Slashdot Mirror


Online MD5 Cracking Service

toast writes "Did you forget your password but have your /etc/shadow? If so, this site is for you. Submit an MD5 hash and within a few days you'll have an answer. Of course, once Slashdot has its way, you'll have to wait a few years for an answer. At least now I'll always know what f3789b3c1be47758203f9e8a4d8c6a2a means."

8 of 401 comments

  1. Hmmmmmm by skynetos · · Score: 5, Insightful

    hmmmm I would never submit any shadow file, who knows what the admin of the site does with the results! Nick

  2. Um....couldn't you just change it yourself? by ScottGant · · Score: 4, Insightful

    If you have physical access to your computer...which you should...then of course you could just do it all by hand by booting off of a CD. Why go through all this, unless it's to do something you're not supposed to be doing.

    I don't know, what would this be useful for? Remote admin tasks perhaps?

    --

    "Music is everybody's possession. It's only publishers who think that people own it." - John Lennon.
  3. Hmm by Have Blue · · Score: 3, Insightful

    This seems pretty irresponsible... There's not even a disclaimer or click-through license that tells you to submit only a shadow file you are authorized to manipulate. People who have legitimately lost their passwords are going to be a tiny, tiny minority of users of this site.

    1. Re:Hmm by GodEater · · Score: 5, Insightful

      Especially since the only people who should have access to /etc/shadow should be the people with root on the box.

      Joe Bloggs on his shell account isn't going to be able to get it, is he?

      --

      Gentlemen, start your penguins

  4. 'scuse me? by NitsujTPU · · Score: 3, Insightful

    While I'm *cough* sure that this site has good intentions, the best thing to do if you lose your password is

    1) Get the admin to change it for you.

    or, if you've lost the root password

    2) Boot through some external method (generally from CD or network) and change your password that way.

    Admins should keep the shadow file safe from malicious access, but this is giving it to a 3rd party... bad juju.

  5. . . . not just you . . . by erikharrison · · Score: 3, Insightful

    At least now I'll always know what f3789b3c1be47758203f9e8a4d8c6a2a means

    A quick check of hashes pending results shows that not only will you know, but also the 52 dronelike /.ers who submitted the same hash.


    Tip: Change your password.

  6. Re:Dictionary attack by kasperd · · Score: 3, Insightful

    This is why we use salted, iterated hashing.

    I never really looked into exactly how crypt works, so I can't say for sure if it uses iterated hashing. But in the case of MD5 passwords, it does indeed use a 48 bit salt (8 chars base 64 encoded). So mentioning /etc/shadow doesn't really make any sense. I still find it a bit worrying that they can crack a password with about 42 bits of entropy. A good 8 character password will have about 48 bits of entropy, which means it would take only 64 times as long to crack as what they can do now (a little more if the hashing is in fact iterated). But the salt does mean they couldn't be cracking more than one password at a time. (I'm glad my root password is 16 chars long).

    --

    Do you care about the security of your wireless mouse?
  7. Re:Even worse... by schon · · Score: 4, Insightful

    If it's a production server that you can't afford to even reboot, maybe you shouldn't be giving the root password to some random website

    Yes, because knowing the password means that you automatically know the IP address too, right?

    Personally, I think it would be better if they released an app that does this.

    Yeah, a 47GB app. That'd be a snap to download.

    They're using RainbowCrack - the app is no secret.. it's the data tables that make this useful.
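
The two points made in comments 6 and 7 (a per-account salt means one password at a time, and the precomputed tables are what make the service work) can be shown side by side. This is an added example, not part of the original thread or the site's code; it uses PBKDF2-HMAC-SHA256 as a stand-in for salted, iterated hashing rather than MD5-crypt, and the word list and salts are constructed.

```python
import hashlib

# Constructed sample words; a real precomputed table covers a vast keyspace.
CANDIDATES = ["letmein", "password", "slashdot", "hunter2"]
ITERATIONS = 1000  # assumption: illustrative work factor only


def md5_table(words):
    """Unsalted MD5: one digest -> plaintext table serves every account."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def salted_hash(password, salt):
    """Salted, iterated hash (stand-in for the scheme used in /etc/shadow)."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, ITERATIONS
    ).hex()


def salted_table(words, salt):
    """A precomputed table is only valid for the single salt it was built with."""
    return {salted_hash(w, salt): w for w in words}


def salt_space(chars=8, alphabet=64):
    """Distinct salts for 8 base64 characters, i.e. 48 bits."""
    return alphabet ** chars


def demo():
    # Unsalted: two accounts sharing a password store the identical digest.
    bare = hashlib.md5(b"hunter2").hexdigest()
    # Salted: same password, two constructed salts, two unrelated digests.
    salt_a, salt_b = b"AAAAAAAA", b"BBBBBBBB"
    hash_a = salted_hash("hunter2", salt_a)
    hash_b = salted_hash("hunter2", salt_b)
    table_a = salted_table(CANDIDATES, salt_a)
    return {
        "unsalted_lookup": md5_table(CANDIDATES).get(bare),
        "salted_digests_differ": hash_a != hash_b,
        "table_a_on_salt_a": table_a.get(hash_a),
        "table_a_on_salt_b": table_a.get(hash_b),  # table does not transfer
        "tables_needed": salt_space(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `tables_needed` figure is why precomputation stops paying off once every stored hash carries its own salt: the 47GB of tables mentioned above would have to be rebuilt per salt value.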