md5 brute forcer?

[John]

The md5 checkers will generate the same hashes for the "good" file and the "bad" file.

[TcM]

Wow, so how is this crack implemented.. is it an addon binded/bound with the "bad" file? or it's a piece of code you compile with the program?

[John]

Here is probably the most useful line on the internet regarding md5 collisions. I can't figure it out.

Personal page: Vlastimil Klima, Dr. (In Czech: Vlastimil Klíma)

[TcM]

Dam that is amazing. I downloaded pack3.. the only thing that I noticed was.. that both generated files package1 and package2 had the same file size.. and the same md5! I checked it myself because I couldn't believe it. I used VisualBasic and created an empty form, then exported it to a .exe and checked the md5 then changed the project name from form1 to form2 and the md5 was completely different, so I would say that having 2 packed files both containing totally different files.. there should be a big difference too!

But then I downloaded md5tunnel.. and I didn't get what it's supposed to do.

And what can't you understand? The Answer to my Question?

I love this stuff.. but it is so complicated!

[monkey_instinct]

I think there are attempts for a better md5. What about the SHA1 algorithm. Is better since it uses 40-character hex string.

[John]

Quote:

And what can't you understand? The Answer to my Question?

I don't fully understand how the md5 hashing algorithm works, how collisions are created, or how to get those programs to do what they are suppose to.

[TcM]

Hmm I understood how to use one of those programs and I must say.. it's amazing! I was super surprised. I can't understand md5tunnel though.. and of course the algorithm of md5 and collisions..

[WingedPanther]

SHA1, and some of the hashes since it are all better than MD5, but MD5 is still useful for basic data-integrity checking.

[Stripes Fan]

MD5 fingerprints can be made more secure with more than just the failsafe of a fingerprint match.

for example, lets say someone has the password "cherry5"

You could not only require a fingerprint but also store that the password/file must begin with the letter/byte "c"

You could also require that the password/file have exactly 7 bytes/characters.

From what I've seen most software's don't incorporate this, it's just something that I thought of when I noticed the combination limit to md5.

[Walle]

Quote:

Originally Posted by Stripes Fan

MD5 fingerprints can be made more secure with more than just the failsafe of a fingerprint match.

for example, lets say someone has the password "cherry5"

You could not only require a fingerprint but also store that the password/file must begin with the letter/byte "c"

You could also require that the password/file have exactly 7 bytes/characters.

From what I've seen most software's don't incorporate this, it's just something that I thought of when I noticed the combination limit to md5.

In my humble opinion, specifying the length and first character of the passwords is a really bad idea, since it will weaken the overall security.
Basicly, you are telling the hacker what the length of the password is, and also providing the first letter. Thus eliminating lots of possible combinations.

Assuming that possible characters in the password are numbers 0 through 9 and characters a through z and A through Z, we have a total of 60 different characters.

By specifying a required password length, we are actually limiting the total number of possible combinations from virtually unlimited down to 60^7. For simple brute force hackers, this would probably not change the time it takes the hack the password, but in more advanced brute force hackers it would definately shorten the time needed to hack the password.

Specifying what the first letter should be makes matters even worse. By specifying what the first letter should be, we're actually limiting the number of possible unknown kombinations from 60^7 to 60^6, which is going from a total of 2.799.360.000.000 possible combinations down to only 46,656,000,000. The percentual change is 98.33% (60^6 is 98.33% less than 60^7, or if you will, 60^7 is 6000% larger than 60^6), and that's quite a lot.

I do understand the way you're thinking, eliminating possible md5-collisions will strengthen the system. Yes, in theory. But by doing that, we weaken the security against brute force attacks so much that it by far exceeds the gain of security we were looking for.

Best regards, Chris