Fun with MD5 hashes and Google
Aug. 22nd, 2005 01:23 pm

Think that your applications that store passwords as an MD5 hash are secure? Think again:

doug@dmuth ~ $ echo -n "password" |md5sum
5f4dcc3b5aa765d61d8327deb882cf99

Searching for 5f4dcc3b5aa765d61d8327deb882cf99 on Google turns up a number of hits in various password files that are on the web for some reason or another. I don't know whether those accounts are active/current, but I still find that prospect rather frightening.

One solution is to use at least 64 bits of salt when creating a hash based on a password. This in turn will require the attacker to make up to 2^64 hashes for each password that they wish to guess. (flaws in MD5 aside)
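As an added example (not code from the original post), the Python below reproduces the unsalted digest shown in the md5sum session and contrasts it with the 64-bit salted scheme the post recommends; the stored-record format "salt_hex$digest" and the function names are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: the password used in the post's md5sum example.
SAMPLE_PASSWORD = "password"


def md5_hex(password: str) -> str:
    """Unsalted MD5, exactly what `echo -n "password" | md5sum` computes.

    The same password always yields the same digest, so the digest itself
    becomes a searchable identifier for the password.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_md5(password: str, salt: bytes) -> str:
    """MD5 over salt || password; a different salt gives a different digest."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Build a stored record "salt_hex$digest" (this format is an assumption).

    With no salt given, draw 8 random bytes (64 bits), the minimum the post
    recommends, so two users with the same password get different records.
    """
    if salt is None:
        salt = os.urandom(8)
    return f"{salt.hex()}${salted_md5(password, salt)}"


def verify(password: str, record: str) -> bool:
    """Recompute the salted digest from the stored salt; constant-time compare."""
    salt_hex, stored_digest = record.split("$", 1)
    candidate = salted_md5(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored_digest)


if __name__ == "__main__":
    print("unsalted:", md5_hex(SAMPLE_PASSWORD))
    record_a = make_record(SAMPLE_PASSWORD)
    record_b = make_record(SAMPLE_PASSWORD)
    print("salted #1:", record_a)
    print("salted #2:", record_b)  # same password, different digest
    print("verify ok:", verify(SAMPLE_PASSWORD, record_a))
    print("verify wrong:", verify("Password", record_a))
```

Because the salt is stored beside the digest, the gain is that a bare digest can no longer be looked up in a precomputed list the way the search above does; a deliberately slow password hash (bcrypt, scrypt or Argon2) is what current practice would use in place of MD5.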