MD5 Cracker

One of the most popular ways of securely encoding passwords is using MD5. Many online services use it, as do some applications, because it is an efficient way to securely store a user’s password. For example, if your password was “admin” the MD5 hash would look like “21232f297a57a5a743894a0e4a801fc3”.

There is no easy way to take an MD5 hash and have it reversed back to the original text. Hardcore crackers, however, often have databases that consume several gigabytes of pre-calculated MD5 hashes. By that I mean they’ll go through the dictionary and calculate the MD5 hash for all known words, and then move on to common password combinations. That way, when they get their hands on a database filled with MD5 hashes, they can begin searching to see if any of the users had used one of the common words.

Pieter over in the forum posted a big eye opener for anyone that still uses common passwords. He pointed out this tool where a user is able to enter an MD5 hash in the text box. It will then scan what appears to be a rather extensive database to see if the MD5 hash corresponds to any of the known entries it has stored. Here are some of the results from the test Pieter did with it:

  • 21232f297a57a5a743894a0e4a801fc3 – CRACKED (admin)
  • 5f4dcc3b5aa765d61d8327deb882cf99 – CRACKED (password)
  • 33c5d4954da881814420f3ba39772644 – CRACKED (crackme)
  • ec79d4bed810ed64267d169b0d37373e – CRACKED (8612)
  • 61ebd641ffb9b13f2b3163677ef58b0a – CRACKED (2w9)
  • 2eaa8683175fa19f2710707e793b1f04 – FAILED (2w9ss)
  • 68dc6cbea6ddad512bc670c0df5c0804 – CRACKED (23984)
  • 22604bba610abedf926b74646008896f – FAILED (613593)
  • 031e174662676c05db4e019eaaa4de3d – FAILED (65151611)
  • e425adc17b1e4feed1dc295b82d16cbd – FAILED (crackme123)
  • 80e48c2df0e639b36cf2a2a75cbd8fdb – FAILED (imahacker)

As you can see, the more complicated a password is the more likely it won’t be in the database. Over time the database will continue to grow, and the first thing that it will index is all passwords with lowercase letters and numbers. For that reason I urge everyone to re-evaluate the strength of their passwords. You should consider mixing upper and lower case, as well as using both numbers and symbols. It will take a while to get used to a new password, but it’s worth the added security.
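To see why the results above split the way they do, here is a small precomputed-hash lookup, added as an example and not taken from the post or from the tool Pieter tested. It assumes a constructed three-word list plus every lowercase-and-digit string up to 3 characters and every number up to 5 digits, then checks the eleven passwords from the test against that table.

```python
import hashlib
import string
from itertools import product

def md5_hex(text):
    """Hex MD5 digest of a string, as stored by services that hash with plain MD5."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def candidates(wordlist, alnum_max=3, digit_max=5):
    """Yield dictionary words, short lowercase+digit strings, and short numbers."""
    yield from wordlist
    alnum = string.ascii_lowercase + string.digits
    for n in range(1, alnum_max + 1):
        for combo in product(alnum, repeat=n):
            yield "".join(combo)
    # Digit strings up to alnum_max are already covered above.
    for n in range(alnum_max + 1, digit_max + 1):
        for combo in product(string.digits, repeat=n):
            yield "".join(combo)

def build_table(wordlist):
    """Precompute hash -> plaintext once; every later lookup is a dict access."""
    return {md5_hex(c): c for c in candidates(wordlist)}

def audit(passwords, table):
    """Report, per password, whether its MD5 hash is present in the table."""
    return {p: md5_hex(p) in table for p in passwords}

# Constructed word list (assumption); real databases hold far more entries.
WORDLIST = ["admin", "password", "crackme"]

# The plaintexts listed in the test results above.
TESTED = ["admin", "password", "crackme", "8612", "2w9", "2w9ss", "23984",
          "613593", "65151611", "crackme123", "imahacker"]

if __name__ == "__main__":
    table = build_table(WORDLIST)
    print(f"table holds {len(table)} precomputed hashes")
    for pw, found in audit(TESTED, table).items():
        status = "CRACKED" if found else "FAILED"
        print(f"{md5_hex(pw)} - {status} ({pw})")
```

Even this small table of about 158,000 entries gives the same CRACKED/FAILED split as the list above, because the passwords that failed are simply longer than the space the table enumerates.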