potential problem with md5?
-
malcolmboston
- DevNet Resident
- Posts: 1826
- Joined: Tue Nov 18, 2003 1:09 pm
- Location: Middlesbrough, UK
i have been recently working with MD5 extensively and creating some dummy accounts so im able to login with people with different credentials
however i have a memory like a fish so i keep all the passwords the same and obviously MD5 value ends up the same for all the users.
My Question is this
What is stopping a group of hackers creating an application that converts a piece of text into its md5 value?
for eg value for dictionary -> 347687234dbfdbfHB44532 blah blah
why dont people do this?
i know that it changes with capitalisation etc, but from my knowledge most people have their passwords all lowercase and of the less secure form (an actual word)
-
malcolmboston
ok most sites nowadays use MD5 for their passwording system
now people say MD5 is very difficult to be 'reverse engineered' well surely its possible to build a database of MD5 values for words, and then be able to 'search the text' and get the 'english' value back
i was just wondering why / if it has been done?
-
patrick
md5 depends on how you seed it, i.e. the string you're encoding with it. Same string produces different md5 string. Different string produces different md5 string. It's basically an advanced checksum creator (note: advanced)
Since it's only one-way encryption you can only check against an existing value (md5("blah") = md5("blah")).
So, logically, I don't quite understand your question. You mean why isn't anyone building an md5 dictionary?
Remember that md5 returns a string of a set length, no matter how long the input string. To have a dictionary you'd have to create all possible words, modifications, misspellings, nonsensical words from all sorts of different cultural backgrounds etc.
Even if you would do that, you'd then need to write a routine to loop check an md5 string against every single one of them - in short, brute-forcing md5.
That will take a long, long, long time - and does not mean that you will succeed.
I am not familiar with cracking, but I would imagine there are quicker and more elegant ways of cracking an account.
As you say: the security of the password depends to a high degree on the user.
-
malcolmboston
lol, dont get me wrong i mean, i have no use for this sort of thing.
I actually have a lot of respect for hackers even though they are the bane of my career choice.
I just noticed that if i inputted words into the database and then MD5'd them, they would come back with the same MD5 string inside the database so in my head i thought it perfectly reasonable to assume that a simple sort of MD5 dictionary could be used
-
malcolmboston
just re-read your post
fine you have to take into account difference in language but seeing as english seems to be the most used language on the net, then if you could somehow get a list of every word in the dictionary (not including A etc, just more complex 4+ letter words) then i know for a fact i could create what im talking about in less than 10 minutes using insert behaviours simply inserting the MD5 value as well as the plain english into a database
any more thoughts on this sort of thing peeps?
-
sami
I understand what you're saying.
Though for a hacker to even attempt this, it would mean he would have access to the db passwords, which is very unlikely.
But in the event that a hacker does have db access, from what I understand, you're asking can't a hacker just build his own db of pre-made dictionary words converted into md5, and check those against the passwords that are already in md5 form?
hmm, though I have thought up this situation, I rarely gave much more thought into it; because it would take a damn good hacker to first: (a) get my passwords out of the db, and then (b) use this pre-made md5 dictionary method of finding out everyone's info.
But this has sparked my interest and I'm going to make an experiment to try this out, for educational reasons of course.
Even though it's a very rare situation, there is always a chance where it might happen.
So like I always say: To prevent a hacking, you must hack yourself to see all that is possible, and then do all you can to stop those possibilities.
-
malcolmboston
personally common sense tells me that my MD5 dictionary method should theoretically work, if i can find a list of every word or a huge amount of common english words then im gonna build it and experiment even though i know that it should work, lol but im not getting out my dictionary to start inputting words
now on to my next question that sami raised into my head
how exactly might one hack into my database now obviously i use both LAMP and WAMP and ive always wondered how exactly someone would in theory at least hack directly into the actual database?
like sami said to stop hackers you must learn to be one
-
malcolmboston
-
sami
I could have sworn it was more words than that. I remember last English class I took my teacher said English is first with 1.whatever million and German is a close second. heh
Anyway regarding the question you raised malcolm, I've seen very unsecure open source applications before. One was so bad that it allowed a hacker to remotely run scripts on that server. And the script had an active db connection, so this meant just about anything that particular user has access to, can be executed/done/deleted/whatever.
One might ask, But how would a hacker know the db info, like database names, tables, etc? The solution is simple. If a remote script has db access, it can run a "show databases", and then "show tables", and ultimately "show columns" (I think, it's been a while..). This would expose all the data within all the tables within all the databases. heh
malcolmboston wrote: personally common sense tells me that my MD5 dictionary method should theoretically work
Yes, common sense tells me this will work too. And hopefully this experiment is successful.
Maybe I'm a little slow cause I'm tired but I don't understand this:
patrick wrote: md5 depends on how you seed it, i.e. the string you're encoding with it. Same string produces different md5 string. Different string produces different md5 string.
Can someone, possibly patrick, explain this?
-
malcolmboston
sami wrote: Maybe I'm a little slow cause I'm tired but I don't understand this:
patrick wrote:
md5 depends on how you seed it, i.e. the string you're encoding with it. Same string produces different md5 string. Different string produces different md5 string.
me neither, initial tests show (lol, i sound like a scientist) that the same string does not ever produce a different MD5 value
-----------------------------------------------------------------------------
to further highlight some questions sami nicely answered
sami wrote: One might ask, But how would a hacker know the db info, like database names, tables, etc? The solution is simple. If a remote script has db access, it can run a "show databases", and then "show tables", and ultimately "show rows" (I think, it's been a while..). This would expose all the data within all the tables within all the databases. heh
ok, i believe i understand this now, however i believe, havent tested it yet mind, but i believe im safe from this
i personally have a "global file" called dbhandler.php which is required in every script which has all connection information however ive always found that the less someone knows about the site the better so i built a custom error management feature into the site so no matter what failure, a hacker wont easily know what is wrong and will just think, o well the sites down for "essential content upgrades", so this should theoretically stop a hacker from knowing what is wrong with my site and walking straight through the hole in it or attacking it directly
so hopefully im safe from such misdemeanors *fingers crossed*
good to see theres for once a meaningful 'discussion' on these forums anyway
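Added example, not code from any poster in this thread: an audit of a user table that shows why the "same password, same MD5" observation in the first post matters, and how a per-user salt with a slow hash removes it. The account names, the word list and every function name are constructed for illustration; PBKDF2 is this example's choice of salted hash and is not mentioned in the thread.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample data: dummy accounts reusing one password, as in the first post.
ACCOUNTS = {"alice": "dictionary", "bob": "dictionary", "carol": "Tr4il-mix!92"}
WORDLIST = ["password", "dictionary", "letmein", "monkey"]  # constructed audit list


def md5_hex(text):
    """Unsalted MD5: deterministic, so equal passwords give equal digests."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def audit_unsalted(stored, wordlist):
    """Return (users whose digest is in the word table, groups sharing a digest)."""
    table = {md5_hex(w): w for w in wordlist}  # the "MD5 dictionary" from the thread
    exposed = sorted(u for u, h in stored.items() if h in table)
    groups = defaultdict(list)
    for user, digest in stored.items():
        groups[digest].append(user)
    shared = sorted(sorted(g) for g in groups.values() if len(g) > 1)
    return exposed, shared


def hash_password(password, salt=None, rounds=200_000):
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (a slow, salted hash)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt, dk


def verify_password(password, salt, expected, rounds=200_000):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt, rounds)[1], expected)


def demo():
    """Audit the unsalted table, then build the salted equivalent."""
    unsalted = {u: md5_hex(p) for u, p in ACCOUNTS.items()}
    salted = {u: hash_password(p) for u, p in ACCOUNTS.items()}
    return audit_unsalted(unsalted, WORDLIST), salted


if __name__ == "__main__":
    (exposed, shared), salted = demo()
    print("found in word table:", exposed)
    print("accounts sharing a digest:", shared)
    print("salted values differ:", salted["alice"][1] != salted["bob"][1])
```

With the salted scheme, two accounts with the same password no longer share a stored value, so a single precomputed word table cannot be matched against the whole user table.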