Fun with MD5 hashes and Google
Aug. 22nd, 2005 01:23 pm

Think that your applications that store passwords as an MD5 hash are secure? Think again:
doug@dmuth ~ $ echo -n "password" |md5sum
5f4dcc3b5aa765d61d8327deb882cf99
Searching for 5f4dcc3b5aa765d61d8327deb882cf99 on Google turns up a number of hits in various password files that are on the web for some reason or another. I don't know whether those accounts are active/current, but I still find that prospect rather frightening.
One solution is to use at least 64 bits of salt when creating a hash based on a password. This in turn will require the attacker to make up to 2^64 hashes for each password that they wish to guess (flaws in MD5 aside).
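The salting scheme described above, as an added example that is not part of the original post: it compares an unsalted MD5 record with one that carries a random 64-bit salt, using a small constructed table as a stand-in for a public index of unsalted hashes. The function names, the `salt$digest` record format and the table contents are assumptions made for illustration; MD5 is kept only to match the post.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SALT_BYTES = 8  # 64 bits, the minimum the post suggests

# Constructed stand-in for a precomputed lookup source (for example a
# search index of unsalted hashes): plain MD5 digest -> password.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
UNSALTED_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def hash_unsalted(password: str) -> str:
    """The scheme the post warns about: MD5 of the bare password."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$digest_hex', drawing a fresh random salt if none is given."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the record with the stored salt and compare in constant time."""
    salt_hex, _digest = stored.split("$", 1)
    candidate = hash_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def lookup(stored_digest: str) -> Optional[str]:
    """What a precomputed-table lookup recovers from a stored digest, if anything."""
    return UNSALTED_TABLE.get(stored_digest)


if __name__ == "__main__":
    print("unsalted lookup:", lookup(hash_unsalted("password")))
    record = hash_salted("password")
    print("salted record:  ", record)
    print("salted lookup:  ", lookup(record.split("$", 1)[1]))
    print("login verifies: ", verify_salted("password", record))
```

The salt is stored beside the digest, so what it defeats is the precomputed lookup and the visibility of shared passwords across accounts; a weak password in a single leaked record can still be guessed directly.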
(no subject)
Date: 2005-08-22 06:12 pm (UTC)

(no subject)
Date: 2005-08-22 06:24 pm (UTC)
passwd uses the password itself as .... uhhh... "key" to encrypt, does it not?
(t'least that's how it was with FreeBSD 4)

(no subject)
Date: 2005-08-22 06:25 pm (UTC)

(no subject)
Date: 2005-08-22 06:33 pm (UTC)

(no subject)
Date: 2005-08-22 06:43 pm (UTC)

(no subject)
Date: 2005-08-22 06:45 pm (UTC)

(no subject)
Date: 2005-08-22 06:49 pm (UTC)
Moral(s) of the story: 1) (for users) Don't choose simple passwords, and 2) (for admins) Don't put database dumps in a publicly accessible location.

(no subject)
Date: 2005-08-22 09:56 pm (UTC)