An unorthodox authorization - should I even consider it...?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: An unorthodox authorization - should I even consider it...?

Post by Mordred »

Yes I do, and no, you won't ;)
I'm challenging your "ridiculously easy" phrase. You generally know your stuff, you give good security advice, but you gotta learn to watch your mouth when using such hot words.
(If you do crack it, I'll send you as many flowers as there are chars in the secret ... it's gonna be a big bouquet, hehehe)
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: An unorthodox authorization - should I even consider it...?

Post by kaisellgren »

Mordred wrote:Yes I do, and no, you won't ;)
I'm challenging your "ridiculously easy" phrase. You generally know your stuff, you give good security advice, but you gotta learn to watch your mouth when using such hot words.
(If you do crack it, I'll send you as many flowers as there are chars in the secret ... it's gonna be a big bouquet, hehehe)

Well, okay. Maybe "ridiculously" is exaggerated, but... it is rather possible. I have been trying to crack that challenge in the background, I have checked 1 000 000 000 000 passwords so far :P I'm using ASM and my 8800 GTX, 210 000 000 hash calculations per second. My card is also underclocked, and I have only one card. I bet you could easily reach at least 1 500 000 000 calculations per second on one computer. If you had money, then you could further improve all this, yet I am just using regular gaming GPUs here, which are much slower than the best ones NVIDIA can offer us.

If you have the money, it is easy to crack. Now, it is not ridiculously easy to have money, but there are people who have oil wells in their backyard and literally people who are filthy rich. It does not matter whether some guy on a forum can crack it; all that matters is whether there are people who can do it and, more importantly, who are willing to do it.

Code:

$kai = new kai;
$msg = $kai -> get_message('9th March 2009, 16:20');
$msg = str_replace('ridiculously easy','possible',$msg);
$kai -> modify_message('9th March 2009, 16:20',$msg);
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: An unorthodox authorization - should I even consider it...?

Post by Mordred »

Oh so you tried it, eh? You Finns with your cold weather and hot blood ;) Stop and think about it!

If you retract your words, your statement about the MD5 becomes moot: bruteforcing "works" against all hashes. MD5 is not inherently weaker (as of what is currently known) than the other popular hashes in this scenario; there are no known attacks that make it weaker in this case.

Bruteforcing is a game the cryptographers love to play against the crackers: adding linearly more characters to the secret will make the problem exponentially harder for the attacker.
Dividing this by a constant, even a large one because of faster hardware, will not change things. Bruteforcing doesn't work against well-chosen (i.e. LOOONG) plaintexts.

So, forget about the flowers, you can't get 'em, not in the lifetime of the Universe ;) :)
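
The scaling argument in the post above, worked through as an added example that is not part of the original thread: it shows how few extra characters cancel a hardware speed-up and what length a given time budget demands. The two hash rates and the 10^12 count are the figures quoted in the thread; the 62-character alphabet and all function names are assumptions, since the thread does not state the challenge's alphabet or secret length.

```python
SECONDS_PER_YEAR = 31_557_600          # 365.25 days
ALPHABET = 62                          # assumption: a-z, A-Z, 0-9
RATE_ONE_GPU = 210_000_000             # hashes/s quoted in the thread
RATE_ONE_BOX = 1_500_000_000           # hashes/s estimate quoted in the thread
CHECKED_SO_FAR = 10**12                # candidates quoted in the thread

def years_to_exhaust(alphabet, length, rate):
    """Worst-case years to try every secret of exactly `length` characters."""
    return alphabet ** length / (rate * SECONDS_PER_YEAR)

def longest_fully_covered(checked, alphabet):
    """Largest L such that every secret of length 1..L fits in `checked` tries."""
    length, used = 0, 0
    while used + alphabet ** (length + 1) <= checked:
        length += 1
        used += alphabet ** length
    return length

def extra_chars_to_offset(speedup, alphabet):
    """Characters the defender adds to cancel an attacker speed-up factor."""
    extra = 0
    while alphabet ** extra < speedup:
        extra += 1
    return extra

def min_length(alphabet, rate, target_years):
    """Shortest length whose keyspace takes at least `target_years` to exhaust."""
    needed = rate * SECONDS_PER_YEAR * target_years
    length = 1
    while alphabet ** length < needed:
        length += 1
    return length

if __name__ == "__main__":
    print("fully covered up to length", longest_fully_covered(CHECKED_SO_FAR, ALPHABET))
    for length in (8, 10, 12, 16, 20):
        print(f"len {length:2d}: {years_to_exhaust(ALPHABET, length, RATE_ONE_BOX):.3g} years")
    print("chars to offset a 1,000,000x speed-up:", extra_chars_to_offset(10**6, ALPHABET))
    print("length for 10^9 years at the faster rate:", min_length(ALPHABET, RATE_ONE_BOX, 10**9))
```
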
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: An unorthodox authorization - should I even consider it...?

Post by kaisellgren »

Someone can do that, but not me :(