Just saw this link posted on Slashdot: http://passcracking.com/
Can MD5 be cracked?
Collapse
X
-
Apparently it can, but probably not for vB3's passwords. Unless you run it through multiple times, and strip out the salt the second time. Hrm. *ponders*"63,000 bugs in the code, 63,000 bugs, you get 1 whacked with a service pack, now there's 63,005 bugs in the code."
"Before you critisize someone, walk a mile in their shoes. That way, when you critisize them, you're a mile away and you have their shoes."
Utopia Software - Current Software: Utopia News Pro (news management system) -
This only applys, at least i think, to a plain MD5
md5(test)
not
the crazyness vBulletin 3 uses to store its hashed passwords.Comment
-
It is still a brute force tool. Just stores hashes of its dictionary terms and compares them for similarity.Translations provided by Google.
Wayne Luke
The Rabid Badger - a vBulletin Cloud demonstration site.
vBulletin 5 APIComment
-
MD5 is a hashing algorithm, not an encryption algorithm. This means, among other things, that data is lost in the process of generating the MD5 hash. There is no way to revert back to the original string (or at least a string that matches one of the 18,446,744,073,709,551,616 MD5 hashes that are 16 hex chars in length) besides a brute force algorithm.--filburt1, vBulletin.org/vBulletinTemplates.com moderator
Web Design Forums.net: vB Board of the Month
vBulletin Mail System (vBMS): webmail for your forum usersComment
-
Mathematically (and logically) speaking, you'd have to take into account the salt, which unless you have it cannot be eliminated from the equation. Therefore the ballpark range of the amount of time required to hack an MD5 hash using vBulletin's variable length salt would be the amount of time it would take to crack an MD5... squared. With the cookie hash, you'd need to crack an additional md5 which would cube the amount of time it takes to crack the password. Or in other words, it isn't happening any time soon.
Edit: The triple hash has so many complications due to the fact that the data is lost in hashing that I doubt that it can be accelerated by caching. While I'm sure that something would be found for the first hash, I doubt that it would be the result of md5(md5(password).salt)+license. The only way to get a password out of a triple hash that with my knowledge I can think of would be a brute force which already has the license key and salt (which would reduce the complexity down to a single hash). If it doesn't, it would be easier to brute force the login screen.Last edited by Shining Arcanine; Sat 3 Jul '04, 3:54pm.Comment
-
Originally posted by LeeCHeSSSI'm not wellversed in this topic, but isn't it *possible* for 2 DIFFERENT strings that are md5-hashed both result in the same hash?
Originally posted by FlorisNo, you can't crack it.Comment
-
Originally posted by LeeCHeSSSI'm not wellversed in this topic, but isn't it *possible* for 2 DIFFERENT strings that are md5-hashed both result in the same hash?
It's mathmatically not possible to reconstruct the original password, as two different words can have the same hash, but it's possible to generate a synonym, so actually yes it can be cracked, but it's not an easy task to doThe price of freedom is eternal vigilance!
- Thomas JeffersonComment
-
Originally posted by FlorisNo, you can't crack it.
Originally posted by XenonAs Icheb said already, yes, two different strings can have the same md5 hashcode, so therfore you can find out synonyms for passwords.
It's mathmatically not possible to reconstruct the original password, as two different words can have the same hash, but it's possible to generate a synonym, so actually yes it can be cracked, but it's not an easy task to doComment
-
I was pointing out that it can be done because Xenon said that it is not possible to reconstruct the orignal password. I didn't say that you had to.Comment
-
Originally posted by LeeCHeSSSI'm not wellversed in this topic, but isn't it *possible* for 2 DIFFERENT strings that are md5-hashed both result in the same hash?
Also, don't forget that the MD5 hash of 'bla' and of a 4GB file will both be a 32 character string.
Although it is possible to test the MD5 hash of all three letter combinations and eventually work out that what you have is the MD5 hash of 'bla', it is impossible to reverse the MD5 process - you could never recover the 4GB file from its 32 character MD5 hash.Comment
widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
Comment