Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: MD5 hash cracking service
From: "Kurt Seifried" <listuser () seifried org>
Date: Fri, 2 Jul 2004 15:15:24 -0700

Minor correction: MD5 does suffer from potential collisions, that is two
different inputs can have the same MD5 output. Since the majority of systems
only store the MD5 and nothing else (like say what the first letter was, or
a SHA hash) if you find an input (not necessarily the "correct" one) that
results in the same MD5 hash the system will accept it as legitimate since
the hash values match. The chances of such a collision occuring, against
arbitrary data such as "this_is_my_password" are rare, especially when you
consider the limitations on passwords (length, ascii characters, etc.). The
beauty of the rainbow tables is once you've "cracked" a password (i.e. taken
a value, MD5'ed it, stored it in the DB) your only further requirement is
storage (which is dirt cheap now) and search costs (which is pretty cheap
since you have it all nicely done up in tables).

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]