potential problem with md5?

malcolmboston
DevNet Resident
Posts: 1826
Joined: Tue Nov 18, 2003 1:09 pm
Location: Middlesbrough, UK

Post by malcolmboston »

I have recently been working with MD5 extensively and creating some dummy accounts so I'm able to log in with people with different credentials.

However, I have a memory like a fish, so I keep all the passwords the same and obviously the MD5 value ends up the same for all the users.

My question is this:

What is stopping a group of hackers creating an application that converts a piece of text into its md5 value?

e.g. value for dictionary -> 347687234dbfdbfHB44532 blah blah

Why don't people do this?

I know that it changes with capitalisation etc., but from my knowledge most people have their passwords all lowercase and of the less secure form (an actual word).
JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK

Post by JayBird »

I don't get what you're asking?

Post by malcolmboston »

OK, most sites nowadays use MD5 for their passwording system.

Now people say MD5 is very difficult to be 'reverse engineered'. Well, surely it's possible to build a database of MD5 values for words, and then be able to 'search the text' and get the 'english' value back.

I was just wondering why / if it has been done?
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

md5 depends on how you seed it, i.e. the string you're encoding with it. Same string produces different md5 string. Different string produces different md5 string. It's basically an advanced checksum creator (note: advanced ;))

Since it's only one-way encryption you can only check against an existing value (md5("blah") = md5("blah")).

So, logically, I don't quite understand your question. You mean why isn't anyone building an md5 dictionary?
Remember that md5 returns a string of a set length, no matter how long the input string. To have a dictionary you'd have to create all possible words, modifications, misspellings, nonsensical words from all sorts of different cultural backgrounds etc.
Even if you would do that, you'd then need to write a routine to loop check an md5 string against every single one of them - in short, brute-forcing md5.
That will take a long, long, long time - and does not mean that you will succeed.

I am not familiar with cracking, but I would imagine there are quicker and more elegant ways of cracking an account.

As you say: the security of the password depends to a high degree on the user.

Post by malcolmboston »

lol, don't get me wrong, I mean, I have no use for this sort of thing.

I actually have a lot of respect for hackers even though they are the bane of my career choice.

I just noticed that if I inputted words into the database and then MD5'd them, they would come back with the same MD5 string inside the database, so in my head I thought it perfectly reasonable to assume that a simple sort of MD5 dictionary could be used.

Post by malcolmboston »

Just re-read your post.

Fine, you have to take into account difference in language, but seeing as English seems to be the most used language on the net, then if you could somehow get a list of every word in the dictionary (not including A etc., just more complex 4+ letter words) then I know for a fact I could create what I'm talking about in less than 10 minutes using insert behaviours, simply inserting the MD5 value as well as the plain English into a database.

Any more thoughts on this sort of thing, peeps?
markl999
DevNet Resident
Posts: 1972
Joined: Thu Oct 16, 2003 5:49 pm
Location: Manchester (UK)

Post by markl999 »

Let's not forget that MD5 isn't encryption, it's just a hash that is intended to verify data integrity; using it as the sole means to 'protect' your database/whatever passwords is a bit ... silly, for want of a better word. (imho)

;)

Post by patrikG »

The one great answer to your question is: try it yourself and see if you can break it and tell us of your experience :)
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

I understand what you're saying.

Though for a hacker to even attempt this, it would mean he would have access to the db passwords, which is very unlikely.

But in the event that a hacker does have db access, from what I understand, you're asking can't a hacker just build his own db of pre-made dictionary words converted into md5, and check those against the passwords that are already in md5 form?

hmm, though I have thought up this situation, I rarely gave much more thought into it; because it would take a damn good hacker to first: (a) get my passwords out of the db, and then (b) use this pre-made md5 dictionary method of finding out everyone's info.

But this has sparked my interest and I'm going to make an experiment to try this out, for educational reasons of course. ;) Even though it's a very rare situation, there is always a chance where it might happen.

So like I always say: To prevent a hacking, you must hack yourself to see all that is possible, and then do all you can to stop those possibilities.

Post by malcolmboston »

Personally, common sense tells me that my MD5 dictionary method should theoretically work. If I can find a list of every word or all a huge amount of common English words then I'm gonna build it and experiment even though I know that it should work, lol, but I'm not getting out my dictionary to start inputting words.

Now on to my next question that sami raised into my head.

How exactly might one hack into my database? Now obviously I use both LAMP and WAMP and I've always wondered how exactly someone would, in theory at least, hack directly into the actual database?

Like sami said, to stop hackers you must learn to be one.

Post by patrikG »

Bear in mind that English has roughly 500.000 words - which makes it the language with largest vocabulary. A typical native English speaker only uses about 5-8000 of those.

Which 5-8000 of the 500.000 is for you to find out ;)

Post by malcolmboston »

However, to stop this method you could possibly just keep MD5'ing the MD5 values :lol: that should keep 'em busy for a good few millennia.

Post by m3mn0n »

I could have sworn it was more words than that. I remember last English class I took my teacher said English is first with 1.whatever million and German is a close second. heh

Anyway regarding the question you raised malcolm, I've seen very unsecure open source applications before. One was so bad that it allowed a hacker to remotely run scripts on that server. And the script had an active db connection, so this meant just about anything that particular user has access to, can be executed/done/deleted/whatever.

One might ask, But how would a hacker know the db info, like database names, tables, etc? The solution is simple. If a remote script has db access, it can run a "show databases", and then "show tables", and ultimately "show columns" (I think, it's been a while..). This would expose all the data within all the tables within all the databases. heh

malcolmboston wrote: personally common sense tells me that my MD5 dictionary method should theoretically work

Yes, common sense tells me this will work too. And hopefully this experiment is successful.

Maybe I'm a little slow cause I'm tired but I don't understand this:

patrikG wrote: md5 depends on how you seed it, i.e. the string you're encoding with it. Same string produces different md5 string. Different string produces different md5 string.

Can someone, possibly patrick, explain this?

Post by patrikG »

What I meant is that md5 does not produce the same hash for the same word every time.

I was going into possibility 1 of what malcom's question was - i.e. build a md5 hash-dictionary. Option 2 was to build a word(!) dictionary.

Post by malcolmboston »

sami wrote: Maybe I'm a little slow cause I'm tired but I don't understand this:
patrick wrote: md5 depends on how you seed it, i.e. the string you're encoding with it. Same string produces different md5 string. Different string produces different md5 string.

Me neither, initial tests show (lol, I sound like a scientist) that the same string does not ever produce a different MD5 value.

-----------------------------------------------------------------------------
To further highlight some questions sami nicely answered:

sami wrote: One might ask, But how would a hacker know the db info, like database names, tables, etc? The solution is simple. If a remote script has db access, it can run a "show databases", and then "show tables", and ultimately "show rows" (I think, it's been a while..). This would expose all the data within all the tables within all the databases. heh

OK, I believe I understand this now, however I believe, haven't tested it yet mind, but I believe I'm safe from this.

I personally have a "global file" called dbhandler.php which is required in every script, which has all connection information. However, I've always found that the less someone knows about the site the better, so I built a custom error management feature into the site so no matter what failure, a hacker won't easily know what is wrong and will just think, oh well, the site's down for "essential content upgrades", so this should theoretically stop a hacker from knowing what is wrong with my site and walking straight through the hole in it or attacking it directly.

So hopefully I'm safe from such misdemeanors *fingers crossed*

Good to see there's for once a meaningful 'discussion' on these forums anyway :lol:
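
Added example, not part of the original thread or written by any of its participants: a PHP sketch of the MD5 lookup table discussed above, run against constructed dummy accounts. It shows that plain md5() and repeated md5(md5()) are both deterministic and resolved by one precomputed table, while password_hash() stores a differently salted value per account. The word list, account names and the helper functions buildTable() and recovered() are assumptions made for illustration.

```php
<?php
// Constructed sample data: a tiny word list and three dummy accounts,
// two of which share a password (as with the thread's test accounts).
$wordlist = ['dictionary', 'password', 'letmein', 'sunshine'];
$accounts = ['alice' => 'dictionary', 'bob' => 'dictionary', 'carol' => 'sunshine'];

// Build a hash => word lookup table once; $hashFn is the storage scheme under test.
function buildTable(array $words, callable $hashFn): array
{
    $table = [];
    foreach ($words as $w) {
        $table[$hashFn($w)] = $w;
    }
    return $table;
}

// Count how many stored values the precomputed table maps back to a word.
function recovered(array $stored, array $table): int
{
    $hits = 0;
    foreach ($stored as $hash) {
        if (isset($table[$hash])) {
            $hits++;
        }
    }
    return $hits;
}

$single = fn(string $p): string => md5($p);
$double = fn(string $p): string => md5(md5($p)); // "MD5'ing the MD5 values"

// Unsalted schemes: same input, same output, so one table serves every account.
foreach (['md5' => $single, 'md5(md5())' => $double] as $name => $fn) {
    $stored = array_map($fn, $accounts);   // keys (account names) are preserved
    $table  = buildTable($wordlist, $fn);
    printf("%-14s alice==bob: %s, recovered %d of %d\n", $name,
        var_export($stored['alice'] === $stored['bob'], true),
        recovered($stored, $table), count($stored));
}

// password_hash() picks a random salt per call, so equal passwords are stored
// differently and a single precomputed table cannot cover all accounts.
$stored = array_map(fn($p) => password_hash($p, PASSWORD_DEFAULT), $accounts);
printf("%-14s alice==bob: %s, recovered %d of %d\n", 'password_hash',
    var_export($stored['alice'] === $stored['bob'], true),
    recovered($stored, buildTable($wordlist, $single)), count($stored));

// Login still works: password_verify() reads salt and cost from the stored string.
var_dump(password_verify('dictionary', $stored['alice']));
```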