My blog has moved! Redirecting...

You should be automatically redirected. If not, visit http://ripper234.com and update your bookmarks.

21 November 2007

Using Google to reverse MD5 and how I almost revealed my password to the world

In this article Steven explains how he used Google to find the password for a given MD5 hash for a user that hacked into his site.

In one of the comments a reader points to this website that offers a direct database of md5 hashes. You enter a string and get its MD5, you enter an MD5 and (if it's known) you get the original string.

The database only works on known (text, MD5) pairs. If I ask for the text of an MD5 the db hasn't seen before, it won't give an answer.

I use a single password to all my internet activities, because I'm lazy. So I almost went ahead and entered that password into the md5 database in order to check if the md5 is known. Then I realized how stupid this would be - it would actually add the information to the db, and actually reveal to the world my password.

Instead I privately checked what my MD5 is (using this C# code), then entered the MD5 into the DB to check if it knows the original password.

The result? No it doesn't :)

3 comments:

Eran said...

Rainbow Tables are a very old trick (probably as old as encryption itself, but in the computers world became famous around the 70'S), today they are considered easy to be protected from by introducing random factors to the hash algorithm.

Strange that most sites and program still use such easily cracked methods.

ripper234 said...

Usually the "random factors" are just appending some random text/timestamp to the hashed text, preventing duplicate hashes. Yes, this is very basic.

I don't know if "most sites still use these methods", but obviously some do.

Eli Bendersky said...

Salting has been a part of Unix's passwd system since its inception, for this very reason.

It was prudent of you not to enter the password ;-)