WebApp Sec mailing list archives
Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection)
From: "Serban Ghita" <serban () verasys ro>
Date: Tue, 23 Aug 2005 18:12:25 +0300
I don't think 12 million is a big number, especially when the database contains only a hash (32 chars) and plain text passwd (e.g. max 10-12 chars). If you run a simple bruteforce text + md5(text) function on a SQL database on an average computer and insert the results, you get in a couple of hours over half a billion results. But it's still no big deal because you only have passwords up to maybe 6-7 characters and with a simple charset of alphanumeric [0-9][a-z] (without uppercase), and without special characters including space.
As a paragraph here: I tested to see what is the more efficient method (besides the rainbow crack) to find a hash, and tried both SQL-like databases and flat text. Flat text records require less space, but have high search times/results.
My opinions were based on real tests; if you want, I can publish more details if you are interested.
Serban Gh. Ghita
Web Department Coordinator
VERASYS Intl.
serban () verasys ro
zamolxe () php net
http://web.verasys.ro
phone: +40-21-201.67.62
cell: +40-788.28.29.10

----- Original Message -----
From: "Jean-Jacques Halans" <halans () gmail com>
To: "Gary Gwin" <ggwin () cafesoft com>
Cc: <webappsec () securityfocus com>
Sent: Monday, August 22, 2005 11:57 AM
Subject: Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection)

Still on the topic of MD5 hashes..., here's an online (multilingual) database with md5 hashes, containing "12,289,330 unique entries".
http://gdataonline.com/
--Halans
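
Added example, not part of the original messages: it sizes the [0-9][a-z] keyspace discussed above and shows why a precomputed md5(text) table answers for every account with an unsalted hash, while per-user salted records share nothing to precompute. The function names, the sample password, and the choice of PBKDF2-HMAC-SHA256 with a 16-byte salt and 100,000 iterations are assumptions made for this illustration.

```python
import hashlib
import hmac
import itertools
import os
import string

CHARSET = string.digits + string.ascii_lowercase  # [0-9][a-z], as in the post

def keyspace(max_len, charset=CHARSET):
    """Count every string of length 1..max_len over charset."""
    return sum(len(charset) ** n for n in range(1, max_len + 1))

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def build_table(max_len, charset=CHARSET):
    """Precompute md5(text) -> text; kept to a tiny max_len in this example."""
    table = {}
    for n in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=n):
            text = "".join(chars)
            table[md5_hex(text)] = text
    return table

def hash_salted(password, salt=None, iterations=100_000):
    """Assumed parameters: 16-byte random salt, PBKDF2-HMAC-SHA256."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_salted(password, salt, digest, iterations=100_000):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)

def demo(password="ab1"):  # constructed sample password
    table = build_table(3)                       # 47,988 entries
    unsalted_hit = table.get(md5_hex(password))  # one table serves every user
    salt_a, rec_a = hash_salted(password)        # two users, same password
    salt_b, rec_b = hash_salted(password)
    return {
        "unsalted_lookup": unsalted_hit,
        "salted_records_differ": rec_a != rec_b,
        "salted_verifies": verify_salted(password, salt_a, rec_a),
    }

if __name__ == "__main__":
    for n in (6, 7):
        print(f"strings up to {n} chars over [0-9a-z]: {keyspace(n):,}")
    print(demo())
```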