Slashdot Mirror


New Online MD5 Hash Database

Gravix writes with a shameless plug for his new site "Sporting over 12 million entries, project GDataOnline is one of the largest non-RainbowTable based MD5 crackers on the internet. The database spans over 7 languages, 35 topics, and contains common mutations to words that include numbers and capitalization. Average crack time for 5 hashes: .04 seconds. No more waiting weeks for your results!" Shameless plug aside, the site still seems worth a closer look.

11 of 295 comments

  1. Hmmm... by mg2 · · Score: 5, Insightful
    Seems like using salted MD5 hashes would render this kind of stuff totally useless.

    ...You all use salted md5 hashing in your applications, don't you?

  2. Doesn't seem very useful by VeryProfessional · · Score: 5, Insightful

    Apart from the fact that this site is somewhat morally questionable, it doesn't seem to work very well. I inserted a number of hashes for common first names and dictionary words, and none of them returned a hit. If the database doesn't even cover common stuff such as this, what is it really good for? Really, 12 million hashes out of a space of 2^128 is truly minuscule.

    1. Re:Doesn't seem very useful by kasperd · · Score: 5, Insightful

      I inserted a number of hashes for common first names and dictionary words, and none of them returned a hit.

      You wouldn't by any chance be using the md5sum command line utility and typing a newline after the word? I just tried my own name, which turned out to be in the database. Could you give just a few examples of the hash values you submitted, and the word you expected it to return?

      --

      Do you care about the security of your wireless mouse?
  3. wow by Anonymous Coward · · Score: 1, Insightful

    They must be smoking some dope ass crack if they think they have lots of common permutations of dictionary words covered. Try fcaf8cb5751b2995c95f6c8021584eff (h3ll0) or 50c20343d45744b1aa36ace8c04c700a (th3r3). Is there anything simpler in terms of common words with obvious numeric substitutions that it actually gets?

  4. Re:MD5 is nice but... by aicrules · · Score: 3, Insightful

    GREAT! So now all freaking IT security departments are going to up the minimum password length to like 64 in ADDITION to having to change it every other day, not being able to use the last 1000 passwords you've ever used, and requiring alternating caps, numbers, and punctuation.

    Sure, I'm exaggerating a little, but the amount of time I have to spend on password maintenance is nearly making a line item on my time sheet.

  5. Pointless. by Randseed · · Score: 2, Insightful
    I generated a PHP script that does password managing a couple of weeks ago, and even I used a SALT in the process. I suppose that this is useful if you come across a site so horribly broken as to not use a SALT, or if you know the SALT ahead of time somehow. (Not hard to do the latter, really.)

    All in all, this is another ho-hum kind of story.

  6. Re:Downloadable database form? by bobbozzo · · Score: 3, Insightful

    One of the vendors at DefCon this year was selling them.

    Try googling for Rainbow Tables.

    --
    Nothing to see here; Move along.
  7. Re:oh, i get it! by isorox · · Score: 2, Insightful

    8acb583ce572bbdd4d8cd3375fba65f9

  8. Re:Linux by rhizome · · Score: 4, Insightful

    More often than not people are dumb and easily scared. Every time you do something they don't expect you to do, they might treat you as a criminal, no matter what your intentions.

    This is why it's not a good idea to humiliate people who have more power than you if you have something to lose.

    --
    When I was a kid, we only had one Darth.
  9. Re:Downloadable database form? by pAnkRat · · Score: 4, Insightful

    Just out of interest, why would you store the password for a user as (pseudo code follows)

    md5(pw);

    and not

    md5(username + pw);

    Salting the hash with a variable (here: username) helps prevent wide scale probing with rainbow lists in the event the DB gets "stolen".

    --
    we need an "-1 Plain wrong" moderation option!
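
An added example, not part of the original thread or any commenter's code: a Python sketch of the two points raised above, kasperd's trailing-newline pitfall and pAnkRat's `md5(username + pw)`, checked against a small precomputed lookup table. The wordlist, usernames and function names are constructed for illustration.

```python
import hashlib

# Constructed wordlist standing in for a precomputed database of common words.
WORDLIST = ["hello", "password", "kasper", "letmein"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup(words):
    """Precompute digest -> word once, the way an unsalted lookup site does."""
    return {md5_hex(w): w for w in words}


def stored_unsalted(username: str, pw: str) -> str:
    return md5_hex(pw)  # md5(pw)


def stored_salted(username: str, pw: str) -> str:
    return md5_hex(username + pw)  # md5(username + pw), as in the comment


def audit(users, table):
    """For each (username, pw), report which stored form the table reverses."""
    report = {}
    for username, pw in users:
        report[username] = {
            "unsalted": table.get(stored_unsalted(username, pw)),
            "salted": table.get(stored_salted(username, pw)),
        }
    return report


def newline_pitfall(word: str, table):
    """Look up md5(word) and md5(word + newline); `echo word | md5sum` hashes the latter."""
    return table.get(md5_hex(word)), table.get(md5_hex(word + "\n"))


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    # Constructed accounts: two users sharing one password.
    users = [("alice", "password"), ("bob", "password")]
    print(audit(users, table))
    print(stored_unsalted(*users[0]) == stored_unsalted(*users[1]))  # identical rows
    print(stored_salted(*users[0]) == stored_salted(*users[1]))      # distinct rows
    print(newline_pitfall("hello", table))
```

The username salt defeats the shared precomputed table; it does not slow guessing against a single account, since each guess is still one MD5 call.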
  10. Re:Linux by indifferent+children · · Score: 3, Insightful

    Booting the machine in Knoppix requires that the 'bad guy' have physical access to the machine. Even if physical access cannot be well restricted, you can turn off 'boot from CDROM' in the BIOS, and password-protect the BIOS. Now the 'bad guy' has to open the machine, find the motherboard-type, find out which jumper clears the BIOS password(s), etc. Most machines can also be padlocked shut, so now the 'bad guy' needs to bring a Dremel or such.

    --
    Censorship is telling a man he can't have a steak just because a baby can't chew it. --Mark Twain