This repository has been archived by the owner. It is now read-only.

Can IPFS crack passwords (i.e. help an attacker guess a password of which only a hash is known)? #37

Closed
Mithgol opened this issue Sep 15, 2015 · 7 comments

Mithgol commented Sep 15, 2015

(inspired by Greg Slepak)

Yes: if a known hash is a multihash and if a text file containing the password (and only the password) was ever published, then a mere IPFS lookup will return the password in plain text form.

Even if the login's owner has never published the password, such a file may eventually be published by someone else.

Update: no, the hash is actually more complex; see below.


jbenet commented Sep 15, 2015

Actually no, the plaintext file is wrapped with metadata so the hash changes.

And this is silly:

> Even if the login's owner has never published the password, such a file may eventually be published by someone else.

If someone deliberately puts the pwd out like that, they could just as well tweet it out and tag you personally.

Maybe ask first before asserting one way or another?


Mithgol commented Sep 15, 2015

> the plaintext file is wrapped with metadata so the hash changes

Sorry, I've misunderstood the dependence of that hash on the file's contents.

I've edited my original (wrong) answer and added a strikethrough to indicate the misunderstanding.

By the way, what are the elements of metadata that affect the hash?

For example, does the hash change if a file is renamed?


Mithgol commented Sep 15, 2015

…I've just run `ipfs add` on two equal files and got two equal hashes, so the metadata must be something else, not the name.


whyrusleeping commented Sep 15, 2015

if you do

```
echo "hunter2" | ipfs add
```

you will not get the hash of `hunter2`, you will get the hash of the merkledag protobuf containing the data `hunter2` (plus some unixfs framing)
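
The framing described in the comment above, reconstructed as an added example (not part of the original thread and not IPFS's own code). It assumes the default layout for a small file: one unixfs File message inside a merkledag protobuf node with no links, hashed with sha2-256 and printed as a base58 multihash; all function names are hypothetical.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
CHUNK = 262144  # default chunk size; larger input is split into linked nodes

def varint(n: int) -> bytes:
    """Protobuf base-128 varint."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | (0x80 if n else 0))
        if not n:
            return bytes(out)

def unixfs_file_node(content: bytes) -> bytes:
    """merkledag protobuf node wrapping one unixfs File message (no links)."""
    if not 0 < len(content) <= CHUNK:
        raise ValueError("example covers non-empty single-chunk content only")
    size = varint(len(content))
    unixfs = (b"\x08\x02"                  # unixfs field 1: Type = File
              + b"\x12" + size + content   # unixfs field 2: Data
              + b"\x18" + size)            # unixfs field 3: filesize
    return b"\x0a" + varint(len(unixfs)) + unixfs  # node field 1: Data

def base58(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def multihash_b58(block: bytes) -> str:
    """sha2-256 multihash (0x12 = sha2-256, 0x20 = 32 bytes) in base58."""
    return base58(b"\x12\x20" + hashlib.sha256(block).digest())

def ipfs_add_hash(content: bytes) -> str:
    """Hash of the wrapped node, not of the content itself."""
    return multihash_b58(unixfs_file_node(content))

if __name__ == "__main__":
    pwd = b"hunter2\n"  # constructed sample: what `echo "hunter2"` writes
    print("wrapped node  :", unixfs_file_node(pwd).hex())
    print("hash of node  :", ipfs_add_hash(pwd))
    print("hash of bytes :", multihash_b58(pwd))
```

The wrapped bytes depend only on the content and its length, which matches the observation earlier in the thread that two equal files give equal hashes whatever they are named.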


Mithgol commented Sep 15, 2015

Ah, I see. I get it. It's not even a hash of that file's content. It's a hash of an object that has links and blocks and whatnot.

Mithgol closed this as completed Sep 15, 2015

jbenet commented Sep 15, 2015

yep, thanks for editing 😄 👍


madavieb commented May 23, 2017
