New Online MD5 Hash Database 295
Gravix writes with a shameless plug for his new site "Sporting over 12 million entries, project GDataOnline is one of the largest non-RainbowTable based MD5 crackers on the internet. The database spans over 7 languages, 35 topics, and contains common mutations to words that include numbers and capitalization. Average crack time for 5 hashes: .04 seconds. No more waiting weeks for your results!" Shameless plug aside, the site still seems worth a closer look.
So what? (Score:5, Informative)
For many other uses of cryptographic hashes the input is much more than a single word, and typically you don't really worry about keeping the input a secret anyway.
Re:Doesn't seem very useful (Score:5, Informative)
You wouldn't by any chance be using the md5sum command line utility and typing a newline after the word? I just tried my own name, which turned out to be in the database. Could you give just a few examples of the hash values you submitted, and the word you expected it to return?
Oops, right you are, that's exactly what I was doing... tried the same words with echo -n and they were in fact in the database.
/me wipes egg off face
Re:Linux (Score:3, Informative)
Re:Hmmm... (Score:2, Informative)
http://en.wikipedia.org/wiki/Salt_(cryptography) [wikipedia.org]
Re:Downloadable database form? (Score:5, Informative)
Re:wow (Score:4, Informative)
MD5 is nice but... (Score:5, Informative)
A few other places have these, in differing amounts. Rainbowcrack [rainbowcrack.com] has tons of them, but requires you to submit some before being allowed to query the system. I did submit a few NTLM hash tables, but it took the better part of a week to get my query back (it's supposed to be a lot faster than that).
There's also Ophcrack [lasecwww.epfl.ch] which uses tables similar to rainbow tables. It has a web interface to query NTLM hashes for simple passwords.
With these pre-computed hash tables, basic password security is starting to take a hit and it's becoming more and more worthwhile to use a simple but long password rather than a short and complex one. If you're on Windows, it's also VERY worthwhile to read about forcing Windows to store only the NTLM hash and drop the LM hash [microsoft.com]. It breaks old compatibility with Win 9x but is very worth it if you don't need that. This helps against precomputed attacks but has an even bigger impact against brute-force attacks.
Re:Linux (Score:5, Informative)
For those that don't know (Score:5, Informative)
There are existing rainbow tables covering basically the entire LM space but, really, you don't need it. A fast dual core chip will crack it in less than a day.
The parent is correct in that in all cases you can, you should set Windows to only use NTLM, or better yet NTLMv2. We are (finally) getting to do that at work as we purged the last NT and 98 systems from the domain.
Re:Crypto experts... SHA1? (Score:3, Informative)
It works for any hash function.
Re:Crypto experts... SHA1? (Score:4, Informative)
The upshot is: (1) yes, you can do this, it's just brute-force; (2) it's not as easy with MD-5.
Lea
Re:Downloadable database form? (Score:5, Informative)
Re:Hmmm... (Score:4, Informative)
Anyway: MD5 hashes over a certain dataset are not unique. Two datasets can result in the same MD5 hash, assuming a fixed hash length. This database could point those out too.
As a last remark: This kind of database use has been done before by chess engines. By just storing most successful board setups, the next moves could be executed more effectively and a lot faster.
Re:Compression Algorithm (Score:3, Informative)
Trojan alert (Score:5, Informative)
Re:oh, i get it! (Score:3, Informative)
6436a55a08760c5b94dbed4476f83fcd -
Re:Hmmm... (Score:3, Informative)
Re:You might expect that... (Score:5, Informative)
"slashdot.org<my password>" will render any generic databases like GData useless for Slashdot password searching. It means someone has to build up a Slashdot specific database using a dictionary first. That is all a salt is really for, to inconvenience a dictionary attack.
"slashdot.orgbaadger<my password>" (<site><username><password>) would be better as it means the cracker has to build a database specific to slashdot and my username.
So yes these passwords are salted, using the domain just saves the plugin having to save random salts somewhere.
Re:Trojan alert (Score:1, Informative)
Re:quick (Score:3, Informative)
Re:Hmmm... (Score:2, Informative)
Yes, but you need shell access to do it.
Re:Downloadable database form? (Score:5, Informative)
It's called a password "salt", and many applications use them. It's much better to use a large random value stored in the clear than the username.
Microsoft, of course, is screwed by the need to provide backward compatibility, and does not salt the (MD4-based) NTLMv2 hash stored on Windows systems. They encrypt the whole hash database instead to prevent offline attacks, but this is ineffective as the decryption key is also "hidden" on the system's disk unless you want to require a diskette/CD/floppy at boot that contains the decryption "syskey".
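Added example (not part of any comment in this thread): a small Python sketch of the points raised above, namely why an unsalted MD5 of a common word is found by a precomputed table, why a trailing newline from `echo` without `-n` changes the digest, and how the `<site><username><password>` and random-salt schemes take a generic table out of play. The wordlist, usernames, password and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

# Constructed wordlist standing in for a generic precomputed database.
WORDS = ["password", "badger", "letmein"]

def build_table(words):
    """Map MD5(candidate) -> candidate, with number/capitalization mutations."""
    table = {}
    for w in words:
        for cand in (w, w.capitalize(), w + "1", w.capitalize() + "1"):
            table[md5_hex(cand.encode())] = cand
    return table

GENERIC = build_table(WORDS)

def site_hash(site, password):
    # "<site><password>": every user with this password gets the same hash.
    return md5_hex((site + password).encode())

def site_user_hash(site, user, password):
    # "<site><username><password>": the hash also depends on the account.
    return md5_hex((site + user + password).encode())

def random_salt_hash(password, salt=None):
    # Large random salt, stored in the clear next to the hash.
    salt = os.urandom(16) if salt is None else salt
    return salt, md5_hex(salt + password.encode())

def verify(password, salt, stored):
    return hmac.compare_digest(random_salt_hash(password, salt)[1], stored)

def demo():
    pw = "Badger1"  # constructed sample password; one of the table's mutations
    site = "slashdot.org"
    salt_a, hash_a = random_salt_hash(pw)
    _, hash_b = random_salt_hash(pw)
    return {
        "unsalted_found": GENERIC.get(md5_hex(pw.encode())),
        "trailing_newline_found": GENERIC.get(md5_hex((pw + "\n").encode())),
        "site_salted_found": GENERIC.get(site_hash(site, pw)),
        "site_user_differs": site_user_hash(site, "baadger", pw)
                             != site_user_hash(site, "alice", pw),
        "random_salts_differ": hash_a != hash_b,
        "verifies": verify(pw, salt_a, hash_a),
    }

if __name__ == "__main__":
    print(demo())
```

MD5 is used here only because it is the hash under discussion; a password store would normally use a deliberately slow function such as `hashlib.scrypt` on top of the per-user random salt.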
Re:Hmmm... (Score:3, Informative)
If you think about it hashing your passwords in a database is almost an admittance [that] your database will probably be compromised
No, it's a recognition of the fact that it's at least theoretically possible that your database might be compromised at some point in the future. And anyone who isn't an idiot will design their systems in such a way as to minimize the damage that can be caused by a single point of failure. That's not an admission of incompetence, it's plain common sense.
Another Reason.... (Score:3, Informative)
If the user's password is stored in plain text, they can claim that you, the system administrator, have access to it. This increases your liability as the user can now disclaim responsibility for actions taken with that password, on any other system where it is used -- after all, they could have been impersonated, and they can accuse you of being the culprit.
-Hope