spike
Couch potato
Posts: 10
|
Post by spike on Dec 4, 2006 21:59:02 GMT
tritraveller,
What you say regarding attacks is true as far as it goes but I think the situation we're discussing is where a hacker has obtained the hashed passwords. He or she is therefore able to perform the brute force attack at leisure without any login screens getting in the way. If a password were to be cracked, its owner will be in a bad way if it's the same as the owner's banking password(s).
|
|
|
Post by tritraveller on Dec 5, 2006 1:05:46 GMT
Ahhh yes, I went back and read it again... What is being suggested is that the hacker has the password file which has the MD5 encrypted passwords and that they can run any number of attempts to decrypt each password in the file without going to a logon screen.
However, the passwords can only be verified by testing them against a system, and since the MD5 algorythm will produce output rather than fail completely, you won't know if its valid until you try it. Ergo, same problem.
Either way, it just shows that you shouldn't have all your passwords the same. I couldn't ever remember mt TT password, I set it years ago and have used firefox to manage since then...
|
|
|
Post by dirtydavey on Dec 5, 2006 9:44:52 GMT
The problem with the MD5 algorithm is that there are a number of well known weaknesses with it. Even more worrying is that there are also many places on the net which provide a reverse look up for an MD5 hash string. Basically, if you've got the MD5 cyphertext, getting hold of the plain text (your password) is a piece of piss. There's not any need for a brute force attack.
MD5 is a massive vulnerability in any system.
|
|
|
Post by bigbopper on Dec 5, 2006 9:53:48 GMT
But you shouldn't use the same password for everything. I have one secure password I use for Amazon and banking, and other ones for sites like TT.
BB
|
|
|
Post by icklenick on Dec 5, 2006 12:18:48 GMT
The problem with the MD5 algorithm is that there are a number of well known weaknesses with it. Even more worrying is that there are also many places on the net which provide a reverse look up for an MD5 hash string. Basically, if you've got the MD5 cyphertext, getting hold of the plain text (your password) is a piece of piss. There's not any need for a brute force attack. MD5 is a massive vulnerability in any system. Yes, MD5 is weak but I thought that those collisions were between data which is much larger than a password where you had more room to manipulate the data to produce the same hash. I doubt that you could easily get a collision between messages of a few bytes. I'm guessing that the MD5 reverse lookup is just a very very large database of password/hash pairs. You can fit a few hundred million entries in a database with a couple of gig of ram and you'll hit most of the common passwords (depending on whether there's a salt or not). With distributed computing and efficient database software this is becoming a very real threat.
|
|