Topic awaiting preservation: md5 security — OZONE Asylum, home of the Mad Scientists

Topic awaiting preservation: md5 security $Pages that link to <a href="https://ozoneasylum.com/backlink?for=28955" title="Pages that link to Topic awaiting preservation: md5 security" rel="nofollow" >Topic awaiting preservation: md5 security\$

Author	Thread
Moon Shadow Paranoid (IV) Inmate From: Paris, France Insane since: Jan 2003	posted 02-18-2007 01:31 Hi guys, Something has been on my mind lately and I'd like to know your opinion about it. A few weeks ago, I just stumbled upon a md5 database project at New Order. Maybe it's old news to you, but I personally didn't know there were reverse databases already up and running. Well, this one is "only" 416Gb and has 90 billion entries... I tested it with various md5 hashes from some websites I made, and it recovered all the passwords in less than a second. Which was quite scary to me. Ok, all these password were plain text, but I mean... Hell, I though md5 was quite secure So I went back to the source, the good old md5 manual page. Nearly every comment there was about the 'best and secure algorithm', saying the other was wrong etc. After that, I felt a bit confused as to what was secure, and what was not. I did some more research and found the Project Rainbowcrack. I found this website to be extremely interesting, alas it also told me that anyone with enough CPU time and disk space could generate rainbow tables for nearly every hash and every charset, including md5. So... I was back to the original problem : is there a way to generate secure md5 hashes ? And by secure I mean beyond decryption. I've thought a few days about it, and the solution I came up with was to add a salt with special characters such as alt + xxxx to the md5 string. This would be quite secure imho, but that wouldn't work if somebody included theses characters in a md5 rainbow table. I'm sure at least some of you dealt with such security issues, so I'd be interested in knowing what solution you came up with. Also, if you have any other thoughts about that... I'd be more than happy if you shared them PS : I know I will probably never have the use of such secure hashes. I know I'm kind of looking for a holy grail. But hey I am really curious about security issues such as this one, and actually I want to know exactly how secure is what I code. ---- If wishes were fishes, we'd all cast nets. (Edited by Moon Shadow on 02-18-2007 01:56)
reisio Paranoid (IV) Inmate From: Florida Insane since: Mar 2005	posted 02-18-2007 02:49 quote: Moon Shadow said: is there a way to generate secure md5 hashes ? And by secure I mean beyond decryption. Nothing is beyond decryption. If you don't want people to see it, don't put it in public view.
rukuartic Bipolar (III) Inmate From: Underneath a mountain of blankets. Insane since: Jan 2007	posted 02-19-2007 04:33 Three can keep a secret if two are dead. Can't remember who said that. rukuartic@halflght:~/$ whatis life life: nothing appropriate.

Hi guys,

Something has been on my mind lately and I'd like to know your opinion about it. A few weeks ago, I just stumbled upon a md5 database project at New Order.

Maybe it's old news to you, but I personally didn't know there were reverse databases already up and running. Well, this one is "only" 416Gb and has 90 billion entries... I tested it with various md5 hashes from some websites I made, and it recovered all the passwords in less than a second. Which was quite scary to me. Ok, all these password were plain text, but I mean... Hell, I though md5 was quite secure

So I went back to the source, the good old md5 manual page. Nearly every comment there was about the 'best and secure algorithm', saying the other was wrong etc.

After that, I felt a bit confused as to what was secure, and what was not. I did some more research and found the Project Rainbowcrack. I found this website to be extremely interesting, alas it also told me that anyone with enough CPU time and disk space could generate rainbow tables for nearly every hash and every charset, including md5.

So... I was back to the original problem : is there a way to generate secure md5 hashes ? And by secure I mean beyond decryption.

I've thought a few days about it, and the solution I came up with was to add a salt with special characters such as alt + xxxx to the md5 string. This would be quite secure imho, but that wouldn't work if somebody included theses characters in a md5 rainbow table.

I'm sure at least some of you dealt with such security issues, so I'd be interested in knowing what solution you came up with.

Also, if you have any other thoughts about that... I'd be more than happy if you shared them

PS :
I know I will probably never have the use of such secure hashes.
I know I'm kind of looking for a holy grail.
But hey I am really curious about security issues such as this one, and actually I want to know exactly how secure is what I code.

----
If wishes were fishes, we'd all cast nets.

(Edited by Moon Shadow on 02-18-2007 01:56)