Slashdot Mirror
New Online MD5 Hash Database
Gravix writes with a shameless plug for his new site "Sporting over 12 million entries, project GDataOnline is one of the largest non-RainbowTable based MD5 crackers on the internet. The database spans over 7 languages, 35 topics, and contains common mutations to words that include numbers and capitalization. Average crack time for 5 hashes: .04 seconds. No more waiting weeks for your results!" Shameless plug aside, the site still seems worth a closer look.
Any system using plain md5 to hash passwords is broken anyway. Include a salt - and any database over hashes will become useless. Besides if people choose good passwords, they are most likely not in the database. That is already two reasons why people should be protected, do we need anymore?
For many other uses of cryptographic hashes the input is much more than a single word, and typically you don't really worry about keeping the input a secret anyway.
Do you care about the security of your wireless mouse?
You can create it, actually if you asked that a few months ago I had 100GB worth of md5 0-8 alpha-ALPHA-num every combination for sale (which I later made free if you sent me DVD's) but I deleted since no one was much interested and it was much needed space for other stuff. I used rainbowcrack (http://www.antsight.com/zsl/rainbowcrack) for some reason the linux client seems to work much faster than the windows one (although it made no sense to why)
What would be really nice is to see this grow past a simple MD5 database. If you're going to get traffic, you really should get an NTLM database up and start populating it as soon as possible.
A few other places have these, in differing amounts. Rainbowcrack has tons of them, but require you to submit some before being allowed to query the system. I did submit a few NTLM hash tables, but it took the better part of a week to get my query back (it's supposed to be a lot faster than that).
There's also Ophcrack which uses tables similar to rainbow tables. It has a web interface to query NTLM hashes for simple passwords.
With these pre-computed hash tables, basic password security is starting to take a hit and it's becoming more and more worthwhile to use a simple but long password rather than a short and complex one. If you're on Windows, it's also VERY worthwhile to read about forcing Windows to store only the NTLM hash and drop the LM hash. It breaks old compatibility with Win 9x but is very worth it if you don't need that. This helps against precomputed attackes but has an even bigger impact agains brute-force attacks.
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
/)
To call LM weak would be an understatement. LM takes passwords up to 14 charackets in length, fine you think until you realise that the way tey did it is to hash 2 7-character strings. This means for any password, you have to crack a max of 7 characters. Oh, and did I meantion it's case insensitive?
There are existing ranbowtables covering basically the entire LM space but, really, you don't need it. A fast dual core chip will crack it in less than a day.
The parent is correct in that in all cases you can you should set Windows to only use NTLM, or better yet NTLMv2. We are (finally) getting to do that at work as we purged the last NT and 98 systems from the domain.
Visiting this site (md5 one) resulted in pop-ups which were loaded with the StartPage Trojan which fortunately F-Secure spotted.
It's called a password "salt", and many applications use them. It's much better to use a large random value stored in the clear than the username.
Microsoft, of course, is screwed by the need to provide backward compatibilitty, and does not salt the (MD4-based) NTLMv2 hash stored on Windows systems. They encrypt the whole hash database instead to prevent offline attacks, but this is ineffective as the decryption key is also "hidden" on the system's disk unless you want requrie a diskette/CD/floppy at boot that contains the decryption "syskey".