Cracking md5() - Good luck ;)

PythonPython Forum LeaderThe Royal RAM
in Coding Languages
I just came across a post made at a forum where people were talking about cracking an md5() password and getting the original pass for it...

Apparently even using top-notch hardware it still takes a long time to do... A few days at minimum - In fact I havent actually seen anyone say anything about them being succesful so it could take weeks if not months...

The problem is that md5() is 32 character random encryption and therefore think about how many combinations there could be :)

Anyway... I guess this is just a bit of useless information which might reassure you about the security behind a simple md5() :)

The Royal Ram

Comments

  • ChroderChroder Senior Member The Royal RAM
    The big thing a while ago was when someone finally "broke" the MD5 algorithm for creating the hash (weirdly enough, searching "MD5 broken" on google brings up me :D).

    Since any hash algorithm is taking an undetermined length of data and mushing it into a fixed length (32 chars for MD5, 40 for SHA1 etc), then that means there will always be items that will share the same hash.

    That means you wouldn't even have to know the original data, all you need to do is find a piece of data that happened to produce the same hash. Once you have an efficient way of finding how to produce identical hashes, it becomes more then just cracking a password by bruteforce, and the time it takes is reduced dramatically.

    Cracking a password from scratch depends largely on it's length and the characters used. If it's 4 characters and only uses numbers, then obviously it won't take long to crack (a couple minutes). But if it's mixed-case alphanumeric with 8 characters, then it will take quite a bit more time. And passwords based on words are easily cracked, reducing time dramatically. Nowadays, making a cluster with a few *nix machines is incredibly easy, so the attacker might just set up say, 5 computers, and thus again reducing the time to crack a hash. So all of these factors will contribute to how easily your password hashes can be cracked.

    With that said, public services like passcracking work very well. They get the public to input strings and they crack them. Once they have the cracked string, they record it. After a while, they have a database full of cracked strings and searching for a pre-cracked string is much faster then trying to crack it from the start. That particular service was slashdotted a while ago, so the database is quite large.

    So yes, MD5, SHA1 or any other hash function will give you some extra security. But that doesn't mean you can fling your hashed passwords around, especially if they are simple passwords (words, all one case, etc). If an attacker wants to crack your hash enough, then it will be cracked. Sometimes it might take a couple of hours (ie: bruteforcing through a wordlist with common passwords), and sometimes it might take a month (using a modern computer to bruteforce everything).
    The New Tech - New
    Webmaster-Talk.com
    Chroder.com
  • PythonPython Forum Leader The Royal RAM
    Whoa - thats quite a post. Could do with a member like you around here - would really get things up and running ;)

    Thanks for the post. I was actually a bit unsure about it all but thats cleared it up.

    The Royal Ram

  • ChroderChroder Senior Member The Royal RAM
    I'm no cryptographer, but I read up on hashing algorithms when the SHA0/MD5 hashes were 'broken'.

    I try to pop in every once in a while ;) I saw you on WMT and went, "oh yeah, haven't been there in a while." :D
    The New Tech - New
    Webmaster-Talk.com
    Chroder.com
  • PythonPython Forum Leader The Royal RAM
    I just read up a little about SHA algorithms... WOW - Didnt understand any of it..

    Something about it splitting it up into 80 parts then piecing them together again...woah. I think Ill stick with just the basic PHP for now

    The Royal Ram

Sign In or Register to comment.