potential problem with md5?

m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

8)
malcolmboston wrote: so hopefully I'm safe from such misdemeanors *fingers crossed*
Yeah, if your application is not open source, the likelihood of such events is slim to none. :wink:

But then again, anything could happen.

Hey I finished the experiment, check your pm malcolm.
malcolmboston
DevNet Resident
Posts: 1826
Joined: Tue Nov 18, 2003 1:09 pm
Location: Middlesbrough, UK

Post by malcolmboston »

lol sami, I'll put it on a web server now, shall I give everyone the address?

Post by m3mn0n »

I don't see why not! :)

Post by malcolmboston »

THERE YA GO PEEPS

find it here

nice script btw :wink:

Post by malcolmboston »

told ya's it worked :D
JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK

Post by JayBird »

check here for some Brute Force Dictionary tools - http://neworder.box.sk/codebox.search.p ... dictionary

There is already an md5 attack file there but the link ain't working.

Mark

Post by malcolmboston »

<--- thinks bech had that page as his homepage :D

very interesting bech good find buddy

Post by m3mn0n »

ty


Yeah, great link. :)

Post by JayBird »

obviously, you can stop this kind of brute force attack by only allowing 3 attempts at login every 5 mins or something like that, or getting the user to enter a code from an image generated by the GD functions.

Mark
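
The limit suggested in the post above (3 login attempts every 5 minutes), as an added example that is not part of the original thread. The class name, the `user:alice` key and the in-memory storage are assumptions made for illustration.

```php
<?php
// Added example (PHP 8+): sliding-window throttle, 3 failures per 5 minutes.
// LoginThrottle is a hypothetical class; a real site would keep the
// timestamps in a database or cache shared by every web server.
final class LoginThrottle
{
    private array $failures = []; // key => list of failure timestamps

    public function __construct(
        private int $maxAttempts = 3,
        private int $windowSeconds = 300
    ) {}

    // Seconds to wait before another attempt is accepted; 0 means allowed.
    public function retryAfter(string $key, int $now): int
    {
        $cutoff = $now - $this->windowSeconds;
        // Drop failures that have aged out of the window.
        $recent = array_values(array_filter(
            $this->failures[$key] ?? [],
            fn (int $t): bool => $t > $cutoff
        ));
        $this->failures[$key] = $recent;
        if (count($recent) < $this->maxAttempts) {
            return 0;
        }
        // Blocked until the oldest counted failure leaves the window.
        return $recent[0] + $this->windowSeconds - $now;
    }

    public function recordFailure(string $key, int $now): void
    {
        $this->failures[$key][] = $now;
    }

    public function reset(string $key): void // call on successful login
    {
        unset($this->failures[$key]);
    }
}

// Constructed demo: keyed on the account name, so the limit holds even
// when the guesses arrive from many client addresses.
$throttle = new LoginThrottle();
foreach ([0, 10, 20] as $ts) {
    $throttle->recordFailure('user:alice', $ts);
}
var_dump($throttle->retryAfter('user:alice', 30));
var_dump($throttle->retryAfter('user:alice', 301));
```

Keying on the account name means repeated failures also delay the real owner, which is why the check returns a wait time rather than locking the account permanently.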

Post by malcolmboston »

edit: put below samis comment so message made sense
Last edited by malcolmboston on Mon Mar 08, 2004 6:35 am, edited 2 times in total.

Post by m3mn0n »

Bech100 wrote:obviously, you can stop this kind of brute force attack by only allowing 3 attempts at login every 5 mins or something like that, or getting the user to enter a code from an image generated by the GD functions.

Mark
Not if they have raw database rows, as we discussed earlier. :wink:

Post by JayBird »

Sami wrote:
Bech100 wrote:obviously, you can stop this kind of brute force attack by only allowing 3 attempts at login every 5 mins or something like that, or getting the user to enter a code from an image generated by the GD functions.

Mark
Not if they have raw database rows, as we discussed earlier. :wink:
True, I was talking of a web-based attack though.

Mark
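
For the case raised in this exchange, where the attacker already holds the raw database rows, a login throttle never sees the guesses, so the stored hash itself has to be slow and salted. The following is an added example, not code from the thread: it verifies a login and moves a legacy unsalted `md5()` value to PHP's `password_hash()` on the next successful login. `verifyAndUpgrade()`, `isLegacyMd5()` and the `$row` layout are hypothetical names.

```php
<?php
// Added example: verify a login against the stored hash and upgrade
// legacy unsalted md5() rows to password_hash() on successful login.
// verifyAndUpgrade() and the $row layout are hypothetical.

function isLegacyMd5(string $stored): bool
{
    return (bool) preg_match('/^[a-f0-9]{32}$/', $stored);
}

// Returns [bool $ok, ?string $newHash]; $newHash is set when the stored
// value should be rewritten with a stronger hash.
function verifyAndUpgrade(string $password, string $stored): array
{
    if (isLegacyMd5($stored)) {
        // hash_equals() compares in constant time.
        $ok = hash_equals($stored, md5($password));
    } else {
        $ok = password_verify($password, $stored);
    }
    if (!$ok) {
        return [false, null];
    }
    if (isLegacyMd5($stored) || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }
    return [true, null];
}

// Constructed sample row: the md5 of a dictionary word, as discussed here.
$row = ['user' => 'alice', 'pass' => md5('sunshine')];

[$ok, $new] = verifyAndUpgrade('sunshine', $row['pass']);
if ($ok && $new !== null) {
    $row['pass'] = $new; // in a real application: UPDATE the user's row
}
var_dump($ok, isLegacyMd5($row['pass']));

// Each password_hash() call embeds a fresh random salt, so the same word
// hashes differently per row and one precomputed list cannot match them all.
var_dump(password_hash('sunshine', PASSWORD_DEFAULT) === password_hash('sunshine', PASSWORD_DEFAULT));

// A second login against the upgraded row verifies and needs no rewrite.
[$ok2, $new2] = verifyAndUpgrade('sunshine', $row['pass']);
var_dump($ok2, $new2);
```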

Post by malcolmboston »

to further divulge into what bech was saying (and to make it obvious what he was talking about)
from evil site wrote: MD5 Dictionary Attack - Program to crack md5 passwords using dictionary attack, program name: MD5 dictionary attack, size: 226 kb zipped, 480kb unzipped, speed: 1160000 word per minute, ver: 1.5, supported Os: windows 98/me/2k/xp
about the english language wrote: The OED2, the largest English-language dictionary, contains some 290,000 entries with some 616,500 word forms. Of course, there are lots of slang and regional words that are not included and the big dictionary omits many proper names, scientific and technical terms, and jargon as a matter of editorial policy (e.g., there are some 1.4 million named species of insect alone). All told, estimates of the total vocabulary of English start at around three million words and go up from there.
ok let's do some calculations here guys
let's give the english language a generous 4 million words (estimated 3 million) and bear in mind that script can do supposedly 1.16 million words per minute
holy smurf wrote:
it would take under 3 minutes to get a 'proper word' password

Post by m3mn0n »

8O Impressive, yet scary. :wink:

But to make it work to its full potential, you'd have to include all those weird scientific names, like elements and whatnot, and also bug names, etc.

And that would bring the number of entries to check to nearly 10 million (rough estimate).

Post by malcolmboston »

<--- will remember in future to make sites more secure than amazon :D