Slashdot Mirror


Online MD5 Cracking Service

toast writes "Did you forget your password but have your /etc/shadow? If so, this site is for you. Submit an MD5 hash and within a few days you'll have an answer. Of course, once Slashdot has its way, you'll have to wait a few years for an answer.. At least now I'll always know what f3789b3c1be47758203f9e8a4d8c6a2a means.."

7 of 401 comments

  1. Dictionary attack by Anonymous Coward · · Score: 5, Interesting

    This is why we use salted, iterated hashing.

    1. Re:Dictionary attack by kasperd · · Score: 3, Interesting

      which is why this website needs to have a distributed client

      How much would that help? Presumably everybody submitting a password to have cracked has a different salt, so how much can they help each other? Of course if you want to find the reverse image of a hash value by brute force, it would help to have a lot of machines working on it, and if everybody had a list of all the hashes being searched for, they could help each other. But brute forcing MD5 this way is something that wouldn't be realistic now, maybe in 100 years we will have enough computing power to do that. So some shortcuts must be made, which is why they allow only short passwords using a restricted set of chars. This "service" will only find the password from a small set with 42 bits of entropy, the salt alone has 48 bits of entropy. Probably you could make similar shortcuts even given a salt, but they would have to be aimed at one particular salt.

      --

      Do you care about the security of your wireless mouse?
  2. Question by ArchAngel21x · · Score: 4, Interesting

    What is /etc/shadow?

  3. Re:Umm.. by cgenman · · Score: 3, Interesting

    Anyone else wonder if this is just a clever way to steal passwords?

  4. Re:MD5 vs SHA-1 by kasperd · · Score: 4, Interesting

    Hence an executable file with a specific MD5 value either is the original or garbage that won't run.

    Don't count on it. When you create an executable it is easy to put 17 bytes somewhere that are really not used for anything. After this has been done just start searching for a combination of those 17 bytes that produces the expected hash. It is very likely that more than one choice will exist. Of course this would take too much time.

    It is easier to produce a collision. Create two executables, and instead of the 17 bytes from before just leave 9 unused bytes in each file. Then try all choices for each of the two files, and sort the results to find your collision. 2*256^9 is way smaller than 256^17. Of course even this is still infeasible. But it will be possible in a few (50) years. Using SHA1 is a bit better, but it will only take about 100000 times as much CPU time to find a SHA1 collision as an MD5 collision. Which means the computer to do it will be available about 25 years later than the one to find an MD5 collision (assuming Moore's law still holds).

    --

    Do you care about the security of your wireless mouse?
  5. It gives one pause... by chill · · Score: 4, Interesting

    Well, 36 ^ 8 = 2,821,109,907,456. How long does it take to compute an MD5 Sum?

    More to the point, consider "cracking" passwords in this manner:

    The NSA has been reported to have ACRES of computer space; their own chip fab and some of the fastest computers in the world.

    What if, decades ago, they just dedicated banks of systems to cracking all possible passwords hashed with crypt. Then, a few years later, did the same thing with MD5, SHA-1, and Blowfish -- as each became available.

    They store all this stuff in a table, and now getting passwords to most systems is nothing more than a quick table lookup.

    Yes, I know the math. However, add in a bit of psychology and statistics.

    Most people don't use characters you can't type on a keyboard for a password. VERY few do ALT-nnn or something like that. Most are going to be pure alpha, or alphanumeric. Some will contain special characters.

    Meaning, you don't have to exhaust the entire 8-bit character space to get the vast majority of what you're looking for.

    Is it really a surprise that something like this is starting to be possible on consumer systems?

    Heck, imagine a beowulf cluster dedicated to this...

    --
    Learning HOW to think is more important than learning WHAT to think.
  6. Windows users not left out! by pegr · · Score: 5, Interesting

    Same thing for Windows users (only different) is here. Submit an LM or NT hash, get the password emailed back to you...
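
The salt argument in kasperd's first comment and the keyspace arithmetic in chill's, as an added Python example that is not part of the original thread: a precomputed table answers an unsalted MD5 hash instantly but misses once a 48-bit salt is mixed in. `salted_iterated` is a simplified construction made up for illustration (it is not md5-crypt), and the 3-character table and the sample password are constructed values.

```python
import hashlib
import itertools
import math
import os
import string

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols, as in 36^8

def keyspace_bits(alphabet_size, length):
    """Bits of entropy in a uniformly random password of exactly `length` symbols."""
    return length * math.log2(alphabet_size)

def unsalted_md5(password):
    return hashlib.md5(password.encode()).hexdigest()

def salted_iterated(password, salt, rounds=1000):
    """Simplified salted, iterated MD5 (assumption for illustration, NOT md5-crypt)."""
    digest = salt + password.encode()
    for _ in range(rounds):
        # Every round costs one MD5 and depends on the per-user salt.
        digest = hashlib.md5(salt + digest).digest()
    return digest.hex()

def build_table(length):
    """Precompute unsalted MD5 for every password of `length` over ALPHABET."""
    words = ("".join(c) for c in itertools.product(ALPHABET, repeat=length))
    return {unsalted_md5(w): w for w in words}

TABLE = build_table(3)  # 36^3 = 46,656 entries: a toy-sized keyspace

def lookup(hash_hex):
    """Return the password for a hash if the precomputed table covers it."""
    return TABLE.get(hash_hex)

def demo():
    pw = "a1z"  # constructed sample password inside the table's keyspace
    salt_a, salt_b = os.urandom(6), os.urandom(6)  # 6 bytes = 48-bit salts
    hash_a, hash_b = salted_iterated(pw, salt_a), salted_iterated(pw, salt_b)
    return {
        "unsalted_found": lookup(unsalted_md5(pw)),  # table hit
        "salted_found": lookup(hash_a),              # table miss
        "same_password_same_hash": hash_a == hash_b, # salts separate users
    }

if __name__ == "__main__":
    print(f"36^8 = {36**8:,} candidates = {keyspace_bits(36, 8):.1f} bits")
    print(demo())
```

A table that covered the salted case would have to be rebuilt for each salt value, which is the point of the remark that shortcuts "would have to be aimed at one particular salt".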