Full Disclosure mailing list archives
Re: MD5 hash cracking service
From: "Kurt Seifried" <listuser () seifried org>
Date: Fri, 2 Jul 2004 15:15:24 -0700
Minor correction: MD5 does suffer from potential collisions, that is two different inputs can have the same MD5 output. Since the majority of systems only store the MD5 and nothing else (like say what the first letter was, or a SHA hash) if you find an input (not necessarily the "correct" one) that results in the same MD5 hash the system will accept it as legitimate since the hash values match. The chances of such a collision occuring, against arbitrary data such as "this_is_my_password" are rare, especially when you consider the limitations on passwords (length, ascii characters, etc.). The beauty of the rainbow tables is once you've "cracked" a password (i.e. taken a value, MD5'ed it, stored it in the DB) your only further requirement is storage (which is dirt cheap now) and search costs (which is pretty cheap since you have it all nicely done up in tables). Kurt Seifried, kurt () seifried org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://seifried.org/security/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- MD5 hash cracking service md5er (Jul 01)
- Re: MD5 hash cracking service Roman Medina (Jul 01)
- Re: MD5 hash cracking service Gregory A. Gilliss (Jul 01)
- Re: MD5 hash cracking service Dave King (Jul 02)
- Re: MD5 hash cracking service Kurt Seifried (Jul 02)
- Re: MD5 hash cracking service Troy (Jul 02)
- Re: MD5 hash cracking service Dave King (Jul 02)