Follow us on Twitter!
Capitalism is an Island of wealth in a sea of poverty
Wednesday, April 23, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 23
Guests Online: 20
Members Online: 3

Registered Members: 82885
Newest Member: ConiBE
Latest Articles

Md5 and dictionary words

Arrow Image How to prevent dictionary words in md5



What is this article about:
Alot of times people are to stupid to use dictionary word as a password.
(Web)programmers know that dictionary words as password are unsave.
But alot of time’s they forget that “normal” people still use dictionary word as passwords
and they don’t “protect” there site for this.

Exemple:
Lets say a website maker decrypt his members passwords as md5.
He thinks his members are save. Even if a hacker gets a md5 hash or database backup.
Because he thinks md5 can’t be decryted.
Now a member’s password is “secret” and the hash is 5ebe2294ecd0e0f08eab7690d2a6ee69.

Using a simple Md5 lookup table (www.md5lookup.com) we can find the password; “secret”.
(brute forcing it would ofcourse work but would take longer.)

Prevent it:
This is easy.
-You can add a prefix to the password.
-You can also double crypt it
-Or both (php example)
Code

<?php
$password = "secret";
$salt = "567_";
$new_password = md5(crypt($password, $salt)); /*thanks to Grindordie for the tip on the crypt function so it isnt random*/
echo "Dubbel encryted hash:  ".$new_password;
?>




This will make a0b6da60b13c51db029f75f33e4c139f. Cracking that would be alot harder.
Because encryting this won’t make a dictionary word and have to be brute forced.
Saving $new_password to the database would be saver. Then Just $password.
Decrypting it isn’t impossible because every encrytion can be decrypted using brute force.
But it would be very hard and take ages.

The end:
That was it.
Please rate.
Goofy

Comments

Arto_8000on September 25 2006 - 22:50:37
Well if the personn don't know it's salted it's harder to decrypt for sure but if he know how it's salted it's the same as cracking a normal md5 hash. BTW double encryption have already been covered on this site try to post new stuff not stuff that we have seen over and over.
goofyon September 26 2006 - 14:09:24
Thanks Grindordie. Didn't know that.
Post Comment

Sorry.

You must have completed the challenge Basic 1 and have 100 points or more, to be able to post.