How Stupid do you Think I Am?

So I was looking around for a Web service that could take a string of text and return an MD5 Hash of that string, and I found something disturbing.

An MD5 Hash is a big number that is generated by doing crazy math on the original information. It has two good qualities – when you start with the same text you always get the same result, and it’s pretty much impossible to tell what the text was from the number.

A lot of places store the hash of your password, rather than the password itself. When you type in your password, it’s hashed, and the resulting number is sent over the wire. If the number matches the one in their database then you’re in.

But there is one way to crack the hash I hadn’t considered: keep a database of known strings and the resulting hash. It had never occurred to me to try to keep a table so huge, but with access to this information you could pretty easily crack passwords that lots of people use.

In my search for a hashing service, I came across one such Web site. Also on that site: a service to generate a hash for you. The message: “Hey! We keep a database of hashes to render them useless! You want us to calculate a hash for you?”

Um… No thanks?

At this point, I have to advise, stay away from Web-based hash generators. I know you were about to go and use one.

5 thoughts on “How Stupid do you Think I Am?

  1. I’m curious: you run your own server; why did you need a web-based hash generator?

    I actually made one a few years ago on my desktop workstation at work; the server that needed to generate a hash was an older turnkey system that didn’t have the necessary modules.

    • It was out of curiosity more than anything else; I was thinking of giving people a simple way to emulate my security-question-answering idea, lacking the proper browser plug-in.

      • Hah! Yes, that wouldn’t be trustworthy.

        Related, I often wonder, when I type the wrong password to get in to a site, if there are any sites that record wrong passwords when typed in. The password is often good somewhere, just not that site.

        • Yet another cause for paranoia, and a good reason to not use the same login name everywhere. More to keep straight. Really, the only way through this as far as I can tell is biometric authentication, or perhaps some sort of physical key (that might also have a thumb scanner).

  2. Since writing this I’ve been pondering countermeasures for hash databases. My first instinct was to clog the database with information. The thing is, that helps them. The more hashes they have, the more effective they are.

    But there is a cost to storing information, and the more entries in the database the slower it will be. Is it possible to make the database so big it’s too expensive to maintain? Maybe. That’s not the only cost of running the server, either. Also, adding and entry into a database is much more expensive, and generating an MD5 is more expensive yet. So, here’s my thought.

    Take a string of random letters. Use their service to generate the hash. Take that hash and submit it to generate a new hash. Repeat forever. Chances are we’re not going to be putting very many hashes into their system that anyone will ever use. It’s all just noise.

    Will I build this? Nah. I’m much better at imagining myself sticking it to the man than actually doing it.

Leave a Reply to Jerry Cancel reply

Your email address will not be published. Required fields are marked *