matt would be back this week..oh well, keep up they good work

  • Observer

    Apologies to Darren, etc. L34n, point taken and you’re right. It’s a great show, and the first post wasn’t deserved or intended to be that pointed. The forums responsibly disclosed the original issue in a timely fashion.

    If I could revise the previous it would have been…
    Having a tool to store passwords should allow you to take advantage of policy generated random passwords, preventing predictability, and easily maintain a 1::1, password::site. The issue (mentioned in hak5) causes you to have 1 passphrase (to the vault) that is a single point of failure since it’s unlikely you’ll remember random strings.

    As an add on to snubs great suggestions, perhaps multiple keyfiles creating defense in depth is a workaround. Having all your passwords and the key to those passwords on a system is an issue. If your passfile is on a system with a keylogger (usb on public terminal), you’re in the same boat or worse than if you reused passwords. If you had a keyfile for banking, one for social sites, one for all others, you could protect those keyfiles differently, and in relation to how valuable they are to you. IE, the passphrase for the bank key file is never entered on an untrusted system, and is not predictable if another passphrase were compromised.

    To rephrase, you don’t have much control over a lot of the systems you use to save time or stay connected (some don’t even use salts), and we all fall victim at some point.

    Again, sorry for the out of character trolling, hope you had a restful time at the beach….

  • PapaBear

    Good episode lady and gentleman. Glad to see you guys relaxing and enjoying time with family and friends. Many props for even making an episode while you are on vacation (most wouldn’t have even bothered). Can’t wait for season 6.

  • rockstar

    pretty sad that the camera guy just HAS to keep fucking saggy boobs in the shot, at the expense of cutting off someones head in the shot, leaving the main focal point a neck. This is a hak show, not an excuse for snubs to fucking show off like a whore.


  • JC Denton

    You cocksucker rockstar! How could you say that about her.
    Oh I know. because you are hidden behind a computer. If I was Darren and I knew who you were in real life I would knock the fuck out of ya for saying that.

  • L34N

    When did everyone become so screwed up. Shannon is beautiful! Even my girl thinks so. Btw.. you know they’re loggin IPs rockstar.

    Thank you for changing your mind. Its very interesting to see someone who got slammed by so many actually man up and take it back. Very respectful.

  • [3w`Sparky]

    first off Rockstar you are a cock star

    15 mins into the episode the house in the background seems to have a face on it , sad i know i spot that kind of sad crap.

    and i’m thinking the red skin is one of two things , bad lighting or that shirt ;o)

    cheers guys, enjoy your hols

  • rockstar

    “When did everyone become so screwed up. Shannon is beautiful! Even my girl thinks so. Btw.. you know they’re loggin IPs rockstar.”


    srsly, who cares. cant get an address from an ip anyways.

  • haxwithaxe

    @ rockstar: actually you can get an address from an ip. i did that for a project a work.
    google geoip
    also the adjetives you used were 1) unnecisary 2) not appropriate 3) off topic and 4) fals. snubs is hot you’re wierd if you think otherwise.

  • Wetwork

    Is it just me or is Snubbs getting hotter and the shows getting shorter?? As far as passwords being stored in one place that is just like holding Satan in Pandora’s box….just a bad idea. for several shows this past season they have done quite a few epi’s that deal with cracking all sorts of encryption and even Darren eluded to it himself in this very episode with his blurbs on salting. I don’t care what program that you use and how great the encryption is on said programthe best way to store the passwords that you use is in your own head

    I have two sayings for you
    Security is a warm blanket of Mistrust and Safest safe can be cracked with a wisper

    Have a good vacation and lets try to put some more content in our content instead of rehashing the same things over and over again such as how to convert Physical to virutal VmWare Guests

    Kudos on the end of season 4

  • John

    Hey hey,

    First of all: Snubs looks gorgeous.

    Besides that:
    I dont like to store all the passwords at one place either but this program kinda replaces all passwords by 1. Just make a program (or figure out, but we’re geeks arent we) a random password for each login and store it in that program…I think there are some ideas there.

    About the hashing: very intresting! Currently making a mailclient in java and I’m very excited about trying (yes trying) implementing it.

    Have fun guys!

  • rockstar

    @ rockstar: actually you can get an address from an ip. i did that for a project a work.
    google geoip

    That doesn’t give you the EXACT address of an IP, only a general area.

    Nice try.

  • Freyberger

    I give mega props to the hak5 Team!! You put on a show that is worth my time watching. I have just been in tune for the last year but have gone back and TiVo’d the old stuff too. I have been in the hacking and Phreaking game from way back. My first adventures were with TRS80 Model 1, Ti994a, C=64 & Amiga… Been trudging through it all for over 30+ years.

    Who ever crashed the site I say Thanks for nothing! 🙁

    To The TEAM at Hak5 thank you and keep up the great work.

    You inspire me to follow my technolust

  • crazzymoocow

    i love the keepass thing im tyred of forgetting usernames and passwords if i ever get back in to my netgear at least i can store my new name and password and maby i wont tair any more hair out because i locked my self out off my crap again

  • stephen

    once somebody has your IP and you haven’t taken precations, one can then find out your service provider and then do a little social engineering to hack your service provider and get your exact location… and if you don’t think it is possible, you will be thinking twice when darren is at your front door about to shove his acer one up your… well you get the point…

    geoip may not be able to give an exact location it can give somebody a place to start looking…

    btw, I thought it was pretty nice to see snubbs wearing the blue dress… my gf even thought she looked very nice…

    can’t wait for next season… enjoy your vacation…

  • Pingback: One hour sites « Techknowlogick's Blog

  • Anon since that text file got out!

    Hi, i’m astounded that people such as the Hak5 crew let the forum passwords get stored in their original form!! Never heard of one-way hashing guys?

    I mean, if you were a first year at college programmer or something, maybe you might do something as stupid as that; but a show about security and hacking – should know better!

    I’ll continue to watch the show, I like it even though the past few I have skipped through parts. Keep making awesome shows, but maybe also look into your own security once in a while 😀

  • Anon since that text file got out!

    Just read that the passwords were MitM’ed, not read from a file.

    Thats a bit more forgivable than passwords stored in plaintext 🙂

  • rockstar

    once somebody has your IP and you haven’t taken precations, one can then find out your service provider and then do a little social engineering to hack your service provider and get your exact location… and if you don’t think it is possible, you will be thinking twice when darren is at your front door about to shove his acer one up your… well you get the point…

    I’ll give you $500 if you can do that. I know people like you, and darren, and none of you have the balls to do anything except hack a pc then snicker about it later. You’re skinny nerds with big brains, don’t say you’re going to do shit when you know you’ve never fought in your life.

    I worked for a cable/internet company before, and even in my position I wouldn’t be able to get an address from an IP.

  • Digitaldog

    Hak5 is Awesome; if this was my site I would have deleted the post from the idiots above. Hak5 chooses to let the comments stay where they lay and as a result we see how ignorant some of the points of view are. The show is Great you guys do the best job, keep up the good work!

  • XTA

    Im sorry for saying this, but it looks im the only one to confess that I was unable to stop staring at Shannon cleaveage the whole ep. I know she’s not just a cleaveage, it’s a person, but the camerman did a “rare” job also, cutting her forehead and “centering” in the picture her cleaveage. I’ve said it.

  • disgusted

    Whoever the hacker was fits the description of an intelligent geek who is an outright COWARD…. with no balls.

    Those of us who appreciate what the hak5 team is doing share the commonality that we have full time jobs, work hard, and appreciate the hak5 team for sharing what we love must.
    You might think that you are all that and a bag of chips, but just like Darren mentioned even Mitniks site got owned so you haven’t proved anything but that you are a geek with no appreciation. Your day will come when someone will outsmart you and catch you in the act and you will be hung out to dry.

  • CountryBoy

    Darren , Long time no see buddy… I think you all should have a show in the works especially for Rockstar 😉 I think you would have plenty of viewers on that one. And BTW Keep up the good work…

  • Z71

    Whats up, haha I’m the camera guy (brown tank top first ad read) and sorry about the camera work, kinda windy, kinda just me not having experience with the camera… it was like a regular camera not a camcorder. Not really a hacker just showing some love.

  • Juan Cubillo

    Where did you got that “Pura Vida” Fish???

    I’m from Costa Rica and that phrase was like totally invented in here! 🙂

  • http://www.hackfmi.com

    I like the helpful information you provide in your articles.
    I will bookmark your weblog and check again here regularly.
    I am quite sure I’ll learn a lot of new stuff right here!
    Best of luck for the next!

  • Cheat For Battle Camp

    Wow that wass odd. I juset wrote an really long comment but after I clicked submit my comment didn’t show up.
    Grrrr… well I’m not writing all that over again. Anyways,
    just wanted to say superb blog!

  • Trim CLeanse

    Excellent post. I was checking continuously this blog and I am impressed!
    Very useful info specially the last part 🙂 I care for such info
    much. I was looking for this certain info for a long time.
    Thank you and good luck.

  • siding repair

    But there are cert?in terms and conditions t?at you nee? to satisfy t? b?com? eligible f?r these insurances.
    ?onsider testimonials f?om your friends and colleagues
    t? engage a nicely experienced contractor locally. ?his fact alone, ?s one reason t? contact ? reliable roofing company ?hen you are consi?ering a room a?dition ?r kitchen remodel.

  • Cialle Eye Serum

    I’m truly enjoying the design and layout of your site.
    It’s a very easy on the eyes which makes it much more enjoyable
    for me to come here and visit more often. Did
    you hire out a designer to create your theme?
    Outstanding work!

  • Air Max 90

    You are so cool! I don’t think I’ve truly read through something like this before.
    So nice to find another person with a few unique thoughts on this issue.
    Seriously.. many thanks for starting this up. This web site is one thing
    that is needed on the web, someone with some originality!

  • hummingbird and flowers

    Here, you won’t need to compromise while using length of the design since there is enough space designed for really large tattoos.
    Many women find the ankle initially due to the fact that the spot can easily be shown or
    covered. They eat, they squabble with each other after which they
    eat some more.

  • Colodetox

    Hey there just wanted to give you a quick heads up.
    The words in your post seem to be running off the screen in Opera.

    I’m not sure if this is a format issue or something
    to do with internet browser compatibility but I
    figured I’d post to let you know. The style and design look great though!
    Hope you get the problem fixed soon. Many thanks

  • Randy

    First of all I want to say superb blog! I had a
    quick question which I’d like to ask if you do not mind.
    I was interested to know how you center yourself and clear your thoughts before
    writing. I’ve had a difficult time clearing my mind in getting my ideas out.
    I truly do take pleasure in writing however it
    just seems like the first 10 to 15 minutes tend to be wasted simply just trying to figure
    out how to begin. Any suggestions or tips? Appreciate it!

  • jacket with hoodie

    Howdy, I think your website could be having web browser compatibility problems.
    Whenever I look at your site in Safari, it looks fine however, when opening in I.E.,
    it’s got some overlapping issues. I simply wanted to provide you
    with a quick heads up! Other than that, great website!

  • You so if he sets of

    That idea was widely dismissed yesterday, with European Commission president
    Jose Manuel Barroso saying: ‘The indisputable fact that we’ve got two
    unions in Europe means disunion You so if he sets of this is commonly documented by your credit report along with
    a solid level of emphasis is put with this report.

  • weight loss tips and motivational sayings

    Your breakfast is the foundation for that whole day; so exactly like whatever
    else, beginning from a negative foundation, the structure are not that great.
    They are useful and comparatively safer as they don’t employ any harmful chemicals and so are created
    from natural elements. So this ends in high calorie consumption, low
    stamina, and overeating.

  • disney movies watch

    Hey there, I think your blog might be having browser compatibility issues.

    When I look at your website in Opera, it looks fine but when opening in Internet Explorer,
    it has some overlapping. I just wanted to give you a quick heads up!
    Other then that, awesome blog!

  • Trimaleana Garcinia cambogia

    Excellent items from you, man. I have be mindful your
    stuff prior to and you’re simply too magnificent.
    I really like what you have received right here, really
    like what you’re stating and the way by which you say it.
    You make it enjoyable and you continue to care for to stay it smart.
    I can not wait to read far more from you. That
    is actually a great web site.

  • Nichole

    A person essentially help to makme seriously posts I’d state.

    That is the very first tim I frequented your web page and up to now?
    I surprised with the analysis you made to make this particular post amazing.
    Excellent process!

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>