WebApp Sec mailing list archives

Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection)


From: "Serban Ghita" <serban () verasys ro>
Date: Tue, 23 Aug 2005 18:12:25 +0300

I don't think 12 millions is a big number, especially when the database contains only a hash (32 chars) and plain text passwd (e.g. max 10-12 chars). If you run a simple bruteforce text + md5(text) function on a SQL database on an average computer and insert the results, you get in a couple of hours over half a billion results. But it's still no big deal because you only have passwords up to maybe 6-7 characters and with a simple charset of alphanumeric [0-9][a-z] (without uppercase), and without special characters including space.

As a paragraph here: I tested to see which method is more efficient (besides the rainbow crack) to find a hash, and tried both SQL-like databases and flat text. Flat text records require less space, but have high search times/results.

My opinions were based on real tests; if you want, I can publish more details if you are interested.

Serban Gh. Ghita
Coordinator
Web Department
VERASYS Intl.
serban () verasys ro
zamolxe () php net
http://web.verasys.ro
phone: +40-21-201.67.62
cell: +40-788.28.29.10

----- Original Message -----
From: "Jean-Jacques Halans" <halans () gmail com>
To: "Gary Gwin" <ggwin () cafesoft com>
Cc: <webappsec () securityfocus com>
Sent: Monday, August 22, 2005 11:57 AM
Subject: Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection)


Still on the topic of MD5 hashes...,
here's an online (multilingual) database with md5 hashes,
containing "12,289,330 unique entries".
http://gdataonline.com/

--
Halans
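An added example, not part of the thread, that puts numbers on Serban's point and shows the hardened alternative: the [0-9][a-z] keyspace the post describes, a tiny precomputed md5 table that reverses an unsalted hash in one lookup, and a salted, iterated hash (PBKDF2-HMAC-SHA256, chosen here as the mitigation; the thread does not name one) that such a table cannot reverse. The salt value and the password 'ab1' are constructed for the demo.

```python
import hashlib
import hmac
from itertools import product

# Charset the post describes: [0-9][a-z], no uppercase, no specials, no space.
CHARSET = "0123456789abcdefghijklmnopqrstuvwxyz"

def keyspace_size(charset_len: int, max_len: int) -> int:
    """Number of distinct passwords of length 1..max_len over the charset."""
    return sum(charset_len ** n for n in range(1, max_len + 1))

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def build_md5_table(charset: str, max_len: int) -> dict:
    """Precompute md5(text) -> text for every string up to max_len.
    Keep max_len tiny here (3 gives 47,988 rows); the post's 6-7 chars is
    the same loop run for hours, which is exactly why unsalted md5 is weak."""
    table = {}
    for n in range(1, max_len + 1):
        for chars in product(charset, repeat=n):
            text = "".join(chars)
            table[md5_hex(text)] = text
    return table

def lookup(table: dict, hexdigest: str):
    """An unsalted md5 reverses to its plaintext with a single dictionary hit."""
    return table.get(hexdigest)

def salted_slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Hardened form: per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256).
    A precomputed table is useless because every salt would need its own table,
    and each guess now costs `iterations` hash calls instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()

def verify(password: str, salt: bytes, stored: str) -> bool:
    """Constant-time comparison so verification does not leak via timing."""
    return hmac.compare_digest(salted_slow_hash(password, salt), stored)

if __name__ == "__main__":
    print("keyspace [0-9a-z] up to 6 chars:", keyspace_size(36, 6))  # 2238976116
    table = build_md5_table(CHARSET, 3)
    print("md5('ab1') reversed to:", lookup(table, md5_hex("ab1")))  # ab1
    print("md5(salt+'ab1') in table:", lookup(table, md5_hex("x7ab1")))  # None
    salt = b"constructed-salt"  # constructed; real code uses os.urandom(16) per user
    stored = salted_slow_hash("ab1", salt)
    print("verify('ab1'):", verify("ab1", salt, stored))  # True
```

The 12 million entries quoted in the thread are well under one percent of the 2.2 billion strings of up to 6 chars over this charset alone, which is the sense in which the post calls it "not a big number".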
