security - What's the purpose of brute forcing MD5 hashes?

08
2014-07
  • user1399181

    Great article about hacking passwords on Ars Technica: http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/

    But what I don't understand is why? From a black hat's standpoint, what's the benefit of having a list of passwords if you don't have the usernames/emails associated with them? Or are the usernames usually associated with password leaks?

    I'm just confused because there's all this talk about passwords, but no talk about usernames. What's so beneficial to a hacker about a list passwords? To try on another attack when you have a specific username?

    • Answers
  • Rich Homolka

    Yes, they have the usernames. But the hash tools don't care about the usernames, they separate the usernames out and only feed the password hashes to the cracking tools. Then you match the hashes that you did find to the usernames.

    Hmm, that being said, there is still some benefit if you just have the passwords. Knowing that humans are creatures of habit, you could crack this list of passwords, to kind of precompute some hashes for when you do get a list with usernames and passwords. (and have the storage for it). This is better known as Rainbow Tables

    The caveat here, is that the lists need to use the exact same hash algorithms, and no (or the exact same) salt.

    The other thing: This article (I read it too) was mostly about what the mechanics of password hash matching are. The article was written as a "how easy is it for me to break hashes" not "how do I break in". So, in this very particular case, the usernames were irrelevant for the password cracker's use. So they were not brought up in the context of this very specific article.

  • Brad Patton

    If you can compromise a system to get a list of passwords then it's likely you will be able to get the usernames as well. The interesting thing technically is to 'crack' the password as the usernames will be stored in plaintext. The article as you mention is about decrypting passwords using existing tools and techniques and the ease with which most passwords can be cracked.


    • Related Question

    security - How secure is it to use a password hash of a common English word as a WPA2 key?
  • James Mishra

    I have a wireless router, and I want a difficult password that is still, in a way, easy to remember.

    I came up with this idea to take the MD5, SHA-1, SHA-256, or whatever hash of a common English word, such as "superuser" and use the hash as the WPA2 key.

    For example, let's say that "superuser" was my word of choice. If I chose SHA-1 has my hash, I would then set up my WPA2 key to be8e67bb26b358e2ed20fe552ed6fb832f397a507d.

    Is this a secure practice? Common English words are being used--in a way--in the key, but the key itself is actually a long, complex hexadecimal string.


    • Related Answers
  • Robert Cartaino

    Unless you reveal the method of how you generated you "long WPA2" key (which you just did), it is just a random string of text which would normally be pretty secure. On the other hand, if someone knew that you were using "a common English word" and used a hash of that word as the key, anyone could quickly generate a sequence of hashes from a dictionary and break your password pretty quickly.

    If you are looking for a "difficult password that is still easy to remember" why don't you come up with a longer pass phrase that means something to you but not easily guessed by anybody else. Start with a phrase (i.e. sequence of words, sentence, etc), mix in a sequence of digits that mean something to you (apart from birthdays, phone numbers, etc), and generate a long key that is "easy to remember" that way.

  • William Hilsum

    It is as secure as any other key as long as you do not tell anyone.

    At the end of the day, your key will be using 0-9, a-f... which is actually only gives 16 possible characters instead of just a-z which would give 26. Therefore, if you think you are being smart and tell someone "I am using SHA-1", you are actually cutting down their brute force combinations by quite a few.

    Personally, I think you would be a lot better off just having a normal long word/s with a mix of case, then throw in some random numbers and symbols.

  • Arkenklo

    It is safe as long as nobody can possibly figure out the method. This of course includes bragging about it in the office, but also traces of any kind you may leave behind. As an example, if you are to connect a random user to your network, you'll probably use some kind of client-side application to generate the hash. If the random user then notices that there's an echo "superuser" | sha1sum in the log it's not too hard to add the two together.

    Seeing as you'd have to generate the hash externally, much of the convenience disappears. Generally I'd say that hashing a common word might be an acceptable way to quickly generate a semi-random key, but the key must still be copied or remembered when entering to not pose a weakness.

    The only other gain I can think of is that the key/phrase/password can be easily reproduced if lost. If above security-measures are taken I see no reason not to use hashed words as keys.