Slashdot Mirror
Online MD5 Cracking Service
toast writes "Did you forget your password but have your /etc/shadow? If so, this site is for you. Submit a MD5 hash and within a few days you'll have an answer. Of course, once Slashdot has its way, you'll have to wait a few years for an answer.. At least now I'll always know what f3789b3c1be47758203f9e8a4d8c6a2a means.."
hmmmm I would never submit any shadow file, who knows what the admin of the site does with the results! Nick
If you have physical access to your computer...which you should...then of course you could just do it all by hand by booting off of a CD. Why go through all this, unless it's to do something you're not suppose to be doing.
I don't know, what would this be usefull for? Remote admin tasks perhaps?
"Music is everybody's possession. It's only publishers who think that people own it." - John Lennon.
This seems pretty irresponsible... There's not even a disclaimer or click-through license that tells you to submit only a shadow file you are authorized to manipulate. People who have legitimately lost their passwords are going to be a tiny, tiny minority of users of this site.
You must be new here.
While I'm *cough* sure that this site has good intentions, the best thing to do if you lose your password is
1) Get the admin to change it for you.
or, if you've lost the root password
2) Boot through some external method (generally from CD or network) and change your password that way.
Admins should keep the shadow file safe from malicious access, but this is giving it to a 3rd party... bad juju.
A quick check of hashes pending results shows that not only will you know, but also the 52 dronelike /.ers who submitted the same hash.
Tip: Change your password.
>At best, they could come up with a combination that produces the same hash as the one given to them, but that does not mean it is the right answer.
But then why wouldn't that be good enough?
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
> Is there a reason that they didn't add capital letters into the algorithm?
Sure there is: lack of computing power.
26 letters and 10 digits * 8 characters = 2.8*10^12 combinations
52 letters and 10 digits * 8 characters = 2.2*10^14 combinations
Adding the capital letters would make the problem approximately 100 times more difficult to brute force.
This is why we use salted, iterated hashing.
/etc/shadow doesn't really make any sense. I still find it a bit worrying that they can crack a password with about 42 bits of entropy. A good 8 character password will have about 48 bits of entropy, which means it would take only 64 times as long to crack as what they can do now (a litle more if the hashing is in fact iterated). But the salt does mean they couldn't be cracking more than one password at a time. (I'm glad my root password is 16 chars long).
I never really looked into exactly how crypt works, so I can't say for sure if it use iterated hashing. But in the case of MD5 passwords, it does indeed use a 48 bit salt (8 chars base 64 encoded). So mentioning
Do you care about the security of your wireless mouse?
which is why this website needs to have a distributed client
members are seeing something, your seeing an ad
If your password is under 8 characters and contains only lowercase letters and digits, you deserve to be cracked. If you use a proper password, then you have nothing to fear from this "service"
Why am I so vulnerable if I don't have > 8 character passwords? Only root can look at
AccountKiller
Sorry, but this is nothing more than a "Oh cool." to me. It has no value to me as an admin. I lost my root pw, or my user passwords? I have physical access to the machine, I just reboot single user, and boom, I'm in.
I purchase old computers all the time (where old is relative of course) often with passworded logins, or -always- the owner forgot the root password. Every OS I've come across with has had a way to get past the password protection -IF YOU HAVE PHYSICAL ACCESS-
Now if you lose your login on your unix machine that you have remote access to only, contact whoever hosts it, have -them- break it open for you. If they don't know how... question their admin-fu.
A short range MD5 cracker. Neat tho, but nothing more than brute force no?
If it's a production server that you can't afford to even reboot, maybe you shouldn't be giving the root password to some random website
Yes, because knowing the password means that you automatically know the IP address too, right?
Personally, I think it would be better if they released an app that does this.
Yeah, a 47GB app. That'd be a snap to download.
They're using RainbowCrack - the app is no secret.. it's the data tables that make this useful.
They store all this stuff in a table, and now getting passwords to most systems is nothing more than a quick table lookup.
/. article about this new table lookup method some time back.
As should be obvious, a table lookup through a few terabytes of data isn't all that quick.
That's what this is all about. Rainbow crack, which is what the original posts site is using, is a faster way to look things up in tables. So when they say it works for anything a-z,0-9, then they mean that they have precalculated all those passwords (up to 8 chars) and what you are in fact doing by submitting this request is essentially a table lookup over 47 gigs of data.
The point is that efficent table searching for this sort of thing is relatively new. There was a
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
So your Sup3r-|3e7,P4S5V0rT' may still be cracked because not only doesbut so doesI don't know the actual likelihood of collisions, though. There's the real question.
On the bright side, you may be able to find a less troublesome-to-type version of your not-deserving-of-crackage, proper password.