phpSensei, August 30, 2007:
I can't tell whether this proves anything or not, but you can actually crack any md5 hash number here... http://gdataonline.com/seekhash.php I thought md5 was safe..
Jessica, August 30, 2007:
Not any... just 699,735 of them. It's not even really cracked... it's just like brute-forcing. No encryption can be 100% safe because of this method. Do you see how it works? It has a database of words and their hashes. So you enter a hashed string and it just looks up what the word is, if it has it.
phpSensei, August 30, 2007:
You sure? I will try my last name and see if it works... Lastname: Dowlatkhahi <<< Don't ask. :-\
Jessica, August 30, 2007:
Well they probably won't have that in their database... but if it works, let me know.
Jessica, August 30, 2007:
I actually have that site bookmarked. Here are a few others: http://www.tmto.org/?category=main&page=search http://md5.rednoize.com/ http://md5.shalla.de/cgi-bin/index.cgi
phpSensei, August 30, 2007:
What's with the downtime... I really think we need a general discussion forum. NO IT DIDN'T! lol, the site is as you said. Just some cheap site based on luck really..
Psycho, August 30, 2007:
One thing many don't understand is that MD5 is a hash, not an encryption. That site is only able to "guess" the value based upon a dictionary of "common" values. Every MD5 hash has MANY possible values that could have created that hash. So, the MD5 hash for "password" could be the same MD5 hash for "UFD*(SFH&*FN^F^&G(GD^Gfdhs78feft56r5R%^bd66". So, just because that site came up with a value that creates the MD5 entered does not mean it was the same value you used to create the MD5. That is the power of a hash. There is (theoretically) no possible way to reverse a hash. I say theoretically, because we (programmers) sometimes put limits on the possible values which shrinks the available hashes. If you were to have a password field that took only up to 10 characters and only accepted numbers and lower case characters, it would be a pretty easy process to create a hash for every possible value to compare it against.

With encryption there is always a way to decrypt it. If the key gets compromised all the encrypted data is at risk. However, encryption and hashing are two entirely different things and should never be considered the same thing. Just as you wouldn't want to encrypt a password, you would never want to hash data such as a credit card number that you need to retrieve at a later time.

Here are a couple of simple examples:

Using a system that transposes every letter with another letter would be a form of encryption: A = b, B = C, etc. So, "password" becomes "qbttxpse".

However, assigning a number to every letter and then summing the total would be a hash: a = 1, b = 2, etc. "password" = 16 + 1 + 19 + 19 + 23 + 15 + 18 + 4 = 115. It should be pretty obvious that you could create other combinations that would result in the same value. So, you could never be certain what value was used to create 115.

EDIT: And all of this is the reason why you are always encouraged to use a STRONG password. If you used something such as "apple", then that will already exist in a database of hashes. But the time and resources needed to create exponentially more hash lookups such that "@PP1e" would be in the lookup list would be great.
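Psycho's two toy schemes, worked through in code. This is an added example, not code from the thread: `shift_encrypt`/`shift_decrypt` implement the letter-transposition "encryption" (a = b, b = c, ...) and show it round-trips, while `letter_sum_hash` implements the a = 1, b = 2 ... sum and `find_collisions` shows that other inputs land on the same value 115, which is exactly why a hash cannot be "reversed". The candidate word list is constructed for the example.

```python
import string

ALPHABET = string.ascii_lowercase

# Constructed candidate list used to look for collisions with the toy hash.
CANDIDATES = ["secret", "turtles", "monkey", "wordpass", "letmein"]


def shift_encrypt(plaintext: str, shift: int = 1) -> str:
    """Psycho's letter transposition: every letter moves `shift` places along
    the alphabet (a -> b, b -> c, ...). Non-letters pass through unchanged."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, shift: int = 1) -> str:
    """Encryption is reversible: whoever holds the key (here, the shift)
    gets the original text back exactly. Python's % keeps negative shifts
    inside the alphabet."""
    return shift_encrypt(ciphertext, -shift)


def letter_sum_hash(text: str) -> int:
    """Psycho's toy hash: a = 1, b = 2, ..., z = 26, summed over the letters.
    Many different inputs map to the same number, so the input is lost."""
    return sum(ALPHABET.index(ch) + 1 for ch in text.lower() if ch in ALPHABET)


def find_collisions(target: int, candidates) -> list:
    """Return every candidate whose toy hash equals `target`, in input order.
    A lookup site does the same thing with real MD5: it only reports *a*
    preimage it happens to know, not necessarily the one that was used."""
    return [w for w in candidates if letter_sum_hash(w) == target]


if __name__ == "__main__":
    ct = shift_encrypt("password")
    print("encrypted:", ct, "-> decrypted:", shift_decrypt(ct))
    h = letter_sum_hash("password")
    print("toy hash of 'password':", h)
    print("other words with the same toy hash:", find_collisions(h, CANDIDATES))
```

Running it shows "qbttxpse" decrypting back to "password", the hash value 115 from the post, and that "turtles" (and the anagram "wordpass") hash to 115 too, so a lookup that returned "turtles" would be just as "correct" as one returning "password".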
Jessica, August 30, 2007:
Not really. It's not "luck", it's a reverse lookup, like I said. If it's a common word, it will be in there. That's another reason to use hard passwords. Instead of "mynameisbob" do "MyN@m3!$B0b" - even if mynameisbob is in the database, I doubt the second one is.
dbo, August 30, 2007:
MD5 hashes are pretty safe if used correctly, always salt them. If other measures are in place it's pretty safe. If you allow for 3 failures then lock an account for 3 minutes before continuing, it's going to take a script years and years and years to be able to attempt all possible solutions of a password. In even more secure environments you could require a password change after 3 failed attempts. Saying that we could easily write a program to test all possible combinations of letters, characters and numbers is just ridiculous.... think about how many possible combinations that is, and then putting one of the above measures on top of it pretty much seals the deal. It's security in layers my friends... always security in layers.
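The lockout policy dbo describes (3 failures, then a 3 minute lock), as an added example rather than code from the thread. `LoginThrottle` is a hypothetical helper that sits in front of the real password check; its clock is injectable so the behaviour can be exercised without waiting. `attempts_per_day` and `years_to_exhaust` put numbers on the "years and years" claim for a given character set and length; the 36-character, 8-position keyspace in the usage note is an assumed illustration.

```python
import time
from collections import defaultdict

MAX_FAILURES = 3          # dbo's figure: three wrong guesses ...
LOCKOUT_SECONDS = 3 * 60  # ... then the account is locked for three minutes


class LoginThrottle:
    """Per-account failure counter that refuses attempts during a lockout.
    The password check itself stays with the caller; this only gates how
    often it may be tried."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(int)
        self._locked_until = {}

    def is_locked(self, username: str) -> bool:
        until = self._locked_until.get(username)
        if until is None:
            return False
        if self._clock() >= until:
            # Lockout expired: clear state so the counter starts fresh.
            del self._locked_until[username]
            self._failures[username] = 0
            return False
        return True

    def record_failure(self, username: str) -> None:
        self._failures[username] += 1
        if self._failures[username] >= MAX_FAILURES:
            self._locked_until[username] = self._clock() + LOCKOUT_SECONDS

    def record_success(self, username: str) -> None:
        self._failures[username] = 0
        self._locked_until.pop(username, None)

    def attempt(self, username: str, password_ok: bool) -> str:
        """Return 'locked', 'ok' or 'failed'. A correct password during a
        lockout is still refused, otherwise the lock would be meaningless."""
        if self.is_locked(username):
            return "locked"
        if password_ok:
            self.record_success(username)
            return "ok"
        self.record_failure(username)
        return "failed"


def attempts_per_day(max_failures: int = MAX_FAILURES,
                     lockout: int = LOCKOUT_SECONDS) -> int:
    """Upper bound on online guesses per day against one account: each
    lockout window permits at most `max_failures` guesses."""
    return (24 * 60 * 60 // lockout) * max_failures


def years_to_exhaust(alphabet_size: int, length: int) -> float:
    """Years needed to try every password of `length` symbols drawn from an
    alphabet of `alphabet_size` at the rate the lockout policy allows."""
    keyspace = alphabet_size ** length
    return keyspace / attempts_per_day() / 365.25


if __name__ == "__main__":
    fake_now = [0.0]
    throttle = LoginThrottle(clock=lambda: fake_now[0])
    for _ in range(3):
        print(throttle.attempt("bob", password_ok=False))   # failed x3
    print(throttle.attempt("bob", password_ok=True))        # locked
    fake_now[0] = LOCKOUT_SECONDS + 1
    print(throttle.attempt("bob", password_ok=True))        # ok
    print("guesses/day:", attempts_per_day())
    print("years for 36^8 (assumed keyspace):", round(years_to_exhaust(36, 8)))
```

With this policy an attacker gets at most 1,440 guesses per account per day, so even the assumed 8-character lowercase-plus-digits space takes millions of years online. Two caveats a practitioner would add: the same counter lets anyone lock a victim out by deliberately failing three times, so a lockout is usually paired with per-source throttling rather than used alone, and none of this helps once the hash table itself has leaked, because offline guessing is not subject to the login throttle.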
BRUm, August 30, 2007:
You shouldn't be asking how safe MD5 is, you should be asking "How can I make my hashes safer". Now, these hash "cracking" sites are utterly useless if you use MD5() properly. Have you ever heard of a salt or key? It would be practically impossible for these sites to crack a hash with my own personal salt: md5("$username$password$key"); Where $salt is something personal. For example, say I want a secure login for my blog, I may have the $key as the name of my blog + the name of my cat.
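Jessica's reverse-lookup description and BRUm's salted construction, demonstrated together as an added example that is not code from the thread. `build_lookup_table` is all a "hash cracking" site is: a map from md5(word) back to word, built here from a small constructed wordlist. `salted_md5` uses a random per-user salt, and `keyed_md5` mirrors BRUm's md5("$username$password$key") with the username as the per-user part and the key as a site-wide secret; both make a table of bare words miss. Names and the wordlist are this example's own.

```python
import hashlib
import os

# Constructed wordlist standing in for the ~700k entries a lookup site holds.
WORDLIST = ["apple", "password", "letmein", "mynameisbob", "qwerty", "123456"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup_table(words) -> dict:
    """Reverse table: md5(word) -> word. Nothing is 'cracked'; the site just
    precomputed the hashes of words it expects people to use."""
    return {md5_hex(w): w for w in words}


def reverse_lookup(table: dict, digest: str):
    """Return the word that produced `digest`, or None if the table lacks it."""
    return table.get(digest.lower())


def new_salt() -> str:
    """Random per-user salt, stored next to the hash (it need not be secret)."""
    return os.urandom(16).hex()


def salted_md5(password: str, salt: str) -> str:
    """Same password, different salt -> different hash, so one precomputed
    table cannot serve every user and a leaked hash for one user tells you
    nothing about another user with the same password."""
    return md5_hex(salt + password)


def keyed_md5(username: str, password: str, key: str) -> str:
    """BRUm's construction md5("$username$password$key"): the username acts
    as the per-user salt and `key` as a site-wide secret kept out of the
    database (often called a pepper)."""
    return md5_hex(f"{username}{password}{key}")


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("bare md5('apple') ->", reverse_lookup(table, md5_hex("apple")))
    print("bare md5('@PP1e') ->", reverse_lookup(table, md5_hex("@PP1e")))
    salt = new_salt()
    print("salted md5('apple') ->", reverse_lookup(table, salted_md5("apple", salt)))
    print("keyed md5 for bob ->",
          reverse_lookup(table, keyed_md5("bob", "apple", "myblog-mycat")))
```

The bare hash of "apple" is found immediately, the leetspeak variant and both salted forms are not. One caveat beyond what the thread covers: a salt stops precomputed tables, but MD5 itself is so fast that an attacker holding the salt and the hash can still guess common words at enormous rates, which is why modern password storage uses a deliberately slow hash (bcrypt, scrypt, Argon2) with the salt rather than a plain salted MD5.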
Jessica, August 30, 2007:
Also, if someone has got ahold of your hashed password and is trying to figure out the real one, you've got bigger problems. How'd they get it in the first place?