Rainbow tables are great tools for security purposes. But salting your hashes will thwart both online MD5 crackers and rainbow tables. I really hope people start to figure this out! For my sake and yours. Often times I won't use my normal secure passwords on smaller websites to to the fact that they might be hacked and have my hashes reversed. I want to know the my passwords are secure!

Sincerely, Brian http://www.NetMD5Crack.com co-owner

Drawing a picture in a paint like object wold be far more secure then using alphabetical characters, think of how many combination or.. different images you culd have? and how easy it is to remember a drawing? and there goes the key-loggers to trash as well. at the moment i am focusing on this king of autenthication method.

Ismael Pereira. Y4Solution

5869ec6f3f4160bce3e73151103e25bb password for this hash code is... 3133fde5

Due to increased interest for salted Md5's over the last months, the Md5This Team created a tool to recover salted Md5 passwords (commonly used nowadays in web applications and forums - e.g. VBulletinBoard and InvisionPowerBoard).

Currently it's not supporting brute force attacks only dictionary (the dictionary will have to be provided by you). You will need to install JRE (Java Runtime Environment - get the latest one from http://java.sun.com/javase/downloads if you don't have one installed already) on your pc in order to run it like any other application created in java.

you can find it here http://www.md5this.com/tools/dictionary-password-recovery-tool-for-salted-md5s.html

and also now there is a private password cracking service .. FOR FREE !!! you submit your hash and you receive it cracked bY email .. http://www.md5this.com/submit-your-hash/index.php

and also if you are lucky enough .. you can crack your hash on online cracker at http://www.md5this.com/crack-it-/index.php

Can anybody help me to crack "7ded66214e9a4a13" ( MySQL4.0 )

Perhaps someone will find this useful: PHP to encrypt using SHA512 with a random 8-character non-ASCII salt key.

<?php
   // Encrypt a password using SHA512 and 
   // a random 8-char non-ASCII salt key
   //
   // Requires PHP 5 >= 5.1.2 or PECL hash:1.1-1.3

   $password = "taschl3";
   $random_salt = "";
   for($c = 0; $c < 8; $c++)
   {
      $random_salt .= chr(128 + rand(0,128));
   }

   $sha512_encrypted = 
      hash_hmac('SHA512', $password, $random_salt);
		
   echo "<pre>";
   echo "password:\t" . $password . "<br />";
   echo "random_salt:\t" . $random_salt . "<br />";
   echo "SHA512 hash:\t" . $sha512_encrypted . "<br />" ;
?>

A good online md5 hash database can be found at www.md5hashes.com - it has come in use a few times!

it's 3133fde5

want to find more? we created a project since 2004, you might find us at: www.plain-text.info <-- web project irc.governmentsecurity.org / #rainbowcrack irc.plain-text.info / #rainbowcrack irc.nodrama-irc.net / #rainbowcrack all 3 networks are linked using one main bot called C3P0

allows to crack not just md5 but LanManager hashes (aka windows) and NetworkLanManager hahses

Please check 5869ec6f3f4160bce3e73151103e25bb What it is? It is very important?

>> imo md5() isn't mysql but php function.. ;] greetz ;]

md5 is a hashing algorithm. Most programming languages have an IMPLEMENTATION of md5. php, perl, Java, Javascript, etc.

Try to google "md5 <programming language here>"

imo md5() isn't mysql but php function.. ;] greetz ;]

for checking md5 hashes, http://www.hashchecker.com

hi there

please i hope you can help me i lost control over my vb board for some sick persone and i had took the chance and downloaded the hashed pass today ,
can you decrypt it and give me the pass please

the hash:

4190f6cf46101fc470fc048f4a17b029

yours hamad

hamad [the.empirror@gmail.com]

Thanks for the Info buddy, Now I can do get some passwords i need :D

Dhil

Salting: concatanating a string of (known) random characters to a password/phrase before hashing. The salt is known by the system, but should be stored separatly from the passwords. This makes it difficult to use lookup tables against passwords - especially if the salt has non ASCII characters in it. Note that it is slightly better to put the salt at the end of the password, since having more randomness at the start is better.

BTW, I wouldn't be too concerned about the lack of salting in the MySQL implementation. You can very simply combine the salt with the password in code and then use MySQL to hash it.

If you are concerned about security you shouldn't really be using MD5, either since it has been found to be not as collusion resistant as was expected. SHA is a better choice.

Finally, consider the threat model you are dealing with here. If someone is using lookup tables on hashed passwords then they have access to your database. It's probably easier for them to crack the system by inserting a known hash value into the password table or by sniffing unencrypted traffic on your network. Since they are easier for an attacker they are the threats that should be dealt with first.

Summary: First keep your network secure, second use a random non-ASCII salt, thirdly consider moving to SHA

Nick Lothian

Alan,
If you are passcoding, hurrah for you! NONE, repeat NONE, of the major ecommerce sites I have worked for passcode. Even the big site I architected, (and sold last year for $3.2B USD-you know who), did not passcode. I tried in vain to make the CIO understand the need. All data including credit # were in plain text, for all with access to see.
If you find a secure mechanism, please post back, I would be very interested. We are doing a custom encode() decode() for passcoding and for other senstive data but would prefer a tested algorithm.
Mica

Mica Cooper

Thanks for the explanation Charles. I admit I don't know this world very well. Incidentally the 47GB comes from this site here http://passcracking.com/ which was the original site I found the link to RainbowCrack.

I take your points on password cracking, but the reality of it is that the majority of websites are only asking for 6-32 characters for their passwords. Ironically only this morning i bought flights from Expedia.com and looked up stats on JavaBlogs. Both of those sites I had forgotton the password for and they were emailed to me inviting me to put in another one.

It doesn't really matter at this point what algorithm they are using to store their password in, but the point is the narrow window of flexibility in which the majority offer to have their password expressed in. I agree with you Charles, based on the figures you presented, there is a lot we can do to make things a lot harder to crack.

Okay, time for a question to you Charles since you appear to know quite a bit about this world. What is the technical definition of 'salting'?

Visit me @ http://compiledby.spikesource.com/

47Gb? Where's that number from?

From the documentation I could see, the lookup table for eight-character [a-z0-9] passwords is 36Gb. Unless my mathematics is way off, extending that to [a-zA-Z0-9!@#$%^&*] would add an extra bit to the search space for each character, multiplying the lookup table size by something like 2^8.

The LanManager "everything" table is 64Gb, but LanManager is a broken protocol: 14-character passwords are stored as two seven-character hashes, so your lookup table only has to calculate up to seven-character passwords. (This is fixed in modern versions of Windows, the problem only persists with networks that haven't yet turned off the insecure backwards-compatibility switch).

A good pass-phrase is easier to remember than a good password: the human brain is wired to remember words in a way that it can't remember random text.

A well-selected password probably has around six bits of randomness per character. A badly-selected password is probably closer to five bits. So let's say a good eight-character password is 48 bits. Which means 2^48 tries to cover the whole space, or a lookup table with 2^48 entries.

English text has about 1.3 bits of randomness per letter, but for something like a passphrase that is selected to be distinctive, you could lift that to 1.5. So to have a passphrase _theoretically_ as resistant to attack as a well-chosen 8-character password, you'd probably need about a 35-40 character character passphrase.

The passphrase I made up above is 47 characters, which would be between 61-70 bits of randomness. 2^61 is a pretty big number to brute-force, but it's doable on a distributed attack. There's no way you'd be able to build a lookup table that size, though.

Of course, it's practically harder than that to crack a pass-phrase. That '1.3 bits per character' figure is based on the redundancy of the English language - so to build a cracking tool or lookup table, you couldn't just run through every possible combination of letters and numbers, you'd have to have a particularly good understanding of cryptology and linguistics to start with. The effective strength of the password against this kind of mass-produced attack would be far higher than its theoretical strength.

Charles Miller [cmiller@pastiche.org]

You are absolutely right Charles about the pass phrases as oppose to simple passwords. But if you look around the majority of sites ask for passwords between 6 and 32 characters and when you have this, you are running the risk of being hacked.

That said, you think this is more for the convienence for the user? Remember something that has only 6 chars is much easier and less error prone than a pass-phrase.

As for the size of the lookup table; yes it runs into GB's. Their docs say if you want to generate the whole lot it will be around 47GB. Otherwise it will simply generate them on the fly as it tries out each combination. I only generated around a 1GBs worth of lookup tables which was enough to crack the majority of passwords under 2 seconds. Others took a little longer. There is a webservice kicking around where you can submit your MD5 and it will email you the result when its completed.

Visit me @ http://compiledby.spikesource.com/

What character-set and password-length did you use to generate your lookup table? For mixed-case passwords containing digits and punctuation (which has been the recommended password format for at least ten years), you need a pretty big lookup table.

Anyway, this is why passwords are so very 1990's. The noughties are all about (at best) two-factor authentication, and (at least), pass-phrases. After all, all MD5 hashes are 128 bits regardless of input size, so the password itself can be arbitrarily long. Try making a lookup table that includes things like "Hey, Vicar? I honestly didn't see that before!"

Charles Miller [cmiller@pastiche.org]

That's why you need to use a salt with MD5 and other hash algorithms. Using a salt makes it exponentally more difficult to execute a brute force attack against the hash.

Rob Brooks-Bilson [rbils@amkor.com]