Thread title: Should we be worried? |
|
|
10-01-2005, 04:06 AM
|
#21
|
Status: Junior Member
Join date: Jul 2005
Location: Utah
Expertise:
Software:
Posts: 73
|
Originally Posted by Salathe
Reality Check
If you don't know what MD5 is all about, then it doesn't affect you.
If you do, then you're free to make up your own mind.
|
Then what's this talk about passwords? I use passwords.
|
|
10-01-2005, 04:34 AM
|
#22
|
Status: Narassist
Join date: May 2005
Location: USA
Expertise:
Software:
Posts: 4,469
|
So far they haven't been able to translate it over when MD5 doubles the encryption due to certain repeat variables... That's one good thing.
|
|
10-01-2005, 05:34 AM
|
#23
|
Status:
Join date: Dec 2004
Location: California, US
Expertise:
Software:
Posts: 406
|
OK sorry but this is bugging me...
MD5 is a one-way encryption which will turn a password such as "doodoo" into "112dcee9b72eb88c7e512a1d93031247". That is known as its MD5 hash, that hash is stored in the database rather than the actual password. This is so if the database is ever compromised, the hacker cannot see the user's password because MD5 is a one-way encryption (Means you cannot run a simple function to convert it back, there is NO way to write a function to convert it back). The hash is used when you log in to a website, the PHP program compares the MD5 hash of the password you provided with the one it has stored in the database. If the passwords are the same, the hashes will be the same and you will be logged in.
Sites such as this are dangerous because they are creating an archive of known passwords and their MD5 hashes, so ABSOLUTELY THEORETICALLY AND IN VERY VERY VERY RARE CASES, if a mean forum admin was going through their database and viewing the passwords and wanted to get Joe Dirt's password (which is in the database as "112dcee9b72eb88c7e512a1d93031247") they could go to that site and type it in and the site would result in "doodoo".
There are even programs which will use a brute-force technique, which means it will test every single combination of letters/numbers/lengths to see if it can find a password to match your hash. If you have a password that matches their hash you can obviously log in as them (DANGEROUS).
However, if you use an alphanumeric password (containing both numbers and letters) and at least 8 characters long you can consider yourself safe as it would take several YEARS of intense computing power to even come close to cracking your password.
Now you know a little bit about MD5 hashes and their importance.
Regards,
Patrick
|
|
10-01-2005, 06:36 AM
|
#24
|
Status: Simply to simplify
Join date: Apr 2005
Location: Foxton, Manawatu, New Zealand
Expertise:
Software:
Posts: 5,572
|
Cheers Patrick, I thought it was something along these lines. Could be scary if someone got hold of people's passwords.
|
|
10-01-2005, 08:37 AM
|
#25
|
Status: Member
Join date: Aug 2005
Location: Melbourne, Australia
Expertise:
Software:
Posts: 419
|
I read the other day that MD5 was still today irreversible, I guess it's not anymore, that's not very good. I don't know if I like this too much, it shouldn't be allowed.
[edit]
I just ran a few of my passwords through it and as long as you don't enter your password first they shouldn't have it on record, so it doesn't really reverse your string as such, just looks to see if the word is already on record, I got a lot of blanks back which is good, so it means MD5 is still irreversible ... to a degree.
|
|
10-01-2005, 03:01 PM
|
#26
|
Status:
Join date: Dec 2004
Location: California, US
Expertise:
Software:
Posts: 406
|
Mickoc,
MD5 is not reversible in any sense. What's happening is people are making databases of passwords and hashes which others have provided. This isn't reversing them, but as long as people are able to create the hash one-way, you can't stop someone from making such a database.
If it makes you feel better, for every character that you have in your passwords, in order to brute force your password there are 64^n possibilities (Meaning 64 to the nth power, n being the number of characters). So if you have a 10 character password (Like I do for my secure sites) the hacker would have to go through 1152921504606846976 different hashes before they would've found mine. (Assuming 100,000 hashes a SECOND, that's still 365,589 YEARS). So pretty much as long as your password is more than 7 characters or so (500 days of computation), you are in the clear.
PS: Don't EVER test those programs with your actual password since it will show you the hash AND save it in the database.
Regards,
Patrick
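
Added example, not part of any post in this thread: Python showing the lookup-archive effect described in posts #23 and #26 and the brute-force arithmetic from #26. The word list is constructed, the function names are illustrative, and the salted PBKDF2 storage is an assumed mitigation that nobody in the thread proposes.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for a public hash-lookup site's archive.
KNOWN_PASSWORDS = ["password", "letmein", "doodoo", "qwerty"]


def md5_hex(password):
    """Unsalted MD5 as described in the thread: same input, same hash, everywhere."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup(words):
    """Precompute hash -> password. Nothing is reversed; it is a dictionary."""
    return {md5_hex(w): w for w in words}


def store_salted(password, iterations=200_000):
    """Assumed mitigation: per-user random salt plus slow PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_salted(record, attempt):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


def brute_force_years(alphabet_size, length, hashes_per_second):
    """Time to try every password of exactly `length` characters."""
    return alphabet_size ** length / hashes_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    lookup = build_lookup(KNOWN_PASSWORDS)
    print("listed password found:", lookup.get(md5_hex("doodoo")))
    print("unlisted password found:", lookup.get(md5_hex("x9Tq2Lm0vB")))
    a, b = store_salted("doodoo"), store_salted("doodoo")
    print("same password, same salted digest?", a["digest"] == b["digest"])
    print("login check:", verify_salted(a, "doodoo"), verify_salted(a, "doodo0"))
    print("years at thread's rate:", int(brute_force_years(64, 10, 100_000)))
    # 10 billion hashes per second is an assumed rate, for comparison only.
    print("years at 10 billion/s:", round(brute_force_years(64, 10, 10**10), 2))
```

With a per-user salt, two accounts sharing a password no longer share a stored value, so a single precomputed archive cannot serve every database.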
|
|
10-01-2005, 03:40 PM
|
#27
|
Status: The BidMaster
Join date: Nov 2004
Location: England
Expertise:
Software:
Posts: 10,821
|
Thanks for all the information Patrick
|
|
10-01-2005, 03:41 PM
|
#28
|
Status:
Join date: Dec 2004
Location: California, US
Expertise:
Software:
Posts: 406
|
Originally Posted by Robson
Thanks for all the information Patrick
|
I do what I can. Especially when something that could be potentially worrisome to the uninformed comes about.
Regards,
Patrick
|
|
10-01-2005, 05:37 PM
|
#29
|
Status: I'm new around here
Join date: Sep 2005
Location:
Expertise:
Software:
Posts: 9
|
dc57f0af5f7cfb9e2c834f4beba25e04
|
|
10-01-2005, 11:27 PM
|
#30
|
Status: Member
Join date: Aug 2005
Location: Melbourne, Australia
Expertise:
Software:
Posts: 419
|
Thanks Patrick, I wasn't sure of those calculations, but I haven't been worried in the past and I'm still not too worried now about this thing anymore because someone still has to enter in my random passwords before they can get the key.
When I said I put my passwords in I used the hash keys, not my actual password and it didn't throw me any results, so I'm not too worried.
|