Comments on: Caution: Online MD5 Cracker Tool

By: balaji

balaji — Sun, 27 Apr 2008 05:24:34 +0000

if i have hash the wat is password of this

b041837512536fcac661a3cf3c69eef2

By: Another Reason to Choose a Safe, Secure Password

Another Reason to Choose a Safe, Secure Password — Mon, 17 Dec 2007 15:32:24 +0000

[...] is the latest reason why you should not use easy-to-remember passwords: this MD5 cracking tool (via Cybernet News) is able to convert many encrypted passwords back into their original, plain text form. The tool is [...]

By: Mr./Ms. Days (MMDays) - ??, ??, ??, ?? » Blog Archive » ????????

Mr./Ms. Days (MMDays) - ??, ??, ??, ?? » Blog Archive » ???????? — Mon, 17 Dec 2007 07:37:03 +0000

[...] ??? Web2.0 ?????????????????????nevercool ?????????????????? MD5 ????????????????????????????? CyberNet ???????????????????????????????????????? Google ???????????????????????????????????? MD5 ????????????????????????????????????????????????????????????????????????????????????????????????????????????????? [...]

By: leland

leland — Sun, 16 Dec 2007 05:07:17 +0000

If you follow the best practices recommended today you would have a password that is a phrase that includes upper, lower case along with numbers and punctuation. On some sites I needed a 26 character password before it thought I was adequately protected. But then considering the speed at which computers run now days and how smart the bad guys are you can never be too safe. Thanks for the interesting article.

By: f0dder

f0dder — Sat, 15 Dec 2007 20:23:48 +0000

…and now I’ll just go shoot myself and write “never post anything on teh intarweb when you’ve just woken up” a 100 times on my blackboard. Yes, obviously I just entered that fancy string on the site, and it calculated the md5sum for me - duh. Not the other way around.

So I’ll return to my previous position of “is this really using rainbow tables?”, and have a bucket of coffee.

By: f0dder

f0dder — Sat, 15 Dec 2007 20:15:33 +0000

Okay, actually played a bit with the website now and tried a few different passwords, and considering that it handles a string like “Åu*e½/§|t[a-s’ord^¨+}++98:0.2_83″ - well, I’m convinced it does use rainbow tables. And yes, I did double-check the md5 value returned, and it is correct.

I do wonder why it failed on the very simple passwords as those mentioned in the blog posting, though?

By: f0dder

f0dder — Sat, 15 Dec 2007 19:49:30 +0000

The “about” page on the md5() site doesn’t say that it uses rainbow tables, just that it has “a database of md5 hashes”. If it used rainbow tables, I can’t see why it would be able to crack an 8-letter password (”password”), but fail on a 5-letter password (”2w9ss”), when it obviously handles the character set (it does handle the (very short) “2w9″). But I might have misunderstood how rainbow tables work
.

Also, forget “A 6 letter hash containing of A-Z, a-z and 0-9 will produce an extra 56,800,235,584 permutations.”, a UNIX salt only does 4096 permutation (which is a lot of extra space, but within the realm of doable) - again, unless I’ve misunderstood something.

By: Ryan

Ryan — Sat, 15 Dec 2007 19:07:15 +0000

Thanks to everyone for the information, and yes this database is effectively a rainbow table. I thought about going into more details as to how this all works, but I wanted to keep it simple for people who don’t even know what MD5 is yet.

By: Lewis

Lewis — Sat, 15 Dec 2007 16:17:22 +0000

meh I meant rainbow table.

By: Lewis

Lewis — Sat, 15 Dec 2007 16:16:47 +0000

Oh and this “database of MD5 hashes” is effectively a hash table.

By: Lewis

Lewis — Sat, 15 Dec 2007 16:14:38 +0000

A 6 letter hash containing of A-Z, a-z and 0-9 will produce an extra 56,800,235,584 permutations. Which I think is a bit more than “a bit”. Not to mention they then have to extract the password from the result.

By: f0dder

f0dder — Sat, 15 Dec 2007 13:30:37 +0000

Heh, “a database of MD5 hashes”.

The site has a nice simple layout and the idea is cute enough, but why would you do a simple database when you can use Raibow Tables? (http://en.wikipedia.org/wiki/Rainbow_tables) - can be adapted for salt as well, although it does increase the size of the rainbow tables “a bit”.

By: Lewis

Lewis — Sat, 15 Dec 2007 12:31:07 +0000

Any developer worth anything would always use a salt when hashing passwords. What does this mean? A salt is basically a random string which is appended to the password before it’s hashed. Then when checking you simply append the salt to the entered password and see if it matches their MD5 hash. This renders rainbow attacks completely useless, as the actualy MD5 would be of something like “passwordKj5g6d” - which obviously wouldn’t be likely to be in a rainbow table. Even a static hash is often good enough, as long as it’s still quite random.

Also don’t forget these MD5s will be behind a password protected database, so you’re pretty safe unless you’re using really unsafe websites in which I’d hope you don’t use your actual password.

By: CoryC

CoryC — Sat, 15 Dec 2007 02:59:51 +0000

Keith Dsouza wrote:

This can definitely get serious as many people use simple password. MD5 is the safest way to encrypt passwords nevertheless using common words for passwords is definitely not the way to go.

I definitely would say that you should use numbers, characters as well as both upper and lower case combinations in your passwords.

Just a note, MD5 is not encryption. It’s a hash algorithm.

By: Keith Dsouza

Keith Dsouza — Sat, 15 Dec 2007 01:45:58 +0000

This can definitely get serious as many people use simple password. MD5 is the safest way to encrypt passwords nevertheless using common words for passwords is definitely not the way to go.

I definitely would say that you should use numbers, characters as well as both upper and lower case combinations in your passwords.

By: Veign

Veign — Fri, 14 Dec 2007 23:59:33 +0000

Just watch out and don’t enter any of your secure passwords as they are learning from you what enter. Be warned…