Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Online MD5 Hash Database

Posted by ScuttleMonkey on from the handy-tools-that-want-to-get-slashdotted dept.

Gravix writes with a shameless plug for his new site "Sporting over 12 million entries, project GDataOnline is one of the largest non-RainbowTable based MD5 crackers on the internet. The database spans over 7 languages, 35 topics, and contains common mutations to words that include numbers and capitalization. Average crack time for 5 hashes: .04 seconds. No more waiting weeks for your results!" Shameless plug aside, the site still seems worth a closer look.

16 of 295 comments (clear)

  1. quick by Lehk228 · · Score: 5, Funny

    Quick! everybody go test your password security by sending it to a random web site

    --
    Snowden and Manning are heroes.
  2. oh, i get it! by Anonymous Coward · · Score: 5, Funny

    6436a55a08760c5b94dbed4476f83fcd

    1. Re:oh, i get it! by Matilda+the+Hun · · Score: 5, Funny

      8acb583ce572bbdd4d8cd3375fba65f9
      --
      This post may be the personal opinion of me and noone else, but it's more likely to be random characters.

      Someone mod his sig +5 Insightful.

      --
      Tluin natha Linux xxizzuss uriu olt bwael mon'tun.
  3. Downloadable database form? by 5n3ak3rp1mp · · Score: 5, Interesting

    Does anyone know how to get a hold of a database such as this? As part of our IT auditing I'd like to be able to do a join of our md5-encoded user passwords (no salts or anything) with this to see whose password is insecure... yeah, that's it...

    1. Re:Downloadable database form? by Janitha · · Score: 5, Informative

      You can create it, actually if you asked that a few months ago I had 100GB worth of md5 0-8 alpha-ALPHA-num every combination for sale (which I later made free if you sent me DVD's) but I deleted since no one was much interested and it was much needed space for other stuff. I used rainbowcrack (http://www.antsight.com/zsl/rainbowcrack) for some reason the linux client seems to work much faster than the windows one (although it made no sense to why)

    2. Re:Downloadable database form? by Thundersnatch · · Score: 5, Informative

      It's called a password "salt", and many applications use them. It's much better to use a large random value stored in the clear than the username.

      Microsoft, of course, is screwed by the need to provide backward compatibilitty, and does not salt the (MD4-based) NTLMv2 hash stored on Windows systems. They encrypt the whole hash database instead to prevent offline attacks, but this is ineffective as the decryption key is also "hidden" on the system's disk unless you want requrie a diskette/CD/floppy at boot that contains the decryption "syskey".

  4. Hmmm... by mg2 · · Score: 5, Insightful
    Seems like using salted MD5 hashes would render this kind of stuff totally useless.

    ...You all use salted md5 hashing in your applications, don't you?

  5. Doesn't seem very useful by VeryProfessional · · Score: 5, Insightful

    Apart from the fact that this site is somewhat morally questionable, it doesn't seem to work very well. I inserted a number of hashes for common first names and dictionary words, and none of them returned a hit. If the database doesn't even cover common stuff such as this, what is it really good for? Really, 12 million hashes out of a space of 2^128 is truly miniscule.

    1. Re:Doesn't seem very useful by kasperd · · Score: 5, Insightful

      I inserted a number of hashes for common first names and dictionary words, and none of them returned a hit.

      You wouldn't by any chance be using the md5sum command line utility and typing a newline after the word? I just tried my own name, which turned out to be in the database. Could you give just a few examples of the hash values you submitted, and the word you expected it to return?

      --

      Do you care about the security of your wireless mouse?
  6. So what? by kasperd · · Score: 5, Informative

    Any system using plain md5 to hash passwords is broken anyway. Include a salt - and any database over hashes will become useless. Besides if people choose good passwords, they are most likely not in the database. That is already two reasons why people should be protected, do we need anymore?

    For many other uses of cryptographic hashes the input is much more than a single word, and typically you don't really worry about keeping the input a secret anyway.

    --

    Do you care about the security of your wireless mouse?
  7. MD5 is nice but... by nmb3000 · · Score: 5, Informative

    What would be really nice is to see this grow past a simple MD5 database. If you're going to get traffic, you really should get an NTLM database up and start populating it as soon as possible.

    A few other places have these, in differing amounts. Rainbowcrack has tons of them, but require you to submit some before being allowed to query the system. I did submit a few NTLM hash tables, but it took the better part of a week to get my query back (it's supposed to be a lot faster than that).

    There's also Ophcrack which uses tables similar to rainbow tables. It has a web interface to query NTLM hashes for simple passwords.

    With these pre-computed hash tables, basic password security is starting to take a hit and it's becoming more and more worthwhile to use a simple but long password rather than a short and complex one. If you're on Windows, it's also VERY worthwhile to read about forcing Windows to store only the NTLM hash and drop the LM hash. It breaks old compatibility with Win 9x but is very worth it if you don't need that. This helps against precomputed attackes but has an even bigger impact agains brute-force attacks.

    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
    /)
  8. Advantages by Elitist_Phoenix · · Score: 5, Funny

    What advantages does this database have over say a Cray supercomputer, which I could also afford.

    --
    "I'm going to f***ing bury that guy, I have done it before, and I will do it again. I'm going to f***ing kill Google"
  9. For those that don't know by Sycraft-fu · · Score: 5, Informative

    To call LM weak would be an understatement. LM takes passwords up to 14 charackets in length, fine you think until you realise that the way tey did it is to hash 2 7-character strings. This means for any password, you have to crack a max of 7 characters. Oh, and did I meantion it's case insensitive?

    There are existing ranbowtables covering basically the entire LM space but, really, you don't need it. A fast dual core chip will crack it in less than a day.

    The parent is correct in that in all cases you can you should set Windows to only use NTLM, or better yet NTLMv2. We are (finally) getting to do that at work as we purged the last NT and 98 systems from the domain.

  10. Salting *and iterating* by Paul+Crowley · · Score: 5, Interesting

    Actually I have seen many applications that fail to salt passwords before hashing them; it's depressing. Salt should be long enough to be globally unique when randomly generated. Old-style Unix passwords used a 12-bit salt, which was pathetic; 128 bits would be plenty.

    In addition, it's best to iterate the hash many times, which slows down dictionary attacks. See Kelsey, Schneier et al, "Secure Applications of Low-Entropy Keys":

    http://www.schneier.com/paper-low-entropy.html

    The proofs in that paper are based on the assumption that the hash function is collision free, which of course MD5 isn't; another hash function might be preferable.

    --
    Xenu loves you!
  11. Trojan alert by Anonymous Coward · · Score: 5, Informative

    Visiting this site (md5 one) resulted in pop-ups which were loaded with the StartPage Trojan which fortunately F-Secure spotted.

  12. Re:Interestingly... by stray · · Score: 5, Interesting

    Hm, why did I never try this before :-) ?

    echo -n "trustno1" | md5sum
    5fcfd41e547a12215b173ff47fdd3739

    Google for it, nice vector there.
    Disturbing, to say the least.