Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Online MD5 Hash Database

Posted by ScuttleMonkey on from the handy-tools-that-want-to-get-slashdotted dept.

Gravix writes with a shameless plug for his new site "Sporting over 12 million entries, project GDataOnline is one of the largest non-RainbowTable based MD5 crackers on the internet. The database spans over 7 languages, 35 topics, and contains common mutations to words that include numbers and capitalization. Average crack time for 5 hashes: .04 seconds. No more waiting weeks for your results!" Shameless plug aside, the site still seems worth a closer look.

10 of 295 comments (clear)

  1. So what? by kasperd · · Score: 5, Informative

    Any system using plain md5 to hash passwords is broken anyway. Include a salt - and any database over hashes will become useless. Besides if people choose good passwords, they are most likely not in the database. That is already two reasons why people should be protected, do we need anymore?

    For many other uses of cryptographic hashes the input is much more than a single word, and typically you don't really worry about keeping the input a secret anyway.

    --

    Do you care about the security of your wireless mouse?
  2. Re:Doesn't seem very useful by VeryProfessional · · Score: 4, Informative

    You wouldn't by any chance be using the md5sum command line utility and typing a newline after the word? I just tried my own name, which turned out to be in the database. Could you give just a few examples of the hash values you submitted, and the word you expected it to return?

    Oops, right you are, that's exactly what I was doing... tried the same words with echo -n and they were in fact in the database.

    /me wipes egg off face

  3. Re:Downloadable database form? by Janitha · · Score: 5, Informative

    You can create it, actually if you asked that a few months ago I had 100GB worth of md5 0-8 alpha-ALPHA-num every combination for sale (which I later made free if you sent me DVD's) but I deleted since no one was much interested and it was much needed space for other stuff. I used rainbowcrack (http://www.antsight.com/zsl/rainbowcrack) for some reason the linux client seems to work much faster than the windows one (although it made no sense to why)

  4. MD5 is nice but... by nmb3000 · · Score: 5, Informative

    What would be really nice is to see this grow past a simple MD5 database. If you're going to get traffic, you really should get an NTLM database up and start populating it as soon as possible.

    A few other places have these, in differing amounts. Rainbowcrack has tons of them, but require you to submit some before being allowed to query the system. I did submit a few NTLM hash tables, but it took the better part of a week to get my query back (it's supposed to be a lot faster than that).

    There's also Ophcrack which uses tables similar to rainbow tables. It has a web interface to query NTLM hashes for simple passwords.

    With these pre-computed hash tables, basic password security is starting to take a hit and it's becoming more and more worthwhile to use a simple but long password rather than a short and complex one. If you're on Windows, it's also VERY worthwhile to read about forcing Windows to store only the NTLM hash and drop the LM hash. It breaks old compatibility with Win 9x but is very worth it if you don't need that. This helps against precomputed attackes but has an even bigger impact agains brute-force attacks.

    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
    /)
  5. Re:Linux by spitefulcrow · · Score: 4, Informative

    Any modern Linux distribution worth its salt (pardon the pun) uses at least an MD5-based salted password storage system. Wikipedia will tell you more about salting. What it boils down to is that using enough bits of salt can make it infeasible for Joe Hacker to store a database of passwords, salts, and their hashed values that would encompass all combinations and allow dictionary attacks against MD5-protected passwords. If your Linux system doesn't use a salted hash to store passwords in /etc/shadow, you may have an issue if untrusted users have access to your system. Then again, if untrusted users have enough access to read /etc/shadow, you have a bigger problem than someone cracking your normal user passwords.

    --
    Sorry, my karma just ran over your dogma.
  6. For those that don't know by Sycraft-fu · · Score: 5, Informative

    To call LM weak would be an understatement. LM takes passwords up to 14 charackets in length, fine you think until you realise that the way tey did it is to hash 2 7-character strings. This means for any password, you have to crack a max of 7 characters. Oh, and did I meantion it's case insensitive?

    There are existing ranbowtables covering basically the entire LM space but, really, you don't need it. A fast dual core chip will crack it in less than a day.

    The parent is correct in that in all cases you can you should set Windows to only use NTLM, or better yet NTLMv2. We are (finally) getting to do that at work as we purged the last NT and 98 systems from the domain.

  7. Re:Downloadable database form? by Janitha · · Score: 4, Informative

    With multiple programs working on seperate parts (assuming you broke your whole project into many tables) it can be done pretty fast. Specially if you have access to many computers. The rainbowcrack will automatically pick up and resume work if interupted in the middle, and skips over if the asked table is already created, so its perfect for the job of spanning across multiple machines.

  8. Trojan alert by Anonymous Coward · · Score: 5, Informative

    Visiting this site (md5 one) resulted in pop-ups which were loaded with the StartPage Trojan which fortunately F-Secure spotted.

  9. Re:You might expect that... by baadger · · Score: 4, Informative

    This is lightly salted.

    "slashdot.org<my password>" will render any generic databases like GData useless for Slashdot password searching. It means someone has to build up a Slashdot specific database using a dictionary first. That is all a salt is really for, to inconvenience a dictionary attack.

    "slashdot.orgbaadger<my password>" (<site><username><password>) would be better as it means the cracker has to build a database specific to slashdot and my username.

    So yes these passwords are salted, using the domain just saves the plugin having to save random salts somewhere.

  10. Re:Downloadable database form? by Thundersnatch · · Score: 5, Informative

    It's called a password "salt", and many applications use them. It's much better to use a large random value stored in the clear than the username.

    Microsoft, of course, is screwed by the need to provide backward compatibilitty, and does not salt the (MD4-based) NTLMv2 hash stored on Windows systems. They encrypt the whole hash database instead to prevent offline attacks, but this is ineffective as the decryption key is also "hidden" on the system's disk unless you want requrie a diskette/CD/floppy at boot that contains the decryption "syskey".