[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] MD5 hash cracking service

To: "Dave King" <dave@xxxxxxxxxxxxx>, "Gregory A. Gilliss" <ggilliss@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-Disclosure] MD5 hash cracking service
From: "Kurt Seifried" <listuser@xxxxxxxxxxxx>
Date: Fri, 2 Jul 2004 15:15:24 -0700

Minor correction: MD5 does suffer from potential collisions, that is two
different inputs can have the same MD5 output. Since the majority of systems
only store the MD5 and nothing else (like say what the first letter was, or
a SHA hash) if you find an input (not necessarily the "correct" one) that
results in the same MD5 hash the system will accept it as legitimate since
the hash values match. The chances of such a collision occuring, against
arbitrary data such as "this_is_my_password" are rare, especially when you
consider the limitations on passwords (length, ascii characters, etc.). The
beauty of the rainbow tables is once you've "cracked" a password (i.e. taken
a value, MD5'ed it, stored it in the DB) your only further requirement is
storage (which is dirt cheap now) and search costs (which is pretty cheap
since you have it all nicely done up in tables).

Kurt Seifried, kurt@xxxxxxxxxxxx
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] MD5 hash cracking service
  - From: md5er
- Re: [Full-Disclosure] MD5 hash cracking service
  - From: Gregory A. Gilliss
- Re: [Full-Disclosure] MD5 hash cracking service
  - From: Dave King

Prev by Date: Re: [Full-Disclosure] Web sites compromised by IIS attack
Next by Date: RE: [Full-Disclosure] Fix for IE ADODB.Stream vulnerability is ou t
Previous by thread: Re: [Full-Disclosure] MD5 hash cracking service
Next by thread: Re: [Full-Disclosure] MD5 hash cracking service
Index(es):
- Date
- Thread